Stop and start services remotely on w2003 sp1 - without local admi

Discussion in 'Windows Server' started by dinny, Nov 8, 2005.

  1. dinny

    dinny Guest

    Hiya,

    I have a large number of windows servers running services (such as print
    spoolers) that I wish non-admin staff - such as the helpdesk to be able to
    stop and start remotely (without having to add them to the local admin group)

    I have used the following solution successfully on w2k sp4 and w2k3

    Apply permissions to the service in question to the group in question by
    using subinacl

    eg subinacl /service spooler /grant=domain\HelpdeskAdmins=STO

    I then use a script to call SC

    eg sc \\servername start "Spooler"

    This no longer seems to work on w2k3 sp1.

    I appreciate that this could be classed as a security enhancement - but
    forcing people to be added to local admin when all they need to do is control
    a single service seems like a backwards step?

    Does anyone have a solution to administer services remotely on w2k3 sp1 that
    does not require local admin rights?

    Cheers

    Dinny
     
    dinny, Nov 8, 2005
    #1
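An added check, not part of the thread: the grant in the post is only safe if the delegated group ends up with the S/T/O rights and nothing more. This small Python parser reads the SDDL string that `sc sdshow <service>` prints, lists who effectively holds START/STOP after deny ACEs, and flags any rights beyond query-status/start/stop. The SDDL sample and the `S-1-5-21-...` SID are constructed here to stand in for domain\HelpdeskAdmins.

```python
import re

# Two-letter SDDL rights as shown for services by `sc sdshow`
SERVICE_RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
                  "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
                  "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
                  "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
STO = {"QUERY_STATUS", "START", "STOP"}      # subinacl's S, T and O from the post
WELL_KNOWN = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive",
              "SU": "Service", "AU": "Authenticated Users", "WD": "Everyone"}
ACE_RE = re.compile(r"\((\w+);(\w*);(\w+);;;([^)]+)\)")   # (type;flags;rights;;;sid)

def parse_dacl(sddl):
    """Yield (ace_type, trustee, rights) for each ACE in the D: section; SACL ignored."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        yield ace_type, WELL_KNOWN.get(sid, sid), names

def who_can_start_stop(sddl):
    """Trustees holding START and/or STOP once deny ACEs are subtracted (deny wins)."""
    allowed, denied = {}, {}
    for ace_type, who, rights in parse_dacl(sddl):
        bucket = {"A": allowed, "D": denied}.get(ace_type)
        if bucket is not None:
            bucket.setdefault(who, set()).update(rights)
    effective = {who: (r - denied.get(who, set())) & {"START", "STOP"}
                 for who, r in allowed.items()}
    return {who: r for who, r in effective.items() if r}

def excess_rights(sddl, trustee):
    """Allowed rights beyond S/T/O. CHANGE_CONFIG in particular lets the trustee
    repoint the service binary, which amounts to full control of the service."""
    held = set()
    for ace_type, who, rights in parse_dacl(sddl):
        if ace_type == "A" and who == trustee:
            held |= rights
    return held - STO

# Constructed sample modelled on `sc sdshow spooler` after a delegation; the
# S-1-5-21-... SID is made up and stands in for domain\HelpdeskAdmins.
HELPDESK = "S-1-5-21-1000000000-2000000000-3000000000-1108"
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "(A;;LCRPWP;;;" + HELPDESK + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)")
TOO_BROAD = SAMPLE.replace("LCRPWP", "DCLCRPWP")   # same grant plus CHANGE_CONFIG

if __name__ == "__main__":
    print(who_can_start_stop(SAMPLE), excess_rights(TOO_BROAD, HELPDESK))
```

Run it against the real `sc sdshow` output from each server to confirm the helpdesk group has exactly the intended rights before rolling the grant out fleet-wide.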
  2. Have a look at the thread with the title "Error: 5 Access Denied - HELP",
    posted in this newsgroup on 13 October. It suggested a work-around for
    this problem.
     
    Pegasus (MVP), Nov 8, 2005
    #2
  3. dinny

    dinny Guest

    Hi Pegasus,

    I couldn't see a work around on that post - but I have asked a similar
    question to which you suggested a workaround in the past (have dir on server
    with perms for users - and check for existence of a flag file etc.)

    However I have been trying for two weeks or so to get an answer directly off
    Microsoft - as I am a technet plus user and ought to get a next day response
    - so far no luck... So on the suggestion of technet services support team - I
    keep re-registering my account and trying to repost till hopefully I get an
    answer off Microsoft?

    Dinny
     
    dinny, Nov 8, 2005
    #3
  4. Hello Dinny,

    Thank you for posting.

    From your post, my understanding of this issue is: Using SC command to
    start or stop service remotely with a user without administrative privilege
    fails on the Windows Server 2003 SP1 system. If this is not correct,
    please feel free to let me know.

    Based on my research, there has been a change in the behavior of the
    EnumServicesStatusEx function in SP1 for the purposes of security. There
    is a hardcoded limit that requires the user to be local or a member of the
    administrators group. Please see the following link for more information
    regarding the new limitations:
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/service_security_and_access_rights.asp>

    "Windows Server 2003 and Windows XP/2000/NT: Unlike most other securable
    objects, the security descriptor for the SCM cannot be modified. This
    behavior has changed as of Windows Server 2003 SP1."

    Based on our testing, a possible workaround would be to write and deploy a
    WMI provider that ran with local credentials to allow you to query the
    data. You may post your question on the developer newsgroup if you need
    any assistance about the WMI provider. I have provided the link below:
    http://msdn.microsoft.com/newsgroups/default.asp

    Hope the above information helps. If anything is unclear or you have any
    concerns, please feel free to post back. I am glad to be of assistance.

    Have a nice day!

    Steven Wang (MSFT)
    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
     
    Steven Wang [MSFT], Nov 9, 2005
    #4