Windows 2008 Server Security

Discussion in 'Server Security' started by Brian Stoop, May 18, 2009.

  1. Brian Stoop

    Brian Stoop Guest

    I've joined Windows 2008 Server to Windows 2003 domain and installed a
    Windows Service, that logons on as a domain account in Domain Administrators
    group.

    On Windows 2003 Servers, all works fine.
    On the 2008 Server, the service cannot contact the Eventlog, cannot open
    keys in the registry ... nothing is allowed.

    If I log into the 2008 Server as that domain account, and I can access
    Registy / Event log, it works. Why does it fail for the account when used
    by the Windows Service ?


    Thanks, Brian
     
    Brian Stoop, May 18, 2009
    #1
    1. Advertisements

  2. Hello Brian,

    Even a domain admin on 2008 machines is restricted, that belong's to UAC.
    I asume that will be the reason when running as a service, that some permissions
    are needed, one i can think of is "Logon as a batch job".

    Additional it can belong to UAC(disabling is the badest option in my opinion)
    GPO setting:
    Computer Configuration, Windows Settings Security Settings, Local Policies,
    Security Options, in the right pane you will find some UAC options.

    Check:
    - User Account Control: Behavior of the elevation prompt for administrators
    - User Account Control: Detect application installations and prompt for elevation
    - User Account Control: Run all administrators in Admin Approval Mode


    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 19, 2009
    #2
    1. Advertisements

  3. Brian Stoop

    Brian Stoop Guest

    Hi,

    The Domain Server is Windows 2003. When I run the Group Policy editor, there
    are no UAC settings visible ?

    I run Group Policy Editor on the Windows 2008 member sever. I have tried all
    the settings you indicated, and have run gpupdate also, but the problem
    persists.

    Is there anything else I could try ?


    thanks, B
     
    Brian Stoop, May 19, 2009
    #3
  4. Brian Stoop

    Brian Stoop Guest

    I disabled UAC and the application is now working.


    Thanks, for you help, Brian
     
    Brian Stoop, May 20, 2009
    #4
  5. Hello Brian,

    Policies for 2008/vista you have to configire from 2008/Vista with RSAT installed.
    So install RSAT from the server manager, features and create with that a
    GPO in the domain for your needs.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 20, 2009
    #5
  6. Brian Stoop

    Brian Stoop Guest

    Thanks again, I'll try that and I'll report back.

    Regards, Brian
     
    Brian Stoop, May 21, 2009
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.