Permission to start and stop services
CG
service?
I've tried giving the user id full control to the reg keys
for the service, services.exe and the .sys for the service
itself.
The service is set to manual, using localsystem. I get a
security failure audit, event id 560. I can do it as an
administrator.
Thanks in advance.
Ritchie
> How can I allow a regular user to start and stop a single
> service?
In the absence of a better suggestion, you could try this:-
Setup a batch file for the user to execute when they want to
stop/start the service. Have this batch file drop a text message
(for instance, the mesage is either STOP or START) into a network
share to which only they have write access.
Have another batch file monitor the share (running in the context
of a user with sufficient rights) that act upon then deletes the
message.
--
Ritchie
Undo address for mail
CG
something more "self contained". This has to be a rights
issue. I am auditing all failures of the entire
filesystem and registry yet the culprit is not being
exposed. Adding and removing the user id from the local
administrators group enables and disables the ability to
control the service. It seems to be something in the
registry. I just reset all of HKLM to Authenticated
Users, Administrators and System to full control and it
works. I guess I will be may hours of playing "process of
elimination", unless someone already knows where I should
go. ;)
>
Ritchie
> Simple and clever, thanks. That would do it but I need
> something more "self contained". This has to be a rights
Ok, you need the awesome and free SETACL util from:-
http://www.helge.mynetcologne.de/setacl
I can confirm it does exactly what you want (at least on an NT4.sp6a
workstation)
Ricardo M. Urbano - W2K/NT4 MVP
hth
--
Ricardo M. Urbano
Microsoft Windows 2000/NT MVP
CG
built-in groups from advanced user rights in user
manager. This system requires the greatest possible
restrictions, even to the operators that are resposible
for it's care and feeding. I want to, if possible, allow
an operator the ability to control only 1 service. 'Trust
no one' is my charter for this. If this is one of those
Magic-Hidden rights that I cannot manipulate then I will
have to accept Power User. I am still playing "process of
elimination" in HKLM. Somewhere within there are keys
that are being accessed, fail and yet do not show audit
failures in the event log. If I give them full control to
the entire branch they can do it, give them only 'read'
and they cannot. (Yes they need more then just read to a
lot of keys in HKLM just function, but resetting all to
full give the permission) This is in addition to all the
FS and reg rights that have been granted to eliminate
audit failures.
>.
>
Ritchie
> Thanks. I have customized all rights and have removed the
> built-in groups from advanced user rights in user
> manager. This system requires the greatest possible
> restrictions, even to the operators that are resposible
> for it's care and feeding. I want to, if possible, allow
> an operator the ability to control only 1 service. 'Trust
Just curious, why don't you use SETACL, it allows you to explicitly
specify which user/group can stop/start an individual service? Is it
because its a third party util or something else?
ch...@nospam.com
Or use regmon to see what keys SETACL is altering.