I am running automation to stop/start Services remotely on Windows 2003 SP1 servers. The User ID cannot belong to the local Admin group, so I have set up GRANT Stop & Start using subinacl.
When the user nxxxxxx1 logs on to the server using Remote Desktop it can Stop and Start the Service which I allowed it to Stop/Start. All other services cannot be stopped/started. But, when I try to run the script from a remote server I still get the Access Denied message.
The web didn't return much useful info. I found something about sc sdset .... but not much help as it's not really documented.
Anyone who can point me in the right direction?
extract from subinacl /service "adobe form server" /display
Code:
...
/pace =uk\nxxxxxx1 ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_START-0x10 SERVICE_STOP-0x20
In the Security Event log I also get:
Code:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,1024360975}
Process ID: 1376
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: L12345X-BXXXXXX2$
Primary Domain: OK
Primary Logon ID: (0x0,0x3E7)
Client User Name: nxxxxxx1
Client Domain: OK
Client Logon ID: (0x0,0x3D0E7B89)
Accesses: READ_CONTROL
    Connect to service controller
    Enumerate services
    Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
sc sdshow output
C:\>sc \\L12345X-BXXXXXX2 sdshow "Adobe Form Server"
Code:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP;;;S-1-5-21-1229272821-606747145-839522115-96140)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
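Decoding the two outputs quoted in the post, as an added example that is not part of the original post: the SDDL rights letters are read with their service-object meanings, and the event's access mask is decoded against the SC Manager access rights. The function names `parse_service_dacl` and `decode_scm_mask` are illustrative, and the SDDL string is the post's `sc sdshow` output with the console line wraps joined.

```python
import re

# Two-letter SDDL rights as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"),
    "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}
# Access bits on the SC Manager object (the "ServicesActive" database).
SCM_RIGHTS = {
    0x00001: "SC_MANAGER_CONNECT", 0x00002: "SC_MANAGER_CREATE_SERVICE",
    0x00004: "SC_MANAGER_ENUMERATE_SERVICE", 0x00008: "SC_MANAGER_LOCK",
    0x00010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00020: "SC_MANAGER_MODIFY_BOOT_CONFIG", 0x20000: "READ_CONTROL",
}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

# sc sdshow output from the post, console line wraps joined.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)"
        "(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
        "(A;;RPWP;;;S-1-5-21-1229272821-606747145-839522115-96140)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_service_dacl(sddl):
    """Return (ace_type, trustee, mask, right_names) for each DACL ACE."""
    dacl = sddl[sddl.index("D:") + 2:].split("S:")[0]  # drop the SACL part
    aces = []
    for ace_type, rights, trustee in ACE_RE.findall(dacl):
        mask, names = 0, []
        for code in re.findall("..", rights):  # rights are two-letter codes
            bit, name = SERVICE_RIGHTS[code]
            mask |= bit
            names.append(name)
        aces.append((ace_type, trustee, mask, names))
    return aces

def decode_scm_mask(mask):
    """Name the SC Manager access bits set in an event-log access mask."""
    return [name for bit, name in SCM_RIGHTS.items() if mask & bit]
```

The last ACE decodes to SERVICE_START and SERVICE_STOP (0x30) for the domain SID, matching the subinacl extract. The logged mask 0x20015 decodes to connect, enumerate, query lock status and READ_CONTROL on the SC Manager object, which carries its own security descriptor separate from the one on the service.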