levinson_k
Thu Jul 13 11:21:02 CDT 2006
"john d" wrote:
> I need to allow a user to remotely start and stop a single designated service
> on a 2003 server machine without making them a local administrator.
>
> I attempted to use a security template on the server to specify permissions
> for this user for the desired service as per KB 325349,
>
> http://support.microsoft.com/kb/325349/en-us. However, the user still cannot
> start or stop the service using either the MMC or the netsvc utility. When
> using MMC, the error is "Unable to open service control manager database on
> \\server Error 5: Access is denied." When using the netsvc command, the
> error is also "Access is denied."
>
> Please note that if I make the user a local administrator, they can access
> all services via the MMC for the server, but the netsvc command still says
> "Access is Denied". On the other hand, if I log in as one of the domain
> admin accounts, which is also a member of the local administrator group, and
> run the netsvc command, I can successfully start and stop the service.
Since no one else appears to have responded...
I got some possible hits searching Google for that error message:
www.google.com/search?q=%22Unable+to+open+service+control+manager+database%22+access+denied+error-
http://forumz.tomshardware.com/software/w2k3-sp1-unable-open-service-control-manager-database-ftopict225538.html
"The permissions on the service control manager database did change with SP1
(see below). We used the SC sdset command to reset them"
Question: what happens if the user account is used locally on
the server? That could be useful to know.
Also, you might enable Windows auditing, for example Audit Privilege Use
failures, and then check the Windows Security Event Log after duplicating a
failure.
You might also try running the RSOP command on Windows XP or 2003 to confirm
another group policy setting isn't overriding the settings you've changed.
Also, I assume there are no IPSec, firewall or IP filtering ACL rules in
between the client and server? Particularly of RPC ports TCP / UDP 135 and
the other random ports RPC can use? If there's any question, you could
download and use Ethereal / Wireshark currently at www.ethereal.com on the
client to sniff the network traffic and see what is happening.
If all that fails to help, you could also try downloading and running
Process Explorer, Filemon and Regmon free from www.sysinternals.com while
duplicating the failure.
I don't believe you should be experiencing this with the default settings
[certainly the default admin account should be able to stop and start
services], so I'm wondering if maybe this is something caused by a security
policy change made by an administrator there.
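
The point quoted above, that the service control manager database carries its own permissions separate from those of the individual service, shown as an added example that is not part of the original post: a Python check over SDDL strings of the kind `sc sdshow` prints. The SDDL strings, the SID and the function names are constructed for illustration, and only plain allow/deny ACEs are handled.

```python
import re

# SDDL right codes -> access-mask bits (same letters on the SCM and on a service).
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F}
SC_MANAGER_CONNECT, SERVICE_START, SERVICE_STOP = 0x1, 0x10, 0x20

def mask_of(rights):
    """Turn an ACE rights field ('CCLCRP' or '0x...') into a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= BITS[rights[i:i + 2]]   # KeyError on a code not listed above
    return mask

def dacl_aces(sddl):
    """Yield (type, mask, trustee) for each DACL ACE, in stored order."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        yield fields[0], mask_of(fields[2]), fields[5]

def access_allowed(sddl, trustees, wanted):
    """Ordered ACE walk: a matching deny on a still-needed bit refuses access."""
    remaining = wanted
    for ace_type, mask, trustee in dacl_aces(sddl):
        if trustee not in trustees:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
        if not remaining:
            return True
    return False

def remote_control_check(scm_sddl, svc_sddl, trustees):
    return {"scm_connect": access_allowed(scm_sddl, trustees, SC_MANAGER_CONNECT),
            "service_start": access_allowed(svc_sddl, trustees, SERVICE_START),
            "service_stop": access_allowed(svc_sddl, trustees, SERVICE_STOP)}

# Constructed sample data, not taken from any real server.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SCM = "D:(A;;CCLCRPRC;;;IU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
SVC = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPLCRC;;;" + USER + ")S:(AU;FA;KA;;;WD)"

if __name__ == "__main__":
    print("network logon:", remote_control_check(SCM, SVC, {"AU", "NU", USER}))
    print("local logon:  ", remote_control_check(SCM, SVC, {"AU", "IU", USER}))
```

With this sample data the service ACL grants start and stop to the user, but the network logon fails at the SCM connect step, while the same account logged on locally at the server passes it.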