[THIN] Re: Win2k Service Permissions

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 14 Jan 2004 08:59:23 +1300

Didn't know SUBINACL could be used to set permissions on services - thanks.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Paul DeHaan
Sent: 14 January 2004 7:57 AM
To: thin@xxxxxxxxxxxxx; p.stage@xxxxxxx
Subject: [THIN] Re: Win2k Service Permissions


This can be done using the subinacl.exe resource kit file.  If you need a
copy email me offline.  Read the documentation to figure out how it works...
I used something like this in a script:
c:\temp\subinacl /verbose=1 /service \\server2\alerter /grant=Domain\User=F

There is also another non-MS tool like this called SetAcl.exe

Both work nicely,

Paul DeHaan CISSP, CCNA, CCA...
Network Administrator
J.M. Huber Corp.
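The /grant=Domain\User=F above gives that user full control of the service, which includes changing its configuration and its ACL, not just starting and stopping it. As an added example that is not from the thread, this Python script audits a service DACL in the SDDL form that `sc sdshow <service>` prints, flags non-admin trustees holding reconfigure or ACL-write rights, and builds the start/stop-only ACE to grant instead; the user SID and the DACL are constructed samples.

```python
import re

# Service access rights as SDDL two-letter codes, with the access-mask bit each stands for.
RIGHTS = {
    "CC": (0x1, "QUERY_CONFIG"), "DC": (0x2, "CHANGE_CONFIG"),
    "LC": (0x4, "QUERY_STATUS"), "SW": (0x8, "ENUMERATE_DEPENDENTS"),
    "RP": (0x10, "START"), "WP": (0x20, "STOP"), "DT": (0x40, "PAUSE_CONTINUE"),
    "LO": (0x80, "INTERROGATE"), "CR": (0x100, "USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"), "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"), "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"), "GR": (0x80000000, "GENERIC_READ"),
}
# Rights beyond operating the service: reconfigure it (binary path, logon account), delete it, or rewrite its ACL.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "GW"}
PRIVILEGED = {"SY", "BA"}  # LocalSystem and Builtin\Administrators are expected to hold these
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

def rights_codes(rights):
    """Expand an ACE rights field (two-letter codes or a 0x hex mask) to a set of codes."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {c for c, (bit, _) in RIGHTS.items() if mask & bit}
    return set(re.findall(r"[A-Z]{2}", rights))

def parse_dacl(sddl):
    """Return [(ace_type, trustee, codes)] for each ACE in the D: section of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(t, trustee, rights_codes(r)) for t, _, r, trustee in ACE_RE.findall(dacl)]

def audit(sddl):
    """Allow-ACEs that grant DANGEROUS rights to trustees other than LocalSystem/Administrators."""
    findings = []
    for ace_type, trustee, codes in parse_dacl(sddl):
        bad = codes & DANGEROUS
        if ace_type == "A" and trustee not in PRIVILEGED and bad:
            findings.append((trustee, sorted(RIGHTS[c][1] for c in bad)))
    return findings

def start_stop_ace(sid):
    """Least-privilege allow-ACE: query config/status, start, stop, pause/continue, read ACL only."""
    return f"(A;;CCLCSWRPWPDTLOCRRC;;;{sid})"

# Constructed sample: a typical service DACL plus a full-control grant (the /grant=...=F case) for one user SID.
USER_SID = "S-1-5-21-1-2-3-1001"
OVERBROAD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + USER_SID + ")")

if __name__ == "__main__":
    print(audit(OVERBROAD))
    print("replacement ACE:", start_stop_ace(USER_SID))
```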


>>> techlists@xxxxxxxxxxxxx 01/12/04 09:49PM >>>
The problem with just creating the app or script that lets them do a few
services is that you have to still give them the right to manage all
services. The privilege is all or nothing. If you program, you can create an
app or script that will let a user call a function that runs under the
context of a more powerful account. In other words, you don't give the users
the rights to restart services at all, but they can run a program that
essentially has the right to.  I read about it in Thomas Eck's ADSI
Scripting book. Here's an excerpt from an article where he talks about using
the technique to let users unlock their own accounts
(http://www.winnetmag.com/Articles/ArticleID/26696/pg/1/1.html): 

Typically, resetting a password would require the user (or the Help desk
staff member entering the information on the user's behalf) to have
Administrative rights; all account management operations require some level
of administrative rights to perform the requested action. However, you
implement this application as a COM/COM+ object and run the COM server under
the context of a Win2K Component Services package (on Win2K and IIS 5.0
systems) or a Microsoft Transaction Server (MTS) package (on NT 4.0 and
Internet Information Server-IIS-4.0 systems) to which you've assigned an
administrative account's identity (see "Sample Self-Service
Account-Administration Application" for details). Therefore, the user (e.g.,
the IUSR account) can run the AuthenticateUser function in the context of a
more powerful account. To ensure security, the AuthenticateUser method
requires the target user's secrets to be passed into the method as well. The
script validates this data before unlocking the account or resetting the
password. The concept of COM delegation is too complex to explain in detail
in this article. However, "Making the Transition: Multi-Tier Development for
System Administrators"
(http://www.microsoft.com/technet/ittasks/deploy/making.asp), which is an
excerpt from my book Windows NT/2000: ADSI Scripting for System
Administration (Macmillan Technical Publishing, 2000), provides a complete
tutorial.

Jeff Durbin



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Chris Lynch
Sent: 13 January 2004 3:23 PM
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Re: Win2k Service Permissions


 
Unfortunately, you cannot just give out privileges to manage a few services.
You give them the right, or you don't.  You could create a VB app or
Vbscript that would be an interface for these services, so they could only
stop/start/pause/restart certain services, without giving them full access
to the Services MMC snapin.

Chris 

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Stage, Paul
Sent: Monday, January 12, 2004 5:26 PM
To: thin@xxxxxxxxxxxxx (E-mail)
Subject: [THIN] Win2k Service Permissions

I need to allow a few users the rights to stop and start 3 services on a
server.  I have them set to start using an account with the proper
privileges.  I also have an MMC configured for them to start/stop only these
services.  The problem I have is I need to give them the proper permissions
to start/stop ONLY these services without giving any additional privileges
or the ability to stop/start other services.  We are not running AD, so a GP
would not be feasible.  Can someone point me in the right direction?
 
Paul T. Stage MCP, A+
Information Services
LaPorte Hospital
Tel. (219) 326-1234 x7126
Fax (219) 325-6416
P.Stage@xxxxxxx 
http://www.LaPorteHealth.org
 
 


********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you
know, in most cases, CPU Utilization IS NOT the single biggest constraint to
scaling up?! Get this free white paper to understand the real constraints &
how to overcome them. SAVE MONEY by scaling-up rather than buying more
servers. http://www.rtosoft.com/Enter.asp?ID=147 
*********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm 
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm 
