Didn't know SUBINACL could be used to set permissions on services - thanks.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Paul DeHaan
Sent: 14 January 2004 7:57 AM
To: thin@xxxxxxxxxxxxx; p.stage@xxxxxxx
Subject: [THIN] Re: Win2k Service Permissions

This can be done using the subinacl.exe resource kit file. If you need a copy email me offline. Read the documentation to figure out how it works... I used something like this in a script:

c:\temp\subinacl /verbose=1 /service \\server2\alerter /grant=Domain\User=F

There is also another non-MS tool like this called SetAcl.exe

Both work nicely,

Paul DeHaan CISSP, CCNA, CCA...
Network Administrator
J.M. Huber Corp.

------------>
"The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers."

>>> techlists@xxxxxxxxxxxxx 01/12/04 09:49PM >>>
The problem with just creating the app or script that lets them do a few services is that you have to still give them the right to manage all services. The privilege is all or nothing.

If you program, you can create an app or script that will let a user call a function that runs under the context of a more powerful account. In other words, you don't give the users the rights to restart services at all, but they can run a program that essentially has the right to. I read about it in Thomas Eck's ADSI Scripting book.
Here's an excerpt from an article where he talks about using the technique to let users unlock their own accounts (http://www.winnetmag.com/Articles/ArticleID/26696/pg/1/1.html):

Typically, resetting a password would require the user (or the Help desk staff member entering the information on the user's behalf) to have Administrative rights; all account management operations require some level of administrative rights to perform the requested action. However, you implement this application as a COM/COM+ object and run the COM server under the context of a Win2K Component Services package (on Win2K and IIS 5.0 systems) or a Microsoft Transaction Server (MTS) package (on NT 4.0 and Internet Information Server (IIS) 4.0 systems) to which you've assigned an administrative account's identity (see "Sample Self-Service Account-Administration Application" for details). Therefore, the user (e.g., the IUSR account) can run the AuthenticateUser function in the context of a more powerful account. To ensure security, the AuthenticateUser method requires the target user's secrets to be passed into the method as well. The script validates this data before unlocking the account or resetting the password. The concept of COM delegation is too complex to explain in detail in this article. However, "Making the Transition: Multi-Tier Development for System Administrators" (http://www.microsoft.com/technet/ittasks/deploy/making.asp), which is an excerpt from my book Windows NT/2000: ADSI Scripting for System Administration (Macmillan Technical Publishing, 2000), provides a complete tutorial.

Jeff Durbin

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
Sent: 13 January 2004 3:23 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Win2k Service Permissions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately, you cannot just give out privileges to manage a few services. You give them the right, or you don't.
You could create a VB app or VBScript that would be an interface for these services, so they could only stop/start/pause/restart certain services, without giving them full access to the Services MMC snap-in.

Chris

- -----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Stage, Paul
Sent: Monday, January 12, 2004 5:26 PM
To: thin@xxxxxxxxxxxxx (E-mail)
Subject: [THIN] Win2k Service Permissions

I need to allow a few users the rights to stop and start 3 services on a server. I have them set to start using an account with the proper privileges. I also have an MMC configured for them to start/stop only these services. The problem I have is I need to give them the proper permissions to start/stop ONLY these services without giving any additional privileges or the ability to stop/start other services. We are not running AD, so a GP would not be feasible. Can someone point me in the right direction?

Paul T. Stage MCP, A+
Information Services
LaPorte Hospital
Tel. (219) 326-1234 x7126
Fax (219) 325-6416
P.Stage@xxxxxxx
http://www.LaPorteHealth.org

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
Comment: Public PGP Key for Chris Lynch.

iQA/AwUBQANWhG9fg+xq5T3MEQKz/QCg6hzK3r9Fr6buRjn0wCnXrliVyx4An0MR
fdKfx5IiTwiCAIyCOsvoPmYD
=Scyo
-----END PGP SIGNATURE-----

********************************************************
This Week's Sponsor - RTO Software / TScale
What's keeping you from getting more from your terminal servers? Did you know, in most cases, CPU Utilization IS NOT the single biggest constraint to scaling up?! Get this free white paper to understand the real constraints & how to overcome them. SAVE MONEY by scaling-up rather than buying more servers.
http://www.rtosoft.com/Enter.asp?ID=147
*********************************************************
Useful Thin Client Computing Links are available at: http://thethin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm
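The subinacl command in the thread grants the operator full control (F) on the service, which also carries SERVICE_CHANGE_CONFIG, DELETE and WRITE_DAC and so lets that account redefine what the service runs; an operator who only needs to start and stop it needs none of those. The following added Python example, not from any poster, works on the SDDL form of a service security descriptor (the string `sc sdshow` prints and `sc sdset` accepts, a different tool from subinacl): it flags principals holding rights beyond query-status/start/stop and builds the minimal allow ACE for exactly those three rights. The default DACL and the operator SID are constructed sample values.

```python
import re

# SDDL right tokens used in service security descriptors (sc sdshow / sc sdset) and
# the winsvc.h / winnt.h names they stand for.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE", "RC": "READ_CONTROL",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
    "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder change what the service runs or who controls its ACL.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "GW"}
START_STOP = "LCRPWP"  # query status + start + stop, nothing else
ACE_RE = re.compile(r"\(([AD]);([^;]*);([^;]*);;;([^)]+)\)")

def parse_dacl(sddl):
    """Return [(ace_type, set_of_right_tokens, sid), ...] from the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, tokens, sid))
    return aces

def overprivileged(sddl, sids):
    """Map each SID in sids that holds an allow ACE with DANGEROUS rights to those rights."""
    findings = {}
    for ace_type, tokens, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in sids and tokens & DANGEROUS:
            findings[sid] = sorted(RIGHTS[t] for t in tokens & DANGEROUS)
    return findings

def grant_start_stop(sddl, sid):
    """Return sddl with an allow ACE for only query-status/start/stop appended to the DACL."""
    dacl, sep, sacl = sddl.partition("S:")
    return f"{dacl}(A;;{START_STOP};;;{sid}){sep}{sacl}"

# Constructed sample: a typical default service DACL (SYSTEM, Administrators, Interactive,
# Service) plus the audit SACL; OPERATOR is a placeholder SID for the helpdesk account.
OPERATOR = "S-1-5-21-111-222-333-1105"
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# What the operator ends up with after a full-control grant such as "/grant=Domain\User=F".
FULL = DEFAULT.replace("S:", f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{OPERATOR})S:")

if __name__ == "__main__":
    print(overprivileged(FULL, {OPERATOR}))    # the rights a start/stop operator should not hold
    print(grant_start_stop(DEFAULT, OPERATOR))  # pass to: sc sdset <service> "<this string>"
```

Run the audit against the output of `sc sdshow <service>` on each server to find grants that exceed start/stop, and apply the string from `grant_start_stop` per service instead of a full-control grant.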