OK, so on the basis that somebody here might already know the answer to
this one...
I want to give certain users the power to stop and restart a specific
service at will. I can do this by adding them to the local
Administrators group - however, that would *also* give them the power to
log other users off of the PC, which I don't want. Is there some way to
allow them to control this service, but *not* allow them to kick people
off the PC?
Also, just for your amusement: The PCs in question run Windows NT 4.0
SP6a. >_<
Invisible wrote:
> Also, just for your amusement: The PCs in question run Windows NT 4.0
> SP6a. >_<
Thoughts:
See if the service will run in a different group, or whether it needs to
have some sort of admin privs. Then give someone privileges to log in as
that group and control the service that way.
See if there's something in Group Policy that lists a specific stop/start
privilege for services. I'm talking under the "user rights assignment" table.
Third, write a "set uid" program and give it rights to impersonate the
administrator to start or stop the service.
Worse comes to worst, write a kludge program that runs all the time in the
administrators group and watches for a "start.txt" or "stop.txt" to be
created in a particular directory, then invokes the appropriate "net start"
and "net stop" commands. Note this solution takes no particular knowledge of
windows APIs and can be regulated just by giving whoever you want the
appropriate permissions on the appropriate directory.
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
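The trigger-file watcher suggested in the post above, sketched as a cmd batch file. This is an added example, not code posted by anyone in the thread; the service name, drop directory and log path are assumed placeholders.

```batch
@echo off
rem Added example (not from the thread). SVC, DROPDIR and LOG are placeholders.
rem Run under an account allowed to control the service. Give the delegated
rem group only create-file ("Add") permission on DROPDIR; keep LOG elsewhere.
set SVC=ExampleService
set DROPDIR=C:\svcctl
set LOG=C:\svcctl-log\requests.log

:loop
rem One request per pass; "stop" wins if both trigger files are present.
if exist "%DROPDIR%\stop.txt" goto dostop
if exist "%DROPDIR%\start.txt" goto dostart
goto wait

:dostop
del /f /q "%DROPDIR%\stop.txt"
rem If the trigger could not be removed (locked, or a directory with that
rem name), do nothing, so one leftover cannot stop the service repeatedly.
if exist "%DROPDIR%\stop.txt" goto stuck
rem Only the file's existence matters: its contents are never read, and
rem the service name is fixed above rather than taken from the requester.
net stop "%SVC%"
if errorlevel 1 echo stop %SVC% failed >> "%LOG%"
if not errorlevel 1 echo stop %SVC% ok >> "%LOG%"
goto wait

:dostart
del /f /q "%DROPDIR%\start.txt"
if exist "%DROPDIR%\start.txt" goto stuck
net start "%SVC%"
if errorlevel 1 echo start %SVC% failed >> "%LOG%"
if not errorlevel 1 echo start %SVC% ok >> "%LOG%"
goto wait

:stuck
echo trigger in %DROPDIR% could not be removed, request ignored >> "%LOG%"

:wait
rem Poll every few seconds; ping is used as a delay that needs no extra tools.
ping -n 6 127.0.0.1 > nul
goto loop
```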
Darren New wrote:
> Thoughts:
>
> See if the service will run in a different group, or whether it needs to
> have some sort of admin privs. Then give someone privileges to log in as
> that group and control the service that way.
>
> See if there's something in Group Policy that lists a specific
> stop/start privilege for services. I'm talking under the "user rights
> assignment" table.
>
> Third, write a "set uid" program and give it rights to impersonate the
> administrator to start or stop the service.
>
> Worse comes to worst, write a kludge program that runs all the time in
> the administrators group and watches for a "start.txt" or "stop.txt" to
> be created in a particular directory, then invokes the appropriate "net
> start" and "net stop" commands. Note this solution takes no particular
> knowledge of windows APIs and can be regulated just by giving whoever
> you want the appropriate permissions on the appropriate directory.
Doing some research, apparently it's not just files that can have
permissions. Registry keys, services, printers (??!) and so forth can
all have ACLs attached to them.
Not that you'd know that from the UI. :-P
Anyway, apparently Process Explorer has the power to show _and edit_ the
ACLs associated with a running service. (It's unclear whether it changes
the security token on the running process, or actually changes the
service configuration so that it will have the new security *every* time
it's run.)
Unfortunately, although this appears to work fine on Windows XP... [I'm
sure you see where I'm going with this.]
There's no huge problem with everybody having administrative rights over
the local machine, except... that allows you to forcibly log other
people off the machine. Which would be "bad".
And now I'm wondering... maybe it's a "right" you can set? (As you may
remember, permissions apply to resources, rights apply to users.) I
wonder if I can either assign the "stop service" right to a user group,
or else create a mini-admins group and somehow revoke the "kick people
off" right?...
Otherwise, yeah, I'm going to end up writing some horribly hackish
script to kill and restart this damned service. :-(
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Orchid XP v8 wrote:
> Doing some research, apparently it's not just files that can have
> permissions. Registry keys, services, printers (??!) and so forth can
> all have ACLs attached to them.
>
> Not that you'd know that from the UI. :-P
Huh...
Printer: http://i.techrepublic.com.com/gallery/60654-474-477.jpg
[stupid Ctrl-Enter sending message immediately]
Nicolas Alvarez wrote:
> Orchid XP v8 wrote:
>> Doing some research, apparently it's not just files that can have
>> permissions. Registry keys, services, printers (??!) and so forth can
>> all have ACLs attached to them.
>>
>> Not that you'd know that from the UI. :-P
>
> Huh...
>
> Printer: http://i.techrepublic.com.com/gallery/60654-474-477.jpg
http://tinyurl.com/6xqhbr
Registry key:
http://www.eisenschmidt.com/jweisen/misc/lawson/registry_permissions.jpg
http://www.oucs.ox.ac.uk/viruses/itss/regpermissions.png
Service:
http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
Share:
http://www.get-digital-help.com/permissions-recorded-tv.png
Exchange mailbox:
http://tinyurl.com/6m4ere
etc
Orchid XP v8 wrote:
> Doing some research, apparently it's not just files that can have
> permissions. Registry keys, services, printers (??!) and so forth can
> all have ACLs attached to them.
Um, sure. I hadn't heard of it with services, but the registry editor and
the printers both have property pages for security just like files do. You
might need to invoke regedt32 instead of regedit to get the version that has
the security stuff, IIRC.
And yes, everything has ACLs attached, including all your devices,
processes, connections, etc etc etc. Everything you can name in the kernel
has ACLs on it.
> Not that you'd know that from the UI. :-P
>
> Anyway, apparently Process Explorer has the power to show _and edit_ the
> ACLs associated with a running service. (It's unclear whether it changes
> the security token on the running process, or actually changes the
> service configuration so that it will have the new security *every* time
> it's run.)
It changes it next time it runs, if you change it from the service
configuration screens. (You know, the same set of tabs that shows you what
other services and stuff it depends on, not the "task manager"-like stuff. I
don't know which PE you're using there.)
I never tried setting up a service running as Fred and then had Fred try to
stop just that one. If that works, that would seem to be the way to go, if
you can.
> Unfortunately, although this appears to work fine on Windows XP... [I'm
> sure you see where I'm going with this.]
>
> There's no huge problem with everybody having administrative rights over
> the local machine, except... that allows you to forcibly log other
> people off the machine. Which would be "bad".
>
> And now I'm wondering... maybe it's a "right" you can set?
That was my second suggestion. It'll likely be in the "user rights
assignment" list if it is. Maybe domain controllers have more of this sort
of thing than the individuals?
> Otherwise, yeah, I'm going to end up writing some horribly hackish
> script to kill and restart this damned service. :-(
It's that, or learning some deep Windows juju to invoke the LoginUser API to
change your own ownership when the program runs. Maybe you could have a "run
as" script?
Does this help?
http://www.codeguru.com/cpp/w-p/system/article.php/c5755
At least someone else wrote the hacky script for you. :-)
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
Nicolas Alvarez wrote:
>> Not that you'd know that from the UI. :-P
> Printer: http://i.techrepublic.com.com/gallery/60654-474-477.jpg
And as long as we're pointing out the obvious... :-)
This is from Vista. I think you need regedt32 to get the "permissions" tab
under pre-XP systems.
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
Attachments:
Download 'image1.gif' (37 KB)
Nicolas Alvarez wrote:
> Service:
> http://blog.binaryfactory.ca/wp-content/uploads/2008/05/gpodefault.jpg
Hmmm... Where did you get that page from? It's not in my interface anywhere
obvious. Are you sure that's not specific to the print spooler?
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
http://support.microsoft.com/kb/256345/EN-US/
That says Windows 2000, but it might be similar on NT?
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
>> Doing some research, apparently it's not just files that can have
>> permissions. Registry keys, services, printers (??!) and so forth can
>> all have ACLs attached to them.
>>
>> Not that you'd know that from the UI. :-P
>
> Huh...
>
> Printer: http://i.techrepublic.com.com/gallery/60654-474-477.jpg
It's reasonably easy to overlook though. :-P
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*