rorybrady
asked on
Create a group policy to disable a service called K9 and enable the windows time service
I was hoping someone could walk me throught the steps to create a GPO that will disable a windows service called K9 and enable the windows time service for all the computers in a particular Active Directory OU.
One minor point to add to Pber's instructions - you must edit the GPO from a machine that has the K9 service installed in order for it to populate in the GP Editor list, if your administrative workstation does not have this service installed, you will not see it in the service list. It's an idiosyncracy of the GPO Editor that can be annoying at times.
I don't know what K9 service do but I can give you the way to force any service to be enabled or disabled on specific OU and you can give or deny the ability for users to change the status, please follow the instucions below,
(1) create new OU
(2) Create new policy
(3) edit the new policy and go to Computer Configuration > Security settings > system Services
(4) Double click on the service you like and specify the status you want
(5) Press Edit Secrity to specify the users that have permission to change the status of this service
please let me know if you need help in any step.
(1) create new OU
(2) Create new policy
(3) edit the new policy and go to Computer Configuration > Security settings > system Services
(4) Double click on the service you like and specify the status you want
(5) Press Edit Secrity to specify the users that have permission to change the status of this service
please let me know if you need help in any step.
ASKER
Thanks aagain for all your help. I need to add something to this question, I need a script to run on these same computers that will remove the k9 service from windows. I can do it throught the command line but my scripting skills are limited.
This would be the command to remove the service from the command line now I just need to add it to a script that can run against all the computers in an OU
K9NT remove to remove the service
Thanks,
Rory
This would be the command to remove the service from the command line now I just need to add it to a script that can run against all the computers in an OU
K9NT remove to remove the service
Thanks,
Rory
you can just disable it as I mentioned previously and restrict the ability to change the status
ASKER
I appreciate that but I would like to remove the service.
there is two way to do that
(1)
To Delete A Service
Start | Run and type cmd in the Open: line. Click OK.
Type: sc delete <service name>
Reboot the system
(2)
Click Start | Run and type regedit in the Open: line. Click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentCon trolSet\Se rvices
Scroll down the left pane, locate the service name, right click it and select Delete.
Reboot the system
(1)
To Delete A Service
Start | Run and type cmd in the Open: line. Click OK.
Type: sc delete <service name>
Reboot the system
(2)
Click Start | Run and type regedit in the Open: line. Click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\
Scroll down the left pane, locate the service name, right click it and select Delete.
Reboot the system
Method 1,
You could use the same GPO and add a shutdown or startup script.
Load the GPO in GPMC as before, then go to
Computer configuration\Windows settings\Scripts
Select startup or shutdown depending on when you want it to uninstall
Click Add
under script name put: k9nt.exe
under script parameters put: remove
click ok
Click Show files.
Copy the k9nt.exe file from a machine and place it in the folder that opened when you pressed show files.
this should remove the service at startup or shutdown for all machines. This is temporary until all the machines have restated.
Method 2,
You could also do the same thing with psexec: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
If you want to remove all instances of k9 on ALL computer including servers you can do this:
psexec \\* k9nt remove
You may need to add the path to k9nt if it isn't in the path
Method 3,
Same psexec method, but a specific list of computers.
Extract a list of computer that you want the service removed from, call it "machines.txt"
issue this command:
psexec @machines.txt k9nt remove
You could use the same GPO and add a shutdown or startup script.
Load the GPO in GPMC as before, then go to
Computer configuration\Windows settings\Scripts
Select startup or shutdown depending on when you want it to uninstall
Click Add
under script name put: k9nt.exe
under script parameters put: remove
click ok
Click Show files.
Copy the k9nt.exe file from a machine and place it in the folder that opened when you pressed show files.
this should remove the service at startup or shutdown for all machines. This is temporary until all the machines have restated.
Method 2,
You could also do the same thing with psexec: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
If you want to remove all instances of k9 on ALL computer including servers you can do this:
psexec \\* k9nt remove
You may need to add the path to k9nt if it isn't in the path
Method 3,
Same psexec method, but a specific list of computers.
Extract a list of computer that you want the service removed from, call it "machines.txt"
issue this command:
psexec @machines.txt k9nt remove
ASKER
This K9 program has a command line command that will remove the service. I need to know how to run the command from a script that I can run on all the computers in a particular OU so I don't have to visit 200 computers.
Thanks
Thanks
Best way to do that would be to run the command remotely using PSExec (free download available here: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx) - create a text file containing all computer names in the OU, then use PSExec to run the command remotely against each computer.
you can install software called "dameware" which give you alot of features on of them you can control all services on any computer since you are admin and you can delete any sevice just by one click
ASKER
Hi LauraEHunterMVP:, this is a great little tool but how would I use it to apply this command to all the computers in a list?
woops sorry for the typo on your name.
(;
(;
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Pber: when I run this command I get an access denied error
psexec @K9.txt -u strathcona\administrator k9nt remove
Access is denied. (0x5)k9nt exited on lkdgp7c with error code 1.
Even though I am using the domain admin credentials. Any idea why?
Thanks,
Rory
psexec @K9.txt -u strathcona\administrator k9nt remove
Access is denied. (0x5)k9nt exited on lkdgp7c with error code 1.
Even though I am using the domain admin credentials. Any idea why?
Thanks,
Rory
If you run it with domain admin privs, you won't need to specify the userid...
psexec @k9.txt k9nt remove
psexec @k9.txt k9nt remove
You could also create a batch file and use SC as per eng_khalid101's solution
Create a batch file and past this in:
REM Start
for /F "tokens=1*" %%a in (k9.txt) do sc \\%%a delete k9
REM end
...This will run through all the entries in k9.txt and use SC to remove the service.
Create a batch file and past this in:
REM Start
for /F "tokens=1*" %%a in (k9.txt) do sc \\%%a delete k9
REM end
...This will run through all the entries in k9.txt and use SC to remove the service.
ASKER
Hello, the problem with eng_khalid101's solution is that it requres a reboot. Lots of these machines don't get rebooted for months. Using the k9nt remove command removes the service without rebooting the box.
How do I run the command with domain privlages? I tried psexec @k9.txt k9nt remove while logged on as a domin admin and I still get the access denied error.
How do I run the command with domain privlages? I tried psexec @k9.txt k9nt remove while logged on as a domin admin and I still get the access denied error.
Do your clients have the Windows Firewall enabled? They may be blocking the inbound ports required by PsExec
It just gets placed in a pending deletion state until reboot. Does it really matter if it isn't removed completely? The original question was how to disable it via GPO, I presume it is already disabled so it shouldn't be an issue.
Anyhow, can you connect to the machine like this:
psexec \\somemachine cmd
...then do a:
k9nt delete
...this should at least narrow down where the access denied is.
Anyhow, can you connect to the machine like this:
psexec \\somemachine cmd
...then do a:
k9nt delete
...this should at least narrow down where the access denied is.
ASKER
This is a weird issue. Since running the command to remove the service on the remote machine I am no longer able to manipulate the service. Its like the command screwed up the service. Even if I logon locally I can not stop or start the service, I get the access denied message even when I go through services.msc.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So I finally got this to work the way I need it to. I created a group policy obect that tells all machines to look at the domain controller to get the time. The batch script that I works for me is:
psexec @K9.txt K9nt remove -s
psexec @K9.txt sc config w32time start= auto
psexec @K9.txt net start w32time
Without the -s switch the command screws up the k9 service. So now I have to figure out how to remove a service that won't let any users access it. Oh well at least I have everything I need to make this work.
Thanks everyone for all the help!!
psexec @K9.txt K9nt remove -s
psexec @K9.txt sc config w32time start= auto
psexec @K9.txt net start w32time
Without the -s switch the command screws up the k9 service. So now I have to figure out how to remove a service that won't let any users access it. Oh well at least I have everything I need to make this work.
Thanks everyone for all the help!!
Forced accept.
Computer101
EE Admin
Computer101
EE Admin
Install the GPMC on a machine that has the K9 service installed: http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
Next load the GPMC
Select the target desktop OU and right click and select Create and link a new gpo here...
Give it an appropriate name
Now select that GPO and right click and Edit
Select Computer Configuration\Window Settings\Security Settings\System Services
From that list, K9 should show up, double click that one
Click Define this policy setting, leave security at default or edit as desired, click ok
Set service startup mode as disabled. Click ok
Select the Windwos time service and do the same as above, but select automatic startup.
Now move to the Administrative Templates node of the GPMC
Select System, Windows Time Service, time Providers
Enable: Enable windows ntp client
Enable:Configure windows ntp client
configure above as:
Type NT5DS, leave the rest at defaults
Disable: Enabled Windows NTP server
That should do it...
Do not use this same policy on the OU that contains DC's.