?
Solved

user does not have permission to start service

Posted on 2006-04-06
6
Medium Priority
?
210 Views
Last Modified: 2013-12-04
I'm trying to lock down a PC that has windows XP Pro running and is not on a domain.

the issue im having is trying to allow specific users to have access to run specific services. IE: DHCP, DNS and pcAnywhere.

ive also tried to use the "LOGON" feature and that doesnt work and i cant seem to find/locate the policy to allow this.

please help



0
Comment
Question by:lgropper
  • 4
6 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16397071
Hi lgropper,

you can or you cant start the services

you do want to be able to or dont

Cheers!
0
 

Author Comment

by:lgropper
ID: 16401433
i cant
0
 

Author Comment

by:lgropper
ID: 16401767
i cant start the services as a user and i need to be able to start them. either selected services or all.
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 10

Accepted Solution

by:
Walter Padrón earned 2000 total points
ID: 16404730
To allow/disallow specific users to start/stop services "sc" is the tool you are looking for, you need to edit the discretionary access control lists of the services *** BE careful you can make your system unusable ***

you can set the security descriptor using
Start>RUN>sc sdset service "security descriptor"

you can view the security descriptors
Start>RUN>sc sdshow service

you also need to read this http://support.microsoft.com/kb/914392/  to understand theSecurity Descriptor Definition Language (SDDL) syntax
0
 

Author Comment

by:lgropper
ID: 16420310
thank you, i read the  documentation you provided.

i cant seem to find the syntax to use to change the values.

IE: DHCP is as follows:

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

How do i change (A;;CCLCSWLOCRRC;;;AU) to (A;;CCLCSWRPWPDTLOCRRC;;;AU)

but keeping all the rest of the values intact?
0
 

Author Comment

by:lgropper
ID: 16421220
ADDITION TO THE ABOVE:

i ran SC SDSET DHCP D:(A;;CCLCSW*RPWPDT*LOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

** = my addition

and when i log in as on of the users i'm getting an " ERROR 1079: The account specified for this service is different from the account specified for other services running the in the same process."

i'm not sure why this is. all the users are under the USER group. so wouldnt my changes work for AUTHENTICATED USERS?

PLEASE HELP
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?
Suggested Courses
Course of the Month14 days, 11 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question