tavseth
How to find StartName accounts for use with service installation
Hi,
I am attempting to find a list of the users available to run a service (StartName). I have unsuccessfully sought good info on this topic, and I find that even the SCM doesn't list all the service StartName users available.
Names that should be returned would be along the line of:
NT AUTHORITY\LocalService
LocalSystem
.\ASPNET
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NetworkService
Is there a way for me to do this, preferably in Delphi? Do you know of any good sources for info on this topic?
Kind regards,
Tor Avseth
ASKER
See, I already have the WMIset from online-admin, and I have used e.g. the WMIquery which they supply. I can read the different StartNames that are used with the currently installed services.
However, what I want is to fill e.g. a list box with the names that I may legally (or practically) use for StartName when installing a service...
-Tor
look at: LsaEnumerateAccountsWithUserRight() maybe this will help
i think that account should have SE_SERVICE_LOGON_NAME privilege
ziolko.
Maybe you could see these links
It's in French but the unit is in English:
http://tothpaul.free.fr/sources.php?tools.ntservice (He wrote the Book Delphi 7 Studio - Publisher :Eyrolles)
See the code in the NTService.zip if it can help you
See also (German Site - also in English)
http://assarbad.net/en/stuff
and on the same site :
http://assarbad.net/en/stuff/tutorials/ntsvc/
>i think that account should have SE_SERVICE_LOGON_NAME privilege
AFAIK: depending on what the service needs to access, the user used will need the logon as a service right before anything else. I personally never set that privilege for any user account I used for services.
also keep in mind that you will have to precede the name with a ".\" to mark local machine ;)
ciuly as i understand question it's not about setting privileges but enumerating accounts which can be used to run service
like i said I THINK that it's that priv
ziolko.
ASKER
Ziolko,
that is right, I wish to list the users that have permission to run services. I might toss in an admin-rights prerequisite as well later..
My intention is to make the UI as simple as possible, to reduce the amount of traffic on customer support. So I wish to do most of the thinking for the admin... ;)
Currently looking across the net for more on the leads you gave me, it seems Colin Wilson's Delphi pages contain utilities that I can use to access LSA. Too bad I am a bit of a rookie and not knowing how to use it yet.
Rgds, Tor
ziolko, I understood what he wanted. but I know for a fact that a user needs the logon as a service priv (SeServiceLogonRight) in order for a service to be run under that users context.
so what I was trying to say is that indeed use that enum function, but use another priv which makes sure you will get correct accounts ;)
what I do for my typical applications is create a user then grant about 22 privileges (this makes sure that my service is allowed to do most stuff, including networking, registry and user management, without being in the admin group). but SeServiceLogonRight IS the one that is needed 100% in order for a service to be able to start under a specified user. the rest depend on what the service needs to do.
and ... I don't set the SE_SERVICE_LOGON_NAME name :)
hehe. I just did some googling and found
#define SE_SERVICE_LOGON_NAME TEXT("SeServiceLogonRight")
so we were talking about the same thing :))
ASKER CERTIFIED SOLUTION
ASKER
Russel,
this looks to be working wonders. Short of the definition of NTSERVICE and MAX_BUFFER, your code was paste and play.
I do wonder though, how is it I don't get LocalSystem or NT AUTHORITY\LocalService returned? LocalService and LocalSystem seem to run most of the services installed on my computer, so why don't they show up in this lookup? If I make another lookup towards SeIncreaseQuotaPrivilege, I do get NT-AUTHORITY\Local Service.
Do you know?
Regards, Tor
PS: I added some privilege names (though they're irrelevant when it comes to starting services?) copied from C.Wilson:
SE_CREATE_TOKEN_NAME = 'SeCreateTokenPrivilege';
SE_ASSIGNPRIMARYTOKEN_NAME = 'SeAssignPrimaryTokenPrivilege';
SE_LOCK_MEMORY_NAME = 'SeLockMemoryPrivilege';
SE_INCREASE_QUOTA_NAME = 'SeIncreaseQuotaPrivilege';
SE_UNSOLICITED_INPUT_NAME = 'SeUnsolicitedInputPrivilege';
SE_MACHINE_ACCOUNT_NAME = 'SeMachineAccountPrivilege';
SE_TCB_NAME = 'SeTcbPrivilege';
SE_SECURITY_NAME = 'SeSecurityPrivilege';
SE_TAKE_OWNERSHIP_NAME = 'SeTakeOwnershipPrivilege';
SE_LOAD_DRIVER_NAME = 'SeLoadDriverPrivilege';
SE_SYSTEM_PROFILE_NAME = 'SeSystemProfilePrivilege';
SE_SYSTEMTIME_NAME = 'SeSystemtimePrivilege';
SE_PROF_SINGLE_PROCESS_NAME = 'SeProfileSingleProcessPrivilege';
SE_INC_BASE_PRIORITY_NAME = 'SeIncreaseBasePriorityPrivilege';
SE_CREATE_PAGEFILE_NAME = 'SeCreatePagefilePrivilege';
SE_CREATE_PERMANENT_NAME = 'SeCreatePermanentPrivilege';
SE_BACKUP_NAME = 'SeBackupPrivilege';
SE_RESTORE_NAME = 'SeRestorePrivilege';
SE_SHUTDOWN_NAME = 'SeShutdownPrivilege';
SE_DEBUG_NAME = 'SeDebugPrivilege';
SE_AUDIT_NAME = 'SeAuditPrivilege';
SE_SYSTEM_ENVIRONMENT_NAME = 'SeSystemEnvironmentPrivilege';
SE_CHANGE_NOTIFY_NAME = 'SeChangeNotifyPrivilege';
SE_REMOTE_SHUTDOWN_NAME = 'SeRemoteShutdownPrivilege';
These 2 built-in accounts are not recognized by the security subsystem (eg, you can't specify either name in a call to the LookupAccountName function), so I would venture this might have something to do with it. But when dealing with service logon rights, it would be correct in adding both these accounts to your list.
-- LocalSystem Account --
The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService function, any password information you provide is ignored.
-- LocalService Account --
The LocalService account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has minimum privileges on the local computer and presents anonymous credentials on the network. The name of the account in all locales is NT AUTHORITY\LOCALSERVICE. This account does not have a password. If you specify the LocalService account in a call to the CreateService function, any password information you supply is ignored.
---
Russell
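Putting the thread's pieces together, here is an added Delphi example (my own, not Russell's accepted code, which is not visible here) that enumerates the accounts holding SeServiceLogonRight through LsaEnumerateAccountsWithUserRight and adds the built-in accounts by hand, since the security subsystem does not resolve them. The LSA declarations are hand-written against advapi32.dll rather than taken from a JEDI unit, and the ".\" prefix for local accounts follows ciuly's note above.

```delphi
program ListServiceLogonAccounts;
{$APPTYPE CONSOLE}
uses Windows, SysUtils, Classes;
type  // hand-written LSA declarations for this example (JEDI's JwaNtSecApi unit has the full set)
  TLsaUnicodeString = record Length, MaximumLength: Word; Buffer: PWideChar; end;
  TLsaObjectAttributes = record Length: ULONG; RootDirectory: THandle; ObjectName: Pointer;
    Attributes: ULONG; SecurityDescriptor, SecurityQualityOfService: Pointer; end;
  TSidArray = array[0..MaxInt div SizeOf(PSID) - 1] of PSID; // LSA_ENUMERATION_INFORMATION is just { PSID Sid }
  PSidArray = ^TSidArray;
function LsaOpenPolicy(SystemName: Pointer; var Attr: TLsaObjectAttributes; Access: ACCESS_MASK;
  var Policy: Pointer): LongInt; stdcall; external 'advapi32.dll';
function LsaEnumerateAccountsWithUserRight(Policy, UserRight: Pointer; var Buffer: Pointer;
  var Count: ULONG): LongInt; stdcall; external 'advapi32.dll';
function LsaFreeMemory(Buffer: Pointer): LongInt; stdcall; external 'advapi32.dll';
function LsaClose(Policy: Pointer): LongInt; stdcall; external 'advapi32.dll';

// Resolve a SID to DOMAIN\name; accounts local to this machine come back as .\name.
function SidToAccount(Sid: PSID): string;
var Name, Domain, Comp: array[0..255] of Char; NameLen, DomLen, CompLen: DWORD; Use: SID_NAME_USE;
begin
  Result := ''; NameLen := 256; DomLen := 256; CompLen := 256;
  if not LookupAccountSid(nil, Sid, Name, NameLen, Domain, DomLen, Use) then Exit; // e.g. orphaned SID
  if GetComputerName(Comp, CompLen) and (StrIComp(Comp, Domain) = 0) then
    Result := '.\' + StrPas(Name) else Result := StrPas(Domain) + '\' + StrPas(Name);
end;

// Fill Names with every account that may be passed as StartName to CreateService.
procedure ListServiceLogonAccounts(Names: TStrings);
const
  RightName: WideString = 'SeServiceLogonRight'; // the one right a service account must hold
  POLICY_VIEW_LOCAL_INFORMATION = 1; POLICY_LOOKUP_NAMES = $800;
var Attr: TLsaObjectAttributes; Right: TLsaUnicodeString; Policy, Buf: Pointer; Count: ULONG; I: Integer; Acct: string;
begin
  // The built-in service accounts are unknown to the security subsystem and never appear in the LSA enumeration.
  Names.Add('LocalSystem'); Names.Add('NT AUTHORITY\LocalService'); Names.Add('NT AUTHORITY\NetworkService');
  FillChar(Attr, SizeOf(Attr), 0); Attr.Length := SizeOf(Attr);
  if LsaOpenPolicy(nil, Attr, POLICY_VIEW_LOCAL_INFORMATION or POLICY_LOOKUP_NAMES, Policy) <> 0 then
    raise Exception.Create('LsaOpenPolicy failed (an administrative context is normally required)');
  try
    Right.Buffer := PWideChar(RightName); Right.Length := Length(RightName) * 2; Right.MaximumLength := Right.Length + 2;
    if LsaEnumerateAccountsWithUserRight(Policy, @Right, Buf, Count) = 0 then // non-zero status: no holders
    try
      for I := 0 to Integer(Count) - 1 do
      begin Acct := SidToAccount(PSidArray(Buf)^[I]); if Acct <> '' then Names.Add(Acct); end;
    finally LsaFreeMemory(Buf); end;
  finally LsaClose(Policy); end;
end;

var L: TStringList;
begin L := TStringList.Create; try ListServiceLogonAccounts(L); Writeln(L.Text); finally L.Free; end; end.
```

Accounts holding the right only through group membership are listed under the group's name, so resolve groups further if the list box must show individual users.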
ASKER
I simply have no further questions...
-Tor :)
You can download WMI components from http://www.online-admin.com/wmiset.html
ziolko.