Solved

Create a group policy to disable a service called K9 and enable the windows time service

Posted on 2007-11-26
26
10,708 Views
Last Modified: 2009-07-24
I was hoping someone could walk me throught the steps to create a GPO that will disable a windows service called K9 and enable the windows time service for all the computers in a particular Active Directory OU.
0
Comment
Question by:rorybrady
  • 8
  • 8
  • 4
  • +2
26 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 20351062
Hello again,

Install the GPMC on a machine that has the K9 service installed: http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Next load the GPMC
Select the target desktop OU and right click and select Create and link a new gpo here...
Give it an appropriate name
Now select that GPO and right click and Edit
Select Computer Configuration\Window Settings\Security Settings\System Services
From that list, K9 should show up, double click that one
Click Define this policy setting, leave security at default or edit as desired, click ok
Set service startup mode as disabled.  Click ok

Select the Windwos time service and do the same as above, but select automatic startup.

Now move to the Administrative Templates node of the GPMC
Select System, Windows Time Service, time Providers
Enable: Enable windows ntp client
Enable:Configure windows ntp client
configure above as:
Type NT5DS, leave the rest at defaults
Disable: Enabled Windows NTP server

That should do it...

Do not use this same policy on the OU that contains DC's.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20351160
One minor point to add to Pber's instructions - you must edit the GPO from a machine that has the K9 service installed in order for it to populate in the GP Editor list, if your administrative workstation does not have this service installed, you will not see it in the service list.  It's an idiosyncracy of the GPO Editor that can be annoying at times.
0
 

Expert Comment

by:eng_khalid101
ID: 20351259
I don't know what K9 service do but I can give you the way to force any service to be enabled or disabled on specific OU and you can give or deny the ability for users to change the status, please follow the instucions below,
(1) create new OU
(2) Create new policy
(3) edit the new policy and go to Computer Configuration > Security settings > system Services
(4) Double click on the service you like and specify the status you want
(5) Press Edit Secrity to specify the users that have permission to change the status of this service

please let me know if you need help in any step.
0
 

Author Comment

by:rorybrady
ID: 20351619
Thanks aagain for all your help. I need to add something to  this question, I need a script to run on these same computers that will remove the k9 service from windows. I can do it throught the command line but my scripting skills are limited.

This would be the command to remove the service from the command line now I just need to add it to a script that can run against all the computers in an OU

K9NT remove           to remove the service

Thanks,
Rory

0
 

Expert Comment

by:eng_khalid101
ID: 20351650
you can just disable it as I mentioned previously and restrict the ability to change the status
0
 

Author Comment

by:rorybrady
ID: 20351690
I appreciate that but I would like to remove the service.
0
 

Expert Comment

by:eng_khalid101
ID: 20351738
there is two way to do that
(1)
To Delete A Service
Start | Run and type cmd in the Open: line. Click OK.
Type: sc delete <service name>
Reboot the system

(2)
Click Start | Run and type regedit in the Open: line. Click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Scroll down the left pane, locate the service name, right click it and select Delete.
Reboot the system
0
 
LVL 26

Expert Comment

by:Pber
ID: 20351783
Method 1,
You could use the same GPO and add a shutdown or startup script.

Load the GPO in GPMC as before, then go to
Computer configuration\Windows settings\Scripts
Select startup or shutdown depending on when you want it to uninstall

Click Add
under script name put: k9nt.exe
under script parameters put: remove
click ok

Click Show files.
Copy the k9nt.exe file from a machine and place it in the folder that opened when you pressed show files.

this should remove the service at startup or shutdown for all machines.  This is temporary until all the machines have restated.

Method 2,
You could also do the same thing with psexec: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx

If you want to remove all instances of k9 on ALL computer including servers you can do this:
psexec \\* k9nt remove
You may need to add the path to k9nt if it isn't in the path

Method 3,
Same psexec method, but a specific list of computers.
Extract a list of computer that you want the service removed from, call it "machines.txt"
issue this command:
psexec @machines.txt k9nt remove


0
 

Author Comment

by:rorybrady
ID: 20351786
This K9 program has a command line command that will remove the service. I need to know how to run the command from a script that I can run on all the computers in a particular OU so I don't have to visit 200 computers.

Thanks
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20351824
Best way to do that would be to run the command remotely using PSExec (free download available here: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx) - create a text file containing all computer names in the OU, then use PSExec to run the command remotely against each computer.
0
 

Expert Comment

by:eng_khalid101
ID: 20351859
you can install software called "dameware" which give you alot of features on of them you can control all services on any computer since you are admin and you can delete any sevice just by one click
0
 

Author Comment

by:rorybrady
ID: 20352769
Hi LauraEHunterMVP:, this is a great little tool but how would I use it to apply this command to all the computers in a list?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 26

Expert Comment

by:Pber
ID: 20353037
0
 
LVL 26

Expert Comment

by:Pber
ID: 20353044
woops sorry for the typo on your name.
(;
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 250 total points
ID: 20353427
Assuming that the command-line string is "uninstall.exe -t", and your computer names are listed one per line in a file called computers.txt, your syntax would be something along the lines of:

psexec @c:computers.txt "uninstall.exe -t"

psexe /? will give you the full syntax - you may need to add additional command-line switches depending on your specific scenario.
0
 

Author Comment

by:rorybrady
ID: 20354247
Hi Pber: when I run this command I get an access denied error

psexec @K9.txt -u strathcona\administrator k9nt remove

Access is denied. (0x5)k9nt exited on lkdgp7c with error code 1.

Even though I am using the domain admin credentials. Any idea why?

Thanks,
Rory
0
 
LVL 26

Expert Comment

by:Pber
ID: 20358027
If you run it with domain admin privs, you won't need to specify the userid...

psexec @k9.txt k9nt remove
0
 
LVL 26

Expert Comment

by:Pber
ID: 20358091
You could also create a batch file and use SC as per eng_khalid101's solution

Create a batch file and past this in:

REM Start
for /F "tokens=1*" %%a in (k9.txt) do sc \\%%a delete k9
REM end

...This will run through all the entries in k9.txt and use SC to remove the service.

0
 

Author Comment

by:rorybrady
ID: 20358754
Hello, the problem with eng_khalid101's solution is that it requres a reboot. Lots of these machines don't get rebooted for months. Using the k9nt remove command removes the service without rebooting the box.

How do  I run the command with domain privlages? I tried psexec @k9.txt k9nt remove while logged on as a domin admin and I still get the access denied error.

0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 20358843
Do your clients have the Windows Firewall enabled?  They may be blocking the inbound ports required by PsExec
0
 
LVL 26

Expert Comment

by:Pber
ID: 20358985
It just gets placed in a pending deletion state until reboot.  Does it really matter if it isn't removed completely?  The original question was how to disable it via GPO, I presume it is already disabled so it shouldn't be an issue.

Anyhow,  can you connect to the machine like this:

psexec \\somemachine cmd

...then do a:

k9nt delete

...this should at least narrow down where the access denied is.



0
 

Author Comment

by:rorybrady
ID: 20359311
This is a weird issue. Since running the command to remove the service on the remote machine I am no longer able to manipulate the service. Its like the command screwed up the service. Even if I logon locally I can not stop or start the service, I get the access denied message even when I go through services.msc.
0
 
LVL 26

Assisted Solution

by:Pber
Pber earned 250 total points
ID: 20359436
Is the service disable via the GPO as per the original question of this post?

Personally I would do the: "for /F "tokens=1*" %%a in (k9.txt) do sc \\%%a delete k9" thing.  Even the k9nt remove probably won't completely remove the service until the next reboot anyhow.

If you really need it removed right now, reboot the machines.  Normally you should be patching your systems on a regular basis, so squeeze it into one of those reboots.   Or just say it's high priority because of timesync issues and kerberos authentication and notify your users and reboot the machines.
0
 

Author Comment

by:rorybrady
ID: 20359829
So I finally got this to work the way I need it to. I created a group policy obect that tells all machines to look at the domain controller to get the time. The batch script that I works for me is:

  psexec @K9.txt K9nt remove -s
  psexec @K9.txt sc config w32time start= auto
  psexec @K9.txt net start w32time

Without the -s switch the command screws up the k9 service. So now I have to figure out how to remove a service that won't let any users access it. Oh well at least I have everything I need to make this work.

Thanks everyone for all the help!!
0
 
LVL 1

Expert Comment

by:Computer101
ID: 20532234
Forced accept.

Computer101
EE Admin
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now