Igore65
asked on
Remotely stop service without Admin permissions
I know that you can stop services with the SC command, but that requires Admin rights on the target machine. I have used the SC SDSET command to modify the SDDL set for the service in question. Now I have it so that the non-admin user can stop and start the service locally. This command will not work remotely. User VPNs into the network and I have tried several combinations to use the SC Stop command and always get Access is Denied. I tested it locally by giving the user account Logon Locally, and the user can only stop/start the 2 services that I modified, but cannot do it remotely.
Tried creating scripts that would run the SC Stop command on the remote Server, but is being accessed via a share and therefore seems to detect that the command is not local. I have tried a local (to the VPN user's PC) script that calls a script on the remote Server that runs the SC Stop command and it still fails.
What am I missing?
Alternatively, thinking of this another way, write a batch file to run the SC command, but like this....
Get the date & time as an env variable, use that env variable to run a scheduled task within so many seconds .. The scheduled task under the system account can now turn on the service with SC
Regards
Correction .. I meant turn off the service
ASKER
I can't use GPO as the user is a contractor and not directly in the domain. The PC is remote and just comes in through a VPN account. I am trying to give the user (who has a domain account) limited access to a few folders and to manage just the 2 services that he is writing App code for...
I changed the SDDL to allow his SID to start/stop the needed services. This works locally. I have tried the script files thing... Wrote a couple of simple scripts and have them on the Server. I VPN in and open the folder with the scripts and run them and it says Access is Denied... But if logged in locally, they work great. They even work well if the user is logged on in the LAN and not coming in through a VPN... There is something about the VPN...
Scripts:
runas /user:username@domain_name \\server_name\informz\Service_MGMT\Formatter_Stop.cmd
This calls the script that runs the sc command:
sc \\Server_Name stop informzformatter
Stumped on where to go... I am investigating other apps developed to stop services using admin permissions that will allow me to encrypt the PW.
I think it's something to do with the local security policy of that server. Check the settings on that server.
When he does VPN, does he log on to the domain?
When logging on locally, does he log on to the domain?
ASKER
The solution turned out to be using a 3rd-party utility to do a hybrid of the SC command. Using SVCUtil.exe allows the user to stop and start the needed services. I am not sure how this App connects to the Server differently than the Native SC command does, but it allows the user to manage the needed Services.
ASKER
I just want it closed
Define the permissions of the service in a GP object via
Computer configuration > Windows Settings > Security Settings > System Services >
Regards
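An added example, not part of the original thread or written by any of its participants: a Python check for the kind of per-service SDDL delegation discussed above. It parses a descriptor as printed by sc sdshow and reports whether a given SID was granted only start/stop, or also rights that would let it reconfigure the service or rewrite its ACL. The SID, the descriptor and the function names are constructed for illustration.

```python
import re

# SDDL right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
EXCESSIVE = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE", "GENERIC_ALL"}

def parse_dacl(sddl):
    """Return (ace_type, trustee, rights) tuples for the D: part only."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # skip malformed or conditional ACEs
        # Two-letter codes only; a hex mask stays as raw, unmapped text.
        rights = {SERVICE_RIGHTS.get(c, c) for c in re.findall("..", fields[2])}
        aces.append((fields[0], fields[5], rights))
    return aces

def audit_trustee(sddl, trustee):
    """Summarise what one SID (or SDDL alias such as IU) is granted directly.
    Group membership is not resolved; explicit deny ACEs are subtracted."""
    allowed, denied = set(), set()
    for ace_type, who, rights in parse_dacl(sddl):
        if who == trustee and ace_type == "A":
            allowed |= rights
        elif who == trustee and ace_type == "D":
            denied |= rights
    effective = allowed - denied
    return {"start": "START" in effective, "stop": "STOP" in effective,
            "excess": sorted(effective & EXCESSIVE)}

# Constructed sample: a typical default service descriptor plus one delegated ACE.
CONTRACTOR = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up SID
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "(A;;RPWPLC;;;" + CONTRACTOR + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for who in (CONTRACTOR, "IU", "BA"):
        print(who, audit_trustee(SAMPLE, who))
```

An empty "excess" list for the delegated SID means the ACE is limited to the intended rights; the check covers only the service's own descriptor, not whatever else governs remote access.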