Solved

Unable to stop fax service on SBS2003 (Permissions problem)

Posted on 2010-09-13
Last Modified: 2013-12-04
I'm currently setting up a domain user with slightly less rights than a domain admin but enough to perform daily administration.

It was all going well until I discovered that this new user isn't able to stop the Fax Service (occasionally needs restarting). I can't think of how to grant access to do this and preferably without giving it access to stop/start/restart all services.

I'm probably going about this all wrong because this user is now practically everything but a domain admin.

Currently a member of:
Domain Power Users
Domain Users
Fax Operators
Remote Desktop Users
Remote Web Workplace Users
Server Operators
+(Anti-virus and WSUS groups)

Luckily I've started setting this up a good 2 weeks before I go on holiday so I have time to get it sorted.

Thanks in advance
Question by:CaTFiNcH

Accepted Solution

by: oBdA
oBdA earned 250 total points
You have several possibilities to delegate permissions to manage services.
I'd suggest creating a dedicated domain local group like "DL-Svc_FaxService" or whatever, give permissions to this group, and then add the user(s) or a global group with the user(s) to this group. Do NOT assign permissions directly to any resources unless there is a really good reason to do so.
How to grant users rights to manage services in Windows 2000
http://support.microsoft.com/kb/288129

If the user will be controlling the service(s) from a remote machine (which is likely, I guess), you need to change the permissions of the SCM as well, otherwise there won't be access to control any service at all:
Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1
http://support.microsoft.com/kb/907460
Author Comment

by:CaTFiNcH
Thanks for the response oBdA, from briefly looking at that solution it seems quite invasive, but I'm more than willing to have a play in the test environment. I should get a chance to try this at work tomorrow and post back.

Assisted Solution

by:oBdA
oBdA earned 250 total points
You can try the service permission delegation on any machine for testing; it doesn't have to be the DC.
The advantage to setting permissions with a GPO is that you can see where the permissions are coming from even afterwards; but in case you want to do it from the command line using subinacl.exe, and you have the W2k3 ResKit installed already, do NOT use this version (v4.x.), it's buggy and doesn't do anything. The corrected version is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b
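An added example, not part of the thread or of the linked KB articles: a Python check over the SDDL string that `sc sdshow <service>` prints, confirming that a delegated group such as the one suggested above holds only what is needed to restart a service and nothing that lets it reconfigure the service. The group SID, the sample SDDL strings and the "restart only" right set (query status, start, stop) are constructed assumptions.

```python
import re

# SDDL right codes as they apply to service objects (Win32 service access rights).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that allow reconfiguring, re-ACLing or deleting the service, not just restarting it.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE",
             "GENERIC_ALL", "GENERIC_WRITE"}
RESTART_ONLY = {"QUERY_STATUS", "START", "STOP"}  # assumed minimal set for this example

def parse_dacl(sddl):
    """Return [(ace_type, {right names}, trustee)] for the D: part of a service SDDL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.startswith("0x") or len(rights) % 2:
            raise ValueError("unsupported rights encoding: " + rights)  # fail closed
        names = {SERVICE_RIGHTS.get(code, code) for code in re.findall("..", rights)}
        aces.append((ace_type, names, trustee))
    return aces

def audit_trustee(sddl, trustee, allowed=RESTART_ONLY):
    """Return (granted, excess, dangerous) right-name sets from the trustee's allow ACEs."""
    granted = set()
    for ace_type, names, who in parse_dacl(sddl):
        if ace_type == "A" and who == trustee:
            granted |= names
    return granted, granted - allowed, granted & DANGEROUS

# Constructed samples in the shape of `sc sdshow` output; the group SID is a placeholder.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"
SAMPLE_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;LCRPWP;;;" + GROUP_SID + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_WIDE = SAMPLE_OK.replace("LCRPWP;;;" + GROUP_SID,
                                "CCDCLCSWRPWPDTLOCRRC;;;" + GROUP_SID)
```

A non-empty third set for the delegated group means the ACE grants more than a restart, for example the right to change the service configuration.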
