mchkorg asked:

How to restart a specific service when non-administrator; Windows Seven

Hi,
On a Windows 7 Business, used at home (no domain),
I'm trying to make my family (non-admin users) able to restart a specific service with a simple double-click on an icon (some application that goes wrong sometimes).
Every method leads to a blocking situation. Something's always missing. Can you help?

1) I tried a simple .bat with "net stop/start myservice".
I tried a 3rd-party tool to elevate privileges automatically (http://www.winability.com/elevate/) to avoid these boring UAC confirmation windows. I don't want to disable UAC.
But, as it's a .bat, I can't modify its properties to "run as administrator" for everyone.

2) OK, then I compiled it as a .exe with some "bat to exe" tool.
Now I can modify its compatibility settings to make it run as administrator. Works for me, let's say user "MYHOST\me".
BUT, the .exe is not signed, so "MYHOST\me" can confirm this other UAC window ("allow unknown publisher blah blah") with a simple click, but "MYHOST\mywifeorchild" has to authenticate as the only admin user - MYHOST\me - for which they don't have the password.

3) Then I tried to create a scheduled task and a shortcut to it (http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html).
(By the way, I got rid of the "elevate" program this way. My .bat is just "net stop / net start".)
That's OK, I created my shortcut to "schtasks.exe /run /tn MyTask". Runs for MYHOST\me.
But MYHOST\mywife can't launch it: "access denied". Furthermore, the task doesn't appear in the list when she's logged in. Like the task is for one user only (I didn't know that). I tried different settings with the running user (me, her) and the "logged on or not" option. Still not working.

I thought there could be an answer here https://www.experts-exchange.com/questions/26571977/Cannot-get-scheduled-tasks-to-run-under-Windows-7-for-non-admins.html but I don't understand.

How can I finally make it possible? By either:
- allowing one specific .exe as an exception for the signed application check in UAC? Some place in regedit?
- making this bat/exe/scheduled task/whatever runnable as admin for anyone?
- adding some specific permission to my non-admin users (something like LogonAsBatch?) Luckily, a Windows Business might allow it (vs. Home edition).
- the script might be PowerShell stuff as well, provided a non-admin can start it without authenticating.

Of course, I don't want them to get the full admin right.

Thank you,
zazagor

mchkorg

ASKER

OK, that's what I said: if I create my .exe from my .bat, I can set the permission you're talking about, BUT: UAC still asks for admin rights to confirm this unsigned binary is trustworthy.
And admin right means:
- a single click for me
- my password for the non-admin users

SOLUTION
Noghri

ASKER CERTIFIED SOLUTION
davorin

mchkorg

ASKER

I'll check this quickly, thank you

mchkorg

ASKER

davorin, I tried SetACL.
I ran this as admin:
setacl -on "My service" -ot srv -ace "n:A-Non-Admin-User;p:start_stop,read" -actn ace

But it told me:
WARNING: Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted.
WARNING: Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted.
INFO: Processing ACL of: <My service>
ERROR: Writing SD to <My service> failed with: Access denied.

Strange thing: Windows didn't ask for elevated privileges when I started this command.
I tried to use "elevate setacl...", it all says it's OK but when I list:
setacl -on "My service" -ot srv -actn list

I can't see any new permission.

Any idea?

mchkorg

ASKER

OK, I tried with "subinacl"
It worked, the trick was to start the "cmd" as administrator.
Maybe it was the same for setacl.
The command was:

C:\Program Files\Windows Resource Kits\Tools>subinacl /service "My Service" /GRANT=MYHOST\My-user=TO

Results:
My Service : delete Perm. ACE 4 myhost\my-user
My Service : new ace for myhost\my-user
My Service : 2 change(s)


Elapsed Time: 00 00:00:00
Done:        1, Modified        1, Failed        0, Syntax errors        0
Last Done  : My Service

I used:
http://www.eventlogblog.com/blog/2007/11/setting-service-permissions-wi.html
and http://blogs.msdn.com/b/astebner/archive/2006/09/04/739820.aspx
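
An added example, not part of the original thread: after a grant like the `subinacl ... =TO` one above, the service's security descriptor (as printed by `sc sdshow "My Service"`) can be checked to confirm the non-admin account received start and stop only, and not rights that allow reconfiguring the service. The SID and both SDDL strings below are constructed sample data, and the function names are hypothetical.

```python
import re

# SDDL access codes as interpreted for Windows service objects.
SERVICE_RIGHTS = {
    "CC": "query_config", "DC": "change_config", "LC": "query_status",
    "SW": "enumerate_dependents", "RP": "start", "WP": "stop",
    "DT": "pause_continue", "LO": "interrogate", "CR": "user_defined_control",
    "SD": "delete", "RC": "read_control", "WD": "write_dac", "WO": "write_owner",
}
DANGEROUS = {"change_config", "write_dac", "write_owner", "delete"}  # take-over rights
PRIVILEGED = {"SY", "BA"}  # LocalSystem and built-in Administrators

def decode_rights(field):
    """Map an ACE rights field to names; anything not decoded is kept as unknown."""
    if field.lower().startswith("0x"):  # numeric mask: flag for manual review
        return {"unknown:" + field}
    return {SERVICE_RIGHTS.get(c, "unknown:" + c) for c in re.findall("..", field)}

def parse_service_dacl(sddl):
    """Return (ace_type, trustee, rights) for every ACE in the D: section."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append((fields[0], fields[5], decode_rights(fields[2])))
    return aces

def audit(sddl):
    """List allow-ACEs that give a non-privileged trustee risky or undecoded rights."""
    findings = []
    for ace_type, trustee, rights in parse_service_dacl(sddl):
        risky = sorted(r for r in rights if r in DANGEROUS or r.startswith("unknown:"))
        if ace_type == "A" and trustee not in PRIVILEGED and risky:
            findings.append((trustee, risky))
    return findings

# Constructed sample data: a made-up user SID and two made-up service descriptors.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
NARROW = BASE + "(A;;RPWP;;;" + USER + ")"                      # start/stop only
BROAD = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + USER + ")"  # full control

if __name__ == "__main__":
    for name, sddl in (("NARROW", NARROW), ("BROAD", BROAD)):
        print(name, audit(sddl) or "no risky rights for non-admin trustees")
```

Generic codes such as `GA` and numeric masks are reported as `unknown:` so they get reviewed by hand rather than silently accepted.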

mchkorg

ASKER

Thank you for pointing me to these tools.
Temporarily enabling the built-in administrator account and starting a new command prompt with "runas /user:administrator cmd" should help with that problem.
I type too slow ;)
I'm glad you have solved your problem and thx for points.