Solved

local system account

Posted on 2014-01-23
6
360 Views
Last Modified: 2014-01-28
I have been asked to grant user "local system" of a server permission to restart a service.

It's not a user account in the security system to edit permissions on.

The service has a service account already tied to it so I'm not sure how another account would be able to manage that account...

This is for a 2008R2 and the service is for a sql instance.

Can anyone lead me down the right path of understanding this?

Thanks
0
Comment
Question by:DB1947
  • 3
  • 2
6 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39804339
Hi

I dont understand the question they have asked you, the LocalSystem account has complete unrestricted access to local resources on the machine.
How would the machine to be able to shutdown SQL after installing Windows Updates and needs a reboot? LocalSystem CAN.
0
 

Author Comment

by:DB1947
ID: 39804390
verbatim minuse names and IP addresses...

I'm at a complete loss.

Can you please grant user ‘local system’ of server SERVERNAME (10.10.10.10), permission to restart app services (e.g. 'serviceone', 'servicetwo').

We do NOT want you to change the service accounts.

We only need for user ‘local system’ of server SERVERNAME (10.10.10.10) to have service account right to the NT Authority \ System on the sql instance.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39804438
Ok... something i hate to say, but in my opinion the guys that asked you this have no clue on what they are talking about. So ask them to clarify and confront them with the below statement.

There is nothing on a single box that LocalSystem account can not do and is even more trusted then the local administrator.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:DB1947
ID: 39804641
I posted it here to see if anyone could add clarity to something that was unclear to everyone here.

I guess we need to dig deeper with the requester
0
 
LVL 11

Accepted Solution

by:
Venugopal N earned 500 total points
ID: 39807181
In our environment we used to get such a kind of request with the service account and the service for which the account need to be allow to stop and start the service.

If this is the request , then on the specified server need to add the user account ( Service account ) as per the below link..

http://www.dscentral.in/2011/10/11/allow-non-admin-control-windows-service/

Check if this the request for in your case.
0
 

Author Closing Comment

by:DB1947
ID: 39815200
This is exactly what we were looking for.  Thank you sir
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 10 Firewall question 5 73
SQL Server Communications Audit 5 70
Creating and Connection two new domains 5 79
Auto Login Script 3 19
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
Know what services you can and cannot, should and should not combine on your server.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now