Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Comment accorder des permissions de démarrage/arrêt/redémarrage d'un service à un utilisateur quelconque sur un serveur hors domaine ?

ayi

Nous avons a suite of Windows Services running on our servers qui perform a bunch of automated tasks independently of one another, avec le exception of one service qui looks après le autre services.

In le event that one of le services should fail to respond ou hang, this service attempts to redémarrez le service and, si an exception is thrown pendant le attempt, emails le support team instead, so that they can redémarrez le service themselves.

Having done a little research, J'ai come across a peu de 'solutions' qui range depuis le workaround mentioned in KB907460 to giving le account under qui le service is running administrator rights.

Je suis pas comfortable avec soit of these methods - Je ne understand le consequences of le premier method as outlined in Microsoft's knowledge base article, mais I definitely ne want to give administrator access to le account under qui le service is running.

J'ai taken a quick look through le Local Security Policy et autre than le policy qui defines si ou pas an account can log on as a service, Je ne peux pas see anything else qui looks like it refers to services.

We're running this on Server 2003 et Server 2008, so tout ideas ou pointers would be graciously received!

Clarification: Je ne want to grant le ability to start/stop/restart ALL services to a given user ou group - Je veux to be able to grant le permission to do so on specific services only, to a given user ou group.

Further Clarification: The servers J'ai besoin de to grant these permissions on do pas belong to a domain - they are two internet-facing servers qui receive files, process them et send them on to third parties, as well as serving a couple of websites, so Active Directory Group Policy n'est pas possible. Sorry that Je n'ai pas make this clearer.

ayi

There ne appear to be a GUI-based way of doing this sauf si you're joined to a domain - at least pas one I could find anywhere - so I did a bit more digging et J'ai found an answer that works for our situation.

Je n'ai pas understand what le string representation meant in le knowledge base article, mais doing a bit of digging led me to discover that c'est SDDL syntax. Further digging led me to this article by Alun Jones qui explains how to get le security descriptor for a service et what chaque bit means. MS KB914392 has more details.

To append to le service's existing security descriptor, use sc sdshow "Service Name" to get le existing descriptor. If this is a plain old .NET Windows Service - as is le case avec ours - le security descriptor should look something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA
;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

We needed to grant permissions RP (to démarrez le service), WP (to arrêtez le service), DT (to pause/continue le service) et LO (to query le service's current status). This could be done by adding our service account to le Power Users group, mais I seulement want to grant individual access to le account under qui le maintenance service runs.

Using runas to open a command prompt under le service account, I ran whoami /all qui gave me le SID of le service account, et alors constructed le additional SDDL below:

(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)

This alors gets added to le D: section of le SDDL string above:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP
DTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)

Ceci est alors applied to le service using le sc sdset command (before le S: text):

sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU
)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD)

If tous goes according to plan, le service can alors be started, stopped, paused et have c'est status queried by le user defined by le SID above.