Archived from groups: microsoft.public.win2000.security (
More info?)
Thanks, Steve. I found another thread under Windows Server 2003 that helped,
though I am not sure it will be a long term solution. The permissions on the
service control manager database did change with SP1 (see below). We used
the SC sdset command to reset them. Problem is we have 50 servers and what
happens with next patch or SP? thanks for your response
C:\>sc sdshow scmanager
This is SP1 info
D
A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S
AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This is the RTM info:
D
A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S
AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Comparing the 2 show that in Windows 2003 RTM version, Authenticated users
have read and write permission. In SP1 they do not have this permission. They
do not even have LC (List Contents) permission on scmanager. The requisite
permissions were added to scmanager for Authenticated Users with the
following command:
SC.EXE sdset scmanager
D
A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S
AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This adds the following permissions for authenticated users:
List Contents
Read All Properties
Read Permissions
This enabled sufficient access to the service control manager for
authenticated users.
"Steven L Umbach" wrote:
> Check to see if the Windows Firewall is enabled on the target server and if
> it is temporarily disable it to see if that fixes your problem and/or see if
> a domain admin or a domain user that is local administrator on the server
> can manage the service remotely. If an admin can then it sounds like the
> service permissions got mucked up and if they can not it is some other
> problem probably networking related. To check the permissions on the server
> for the service to see if it is what you expect in case that changed for
> some reason use the Security Configuration and Analysis mmc snapin as shown
> in the link below or a tool such as subinacl. The Resultant Set of Policy
> mmc snapin on a Windows 2003 domain controller or the W2003 server itself
> can also be used to see if the Group Policy is being applied correctly to
> the server. --- Steve
>
>
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
>
> "cfsHighland" <cfsHighland@discussions.microsoft.com> wrote in message
> news
3A16233-6414-4CAC-8FA5-AE1EF2C213AA@microsoft.com...
> > Have group policy set up to allow the HelpDesk to manage print spooler
> > services on all servers. The group is not member of local Admin group.
> >
> > Installed SP1 on one of the servers. The group is now unable to open the
> > services on this server. Full error:
> >
> > Unable to open service control manager database on servername.
> > Error 5: Access is denied.
> >
> > Am able to open computer in computer management, but still get access
> > denied
> > when try to access services.
> >
> > Thanks in advance for your help
> >
> >
>
>
>
Facebook
Twitter
Instagram