Getting Started on GPanswers.com
Manage Services as non-admin user
I'm trying to grant permissions to non-administrative users to manage certain application-related services on a subset of 2008 servers. I've configured a GPO that grants them "Stop, Start, Pause" and "Read" permissions on the services in question. Those permissions are getting applied properly, but when these users open an MMC and connect to the server, they're getting squashed with Access Denied.
I've found articles that discuss editing the DACL on the Service Control Manager to allow them the ability to connect remotely. This works, but what I can't find is a way to bake the new DACL into a GPO.
My questions are:
1. Is it truly necessary to edit the DACL on the SCM in order for non-Administrator users to manage services via remote MMC or remote command-line (sc, etc)?
2. If it is necessary, other than a startup script, how can I mass-deploy the SCM security settings via GPO?
3. If it not necessary, then what could be squashing them? What do I need to look at changing? I've swept through all of the security settings that I can find, and I'm not finding anything that's squashing them.
Any help or advice you can offer would be greatly appreciated!
Thanks in advance!
Getting Started on GPanswers.com
I thought a little clarification might be needed. When I said "edit the DACLs on the Service Control Manager to allow them the ability to connect remotely," what I meant was editing the SDDL string on the SCM to allow the users to ENUMERATE services remotely. See this article for more info:
Knowledge Base - How to allow users to enumerate service remotely
Anybody know how to do this (what's described in the above article) via GPO?
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote