Anyone know how you can stop and start services as a non-admin? I don't need to work with all of them, just web related ones (i.e. MySql, IIS, Apache etc).
If Windows permissions are as powerful as some say then this should be possible. If not then it should at least be part of Longhorn.
-
sbc
GW R/Me
-
In Active Directory you can assign permissions which will control who can start/stop specific services from a Group Policy object.
On a standalone machine, I'm not sure there is an easy way (or indeed any way) of doing it.
Could you not use runas to access services.msc? -
sbc
GW R/Me
If you can do it via group policy, then there must be a setting you can tweak (as you don't have to install anything extra for Active Directory).
I stop the services via a batch file, not the console (i.e. net stop W3SVC). -
Each service has a security descriptor. However, there's no UI (that I'm aware of) that allows you to edit that descriptor.
You can set it programmatically using SetServiceObjectSecurity. -
Maurits
AKA Matthew van Eerde
Could you alternatively use runas on the batch file?
-
sbc
GW R/Me
Maurits wrote:Could you alternatively use runas on the batch file?
net is part of the command interpreter, so runas doesn't work on it. i.e. you cannot do the following:
runas /user:Administrator net statistics workstation
-
sbc
GW R/Me
Mike Dimmick wrote:Each service has a security descriptor. However, there's no UI (that I'm aware of) that allows you to edit that descriptor.
You can set it programmatically using SetServiceObjectSecurity.
So there is no program that can do this (even if it is third party)? Don't know enough about Win32/COM development to do this. Would it be easy to do via .NET/C#?
-
Sven Groot
I'm Commander Shepard and this is my favourite store on the Citadel.
sbc wrote:
Maurits wrote: Could you alternatively use runas on the batch file?
net is part of the command interpreter, so runas doesn't work on it. i.e. you cannot do the following:
runas /user:Administrator net statistics workstation
No, but you can do this:
runas /u:Administrator "cmd.exe /k net statistics workstation"
Or you can do this:
runas /u:Administrator "myfile.bat"
Where the bat file calls net. -
sbc
GW R/Me
There should still be a way of doing this without runas. You should be able to do some things without being an overall administrator (like adding a computer to a domain as well). You should be able to do any task without being an administrator (assign rights to do certain things to users/groups, not for all users).
-
sbc wrote:There should still be a way of doing this without runas. You should be able to do some things without being an overall administrator (like adding a computer to a domain as well). You should be able to do any task without being an administrator (assign rights to do certain things to users/groups, not for all users).
So whats the use having an administrator account? -
sbc
GW R/Me
Buzza wrote:
sbc wrote:There should still be a way of doing this without runas. You should be able to do some things without being an overall administrator (like adding a computer to a domain as well). You should be able to do any task without being an administrator (assign rights to do certain things to users/groups, not for all users).
So whats the use having an administrator account?
You still have an administrator account when you want total access. But you also want to give users some administrative rights without making them an administrator. i.e. you may want a web developer to stop and start web hosting services (IIS, Apache) and databases (SQL, MySQL, PostgreSQL), but not other things, like installing software or modifying the registry.
-
sbc wrote:
Mike Dimmick wrote: Each service has a security descriptor. However, there's no UI (that I'm aware of) that allows you to edit that descriptor.
You can set it programmatically using SetServiceObjectSecurity.
So there is no program that can do this (even if it is third party)? Don't know enough about Win32/COM development to do this. Would it be easy to do via .NET/C#?
It's not an easy program to use, but there is sc sdset. sc.exe is part of Windows XP and Windows Server 2003; for Windows 2000 it's part of the Resource Kit. -
sbc
GW R/Me
Doesn't look easy to use. Security Descriptors are no exactly intuitive. If only there was a tool to edit them in a nice friendly interface. Active Directory can do this kind of thing can't it? But no workstation only version (i.e. a tool to run on a standalone PC)?
Thread Closed
This thread is kinda stale and has been closed but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.