Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-02-26) Delegating Monitoring/Stopping/Starting Services On Servers

Posted by Jorge on 2008-02-26


Delegating permissions to manage services on servers is not the easiest thing to do. You can do it from the command line or through a GPO in the "System Services" node. Either way you MUST take the current configured permissions into account, otherwise you might/will experience issues!

I do not like to use a GPO to do this and prefer to use command line tools in scripts. I’m not going to post a script, but I’m going to provide the information for the delegation of the permissions required and how to achieve that. For the scripting part, what you need to do is retrieve the current SDDL, add what you want to add and write the complete new SDDL back.

Monitoring of Services on Servers (W2K3/W2K8)

  • ACE on SCM object for "<AD group>" –> **ADD** SDDL part "(A;;CCLCRPRC;;;<AD group>)" to existing SDDL
  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;GR;;;<AD group>)" to existing SDDL

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>
REMARK: Also see http://support.microsoft.com/?kbid=914392

Monitoring of Services on Servers (W2K)

  • All users, local and remote, are allowed to monitor all services on W2K

Stopping/starting of Services on Servers (W2K3)

  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;RPWP;;;<AD group>)" to existing SDDL

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>
REMARK: Also see http://support.microsoft.com/?kbid=914392

Stopping/starting of Services on Servers (W2K)

  • ACE on SCM object for "<AD group>" –> SUBINACL /service "\\<SERVER>\<SERVICE>" /grant="<DOMAIN>\<AD GROUP>"=TO

REMARK: T = right to start a service & O = right to stop a service
REMARK: Always use the latest version of SUBINACL!
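
The retrieve/add/write-back procedure described above for SC SDSHOW and SC SDSET, as an added PowerShell example that is not the author's script. The function names, the `CONTOSO\...` groups, the `Spooler` service and the sample SDDL are constructed placeholders; the new ACE is inserted at the end of the DACL rather than at the end of the string, because everything after `S:` belongs to the SACL.

```powershell
# Added example, not the author's script. Names and sample values are illustrative.
function Add-AceToDacl {
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string]$Ace)
    if ($Sddl.Contains($Ace)) { return $Sddl }     # idempotent: ACE already present
    # Group 1 = everything up to the last DACL ACE, group 2 = optional SACL ("S:...").
    $pattern = '^(.*?D:(?:(?!S:)[^()])*(?:\([^)]*\))*)(S:.*)?$'
    if (-not ($Sddl -cmatch $pattern)) { throw "Cannot locate the DACL in: $Sddl" }
    return $Matches[1] + $Ace + $Matches[2]        # new ACE goes last in the DACL
}

function Grant-ServiceAce {
    param([Parameter(Mandatory)][string]$Target,   # service short name or SCMANAGER
          [Parameter(Mandatory)][string]$Rights,   # CCLCRPRC, GR or RPWP from the post
          [Parameter(Mandatory)][string]$Group,    # DOMAIN\group
          [switch]$Apply)                          # without -Apply: dry run only
    # SDDL trustees are SID strings or two-letter aliases, so resolve the group to its SID.
    $sid = ([System.Security.Principal.NTAccount]$Group).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # Use sc.exe explicitly: in Windows PowerShell "sc" is an alias for Set-Content.
    $out = & sc.exe sdshow $Target
    if ($LASTEXITCODE -ne 0) { throw "sdshow failed for ${Target}: $out" }
    $current = ($out | Where-Object { $_ -match '\S' } | Select-Object -First 1).Trim()
    $new = Add-AceToDacl -Sddl $current -Ace "(A;;$Rights;;;$sid)"
    Write-Host "Current SDDL (keep for rollback): $current"
    Write-Host "New SDDL:                         $new"
    if ($Apply -and $new -ne $current) {
        & sc.exe sdset $Target $new
        if ($LASTEXITCODE -ne 0) { throw "sdset failed for $Target" }
    }
}

# Constructed SDDL (not from a real server): the ACE must land before "S:".
Add-AceToDacl -Sddl 'D:(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)' `
              -Ace '(A;;RPWP;;;S-1-5-21-1111-2222-3333-1104)'

# Dry runs for the delegations in the post (placeholder group and service names):
# Grant-ServiceAce -Target SCMANAGER -Rights CCLCRPRC -Group 'CONTOSO\SvcMonitors'
# Grant-ServiceAce -Target Spooler   -Rights GR       -Group 'CONTOSO\SvcMonitors'
# Grant-ServiceAce -Target Spooler   -Rights RPWP     -Group 'CONTOSO\SvcOperators'
```

Run it from an elevated session and keep the printed current SDDL, since SC SDSET replaces the whole descriptor.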

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————

One Response to “(2008-02-26) Delegating Monitoring/Stopping/Starting Services On Servers”

  1. I have been looking at these things a year ago and at that time I also wanted to delegate the right to read the Eventlogs.
    Here's how you can do that:

    5. Event Viewer
    This shows how you can delegate the rights to the Eventlogs.
    5.1 Windows 2000
    By default domain users have the right to read the Application and System-Log on a Windows 2000 Server. This works by default.

    5.2 Windows Server 2003
    By default this is the security for the Application event log:
    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
    Entry Meaning
    O:BA Object owner is Built-in Admin (BA).
    G:SY Primary group is System (SY).
    D: This is a DACL, rather than an audit entry or SACL.
    (D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
    (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
    (A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
    (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
    (A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
    (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
    (A;;0x3;;;SU) Allow Service accounts READ and WRITE.

    By default this is the security for the System event log:
    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)
    Entry Meaning
    O:BA Object owner is Built-in Admin (BA).
    G:SY Primary group is System (SY).
    D: This is a DACL, rather than an audit entry or SACL.
    (D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
    (D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
    (A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
    (A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
    (A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
    (A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
    (A;;0x2;;;LS) Allow Local Service WRITE.
    (A;;0x2;;;NS) Allow Network Service WRITE.

    To give the group rights to read the Application and System event log you have to modify the security of each log. This is configured locally through the values in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
    For example the Application log Security Descriptor is configured through the following registry value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
    And the System log Security Descriptor is configured through the following:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD
    Reference:
    How to set event log security locally or by using Group Policy in Windows Server 2003 http://support.microsoft.com/default.aspx?scid=kb;en-us;323076

    So, for example to give your group read permissions add the following to the CustomSD value (A;;0x1;;; [Your Group Name] ) at the end of the current string.

    Regards
    Robin G
