A domain user asked for permissions to view services on a database server. A remote desktop wasn’t necessary. I decided to create a services.msc snapin to the server. I received an “Access Denied” error.

Error 5: Access is denied.
I tried WMI with a vbscript:

Permission denied: ‘GetObject’
I gave everyone (iedereen in Dutch) remote permissions in dcomcnfg:

This changed the error:

0x80041003
This is a WMI access denied error. I also gave Authenticated Users (Geverifieerde gebruikers in Dutch) Remote Enable permissions in wmimgmt.msc:

I still received the same error. This time however I found an Audit Failure event in Event Viewer:

Event ID: 4656 in Microsoft Windows security auditing. Audit Failure on SC_MANAGER OBJECT (SC Manager)
After some googling I found the command to view and set permissions on the Service Control Manager (scmanager from now on):
sc sdshow scmanager

You can find more information on this SDDL syntax with your friend google (or maybe your new friend BING). I found out that Authenticated Users (AU) need LC (List Contents) permissions. In the SDDL string the AU part becomes:
(A;;CCLC;;;AU)
So the final solution becomes:
sc sdset scmanager D:(A;;CCLC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

SUCCESS indeed:

I cleaned up the wmi and dcom permissions, since I don’t need them.
Note: the user only sees the services he’s authorized to see. With the same command you can authorize a user to see additional services. Replace scmanager with the service name. Example:
sc sdset spool D:
If you actually run this command, no one has permissions anymore. I did this by accident. Fortunately you can fix this by running the right sc sdset command as SYSTEM. The RunAsSys tool from my colleague can help you with that. You can download it here
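The full string passed to sc sdset above replaces every ACE on the server, and a bare D: locks everyone out. The following added example (not part of the original post) edits only the AU ACE in a string as printed by sc sdshow scmanager and refuses to build on an empty DACL. The helper names and the sample input are assumptions made for this example.

```python
import re

# SDDL right codes as they map onto the Service Control Manager object.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "KA": "SC_MANAGER_ALL_ACCESS",
}

def split_sddl(sddl):
    """Return (dacl_flags, dacl_aces, sacl_text); the SACL part is never modified."""
    m = re.match(r"^D:([A-Z]*)((?:\([^()]*\))*)(S:.*)?$", sddl.strip())
    if not m:
        raise ValueError("unexpected SDDL layout (O:/G: prefixes are not handled)")
    aces = [a.split(";") for a in re.findall(r"\(([^()]*)\)", m.group(2))]
    return m.group(1), aces, m.group(3) or ""

def rights_of(ace):
    """Split the rights field into two-letter codes: 'CCLC' -> ['CC', 'LC']."""
    field = ace[2]
    if not field.isalpha() or len(field) % 2:
        raise ValueError("numeric or malformed rights field: %r" % field)
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def grant(sddl, sid, right):
    """Add one right to the allow ACE of sid; all other ACEs stay as they were."""
    flags, aces, sacl = split_sddl(sddl)
    if not aces:  # "D:" alone is the lock-out case described in the post
        raise ValueError("empty DACL, refusing to build on it")
    for ace in aces:
        if ace[0] == "A" and ace[5] == sid:
            if right not in rights_of(ace):
                ace[2] += right
            break
    else:  # no allow ACE for this trustee yet
        aces.append(["A", "", right, "", "", sid])
    return "D:" + flags + "".join("(%s)" % ";".join(a) for a in aces) + sacl

def describe(sddl):
    """Map each allowed trustee to the SCM rights its ACE grants."""
    return {a[5]: [SCM_RIGHTS.get(c, c) for c in rights_of(a)]
            for a in split_sddl(sddl)[1] if a[0] == "A"}

# Constructed input: the post's final string with LC removed from the AU ACE.
BEFORE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
          "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
if __name__ == "__main__":
    print("sc sdset scmanager " + grant(BEFORE, "AU", "LC"))
```

Paste the server's own sc sdshow scmanager output in place of BEFORE, and keep a copy of it so the original string can be restored with sc sdset.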

