Enumeration of services in services.msc console issue


  • Enumeration of services in services.msc console issue

    Hi, I was given a task to allow non-admin users to restart the MSSQLSERVER service on a Windows Server 2003 R2 computer which was the old core banking database server, now used only for finding some archives in SQL databases. I have done the following steps:

    1) Granting permission to start/stop/pause the MSSQLSERVER service and the dependent SQLSERVERAGENT service to these users using a GPO created from the old core banking database server on the Domain Controller and linked to an OU containing that server
    2) Creating a custom .msc console with the services snap-in targeting the old core banking database server
    3) Deploying that .msc console to these users' desktops using Group Policy Preferences
    4) Granting authenticated users the right to enumerate services on the server remotely using: SC sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    When I tested this I noticed that when a non-admin user double-clicks the .msc shortcut on their desktop, services on the old core banking database server are listed but these two SQL services are not there (by the way, I noticed that some other system services are not listed, i.e. print spooler). If the user logs on locally on the server and opens the services.msc console, all services are there and the user restarts the MSSQLSERVER service, and thus the SQLSERVERAGENT service, successfully.

    What is going on here? I do not want users to log on to the server using RDP or interactively since all they need is to restart SQL services.

    Thanks in advance!

    PS: I checked the number of listed services using PowerShell, non-admin user lists only 46 and domain admin user lists 109 services. This is weird! ((Get-Service -ComputerName database_server).Count)
    Last edited by boxikg; 13th April 2014, 17:52.

  • #2
    Re: Enumeration of services in services.msc console issue

    I cracked it by granting non-admin users the right to Read the MSSQLSERVER and SQLSERVERAGENT services along with the right to start/stop/pause them. It seems that regardless of giving non-admin users the right to enumerate services on the server remotely, that right applies only to a relatively small number of services. If some services are not visible then I must give users the right to Read these services. Who knows what determines which services are visible or not to a non-admin user (is there any rule for this), since, as I mentioned, non-admin users in my case only see 46 of 109 services remotely from the .msc console.
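
The SDDL strings discussed in this thread, decoded into named rights (an added example, not code from either post). It lists what the SCM descriptor from step 4 grants and which read rights a start/stop/pause-only service ACE lacks. The group SID and both service descriptors are constructed, and treating "Read" as the generic-read set for a service is an assumption.

```python
import re

# SDDL right codes mean different things on the SCM object and on a service object.
SCM = {"CC": "CONNECT", "DC": "CREATE_SERVICE", "LC": "ENUMERATE_SERVICE",
       "SW": "LOCK", "RP": "QUERY_LOCK_STATUS", "WP": "MODIFY_BOOT_CONFIG"}
SVC = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
       "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
       "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL"}
STD = {"RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
       "KA": "ALL_ACCESS", "GA": "ALL_ACCESS"}
# Generic read on a service (assumed meaning of "Read" in the GPO security dialog).
SVC_READ = {"QUERY_CONFIG", "QUERY_STATUS", "ENUMERATE_DEPENDENTS",
            "INTERROGATE", "READ_CONTROL"}

def allowed(sddl, table):
    """Map trustee -> rights granted by allow ACEs in the DACL (deny ACEs and SACL ignored)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":
            continue
        names = {table.get(c, STD.get(c, c)) for c in re.findall("..", rights)}
        grants.setdefault(trustee, set()).update(names)
    return grants

def missing(sddl, table, trustee, needed):
    """Rights from `needed` that no allow ACE gives this trustee (no group resolution)."""
    have = allowed(sddl, table).get(trustee, set())
    return set() if "ALL_ACCESS" in have else set(needed) - have

# SCM descriptor from step 4 of the first post.
SCM_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# Constructed service descriptors; the SID stands for a hypothetical operators group.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1601"
SVC_BEFORE = f"D:(A;;RPWPDT;;;{GROUP})(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
SVC_AFTER = f"D:(A;;CCLCSWRPWPDTLORC;;;{GROUP})(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

if __name__ == "__main__":
    print("SCM, AU:", sorted(allowed(SCM_SDDL, SCM)["AU"]))
    for label, sd in (("before", SVC_BEFORE), ("after", SVC_AFTER)):
        print(label, "missing read rights:", sorted(missing(sd, SVC, GROUP, SVC_READ)))
```

To audit a real service, paste the output of `sc sdshow <service>` in place of the constructed descriptors.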