Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About


October 21, 2016 Windows Server 2012 R2

Granting Remote Access on SCManager to Non-admin Users

Let’s consider the peculiarities of allowing domain users who are not local administrators to enumerate the services running on a remote server. In practice the task comes down to granting them a remote connection to the Service Control Manager (SCManager).

Here is what the problem looks like. Suppose we want a remote user or a monitoring system to be able to query the status of services on some server. For obvious reasons, this remote user has neither administrative rights on the server nor the right to log on to it locally.

When such a user tries to connect to the remote computer from the services.msc console and list its services, the following error appears:

Windows was unable to open service control manager database on computer_name

Error 5: Access is denied.


If you try to get the list of services on a remote server using sc.exe, the error is as follows:

C:\Windows\system32>sc \\lonts-01 query

[SC] OpenSCManager FAILED 5:
Access is denied.


Access to the list of services is controlled by the security descriptor of the Service Control Manager database. Starting with Windows Server 2003 SP1, remote access to it for members of Authenticated Users has been restricted (which is quite reasonable): by default only members of the local Administrators group can connect to the SCM remotely.

Let’s see how to grant remote access to the Service Control Manager on Windows Server 2012 R2 so that ordinary users (without administrative rights) can list the services on a server and query their status.

The current Service Control Manager (SCM) permissions can be displayed with sc.exe from a command prompt run with administrator privileges:

sc sdshow scmanager

The command returns an SDDL string like this one:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


Here you can see that by default the Authenticated Users (AU) group is allowed only to connect to the SCM (CC = SC_MANAGER_CONNECT), but not to enumerate the services (LC = SC_MANAGER_ENUMERATE_SERVICE). Copy this string into any text editor.

The next step is to get the SID of the user or group to which remote access to the SCM should be granted (see How to get a user SID by username). For example, let’s get the SID of the AD group lon-hd:

Get-ADgroup -Identity lon-hd | select SID
SID
---
S-1-5-21-2470146451-39123456388-2999995117-23338978

Copy the block (A;;CCLCRPRC;;;IU) (IU stands for Interactive Users) from the SDDL string in your text editor, replace IU in the copied block with the SID of the user or group, and paste the resulting ACE immediately before S: (the start of the SACL):

In our case the resulting string is:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;S-1-5-21-2470146451-39123456388-2999995117-23338978)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Now apply the new security descriptor to the Service Control Manager. Note that the string must be enclosed in plain ASCII double quotes; the curly quotes that a word processor inserts will make sc.exe reject the command:

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;S-1-5-21-2470146451-39123456388-2999995117-23338978)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"


The message [SC] SetServiceObjectSecurity SUCCESS confirms that the new security descriptor has been applied (it takes effect immediately, no reboot is required), and the user now has the same rights on the SCM as interactively logged-on users: SC_MANAGER_CONNECT (CC), SC_MANAGER_ENUMERATE_SERVICE (LC), SC_MANAGER_QUERY_LOCK_STATUS (RP) and READ_CONTROL (RC, i.e. STANDARD_RIGHTS_READ).

Verify that the remote user can now list the services and their status, either from the services.msc console or with sc \\srv-name1 query:
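The whole procedure above (resolve the SID, read the current descriptor, insert the ACE before S:, apply it, verify) as one PowerShell script. This is an added example and not code from the original article; it assumes a placeholder group CONTOSO\lon-hd, the server name lonts-01 from the article, and a backup file under $env:TEMP. Beyond the manual steps it adds three checks a practitioner wants: the SID is resolved with .NET instead of the AD module, the built SDDL is parsed by RawSecurityDescriptor before sc.exe sees it (a typo is caught here rather than after it has been applied), and an account that already has an ACE is not given a duplicate one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): grant an account the same remote SCM
# rights as the Interactive Users entry, idempotently, with the SDDL validated first.
# Assumed placeholders: CONTOSO\lon-hd (group), lonts-01 (server), $env:TEMP backup path.

function Get-ScmSddl {
    # sc.exe prints the descriptor on its own line between blank lines.
    $out = & sc.exe sdshow scmanager 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow failed: $out" }
    ($out | ForEach-Object { "$_" } | Where-Object { $_ -match '^\s*(O:|G:|D:)' } |
        Select-Object -First 1).Trim()
}

function Test-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor rejects malformed SDDL up front, so a typo is caught here
    # instead of after 'sc sdset' (which would need a registry reset and a reboot).
    try { [void][System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl); $true }
    catch { $false }
}

function Grant-ScmRemoteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,        # 'DOMAIN\group' or 'DOMAIN\user'
        [string]$Rights = 'CCLCRPRC',                  # connect, enumerate, query lock status, read control
        [string]$BackupPath = "$env:TEMP\scmanager-sddl.bak"
    )
    # Resolve the SID without the AD module (works on any domain-joined host).
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value

    $current = Get-ScmSddl
    Set-Content -Path $BackupPath -Value $current      # keep the original for rollback

    # Split the DACL from the SACL: the new ACE must go before 'S:'.
    $i = $current.IndexOf('S:')
    if ($i -ge 0) { $dacl = $current.Substring(0, $i); $sacl = $current.Substring($i) }
    else          { $dacl = $current;                  $sacl = '' }

    # Idempotence: do not add a second ACE for a SID that already has one.
    $existing = [regex]::Matches($dacl, '\([^)]*\)') | ForEach-Object { $_.Value } |
                Where-Object { $_ -like "*;$sid)" }
    if ($existing) {
        Write-Warning "$Account ($sid) already has an SCM ACE: $existing"
        return $current
    }

    $new = "$dacl(A;;$Rights;;;$sid)$sacl"
    if (-not (Test-Sddl $new)) { throw "Refusing to apply malformed SDDL: $new" }

    if ($PSCmdlet.ShouldProcess('scmanager', "sc sdset $new")) {
        $res = & sc.exe sdset scmanager $new 2>&1
        if ($LASTEXITCODE -ne 0 -or "$res" -notmatch 'SUCCESS') { throw "sc sdset failed: $res" }
    }
    Get-ScmSddl
}

function Test-ScmRemoteAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Run this from the non-admin user's own session: it issues the same remote
    # OpenSCManager call that services.msc and 'sc \\server query' make.
    $out = & sc.exe "\\$ComputerName" query 2>&1
    ($LASTEXITCODE -eq 0) -and ("$out" -notmatch 'OpenSCManager FAILED')
}

# Usage (on the server, elevated):  Grant-ScmRemoteAccess -Account 'CONTOSO\lon-hd' -WhatIf
#                                   Grant-ScmRemoteAccess -Account 'CONTOSO\lon-hd'
# Usage (as the delegated user):    Test-ScmRemoteAccess -ComputerName lonts-01
```

Run Grant-ScmRemoteAccess with -WhatIf first to see the exact string that would be passed to sc sdset; the function returns the descriptor as re-read from the SCM, so the output can be compared against the backup file if anything looks wrong.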


Naturally, this grants no rights to manage the services, since access to each individual service is controlled by its own ACL. To grant a user the right to start, stop or restart services on the server, follow the instructions in the article How to Grant Permissions to Manage (Start, Stop or Restart) Windows Services to a User.

Tip. If you assign non-default permissions on the SCManager, they are stored in the registry under HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security. If you made a mistake when preparing the SDDL string, you can delete this key and restart the computer to reset the permissions to the defaults.
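The rollback described in the tip, as an added PowerShell example that is not part of the original article. It assumes that the custom descriptor is stored as the REG_BINARY value named Security under the key named in the tip; the script decodes that binary descriptor back into SDDL so it can be compared with the output of sc sdshow scmanager before the key is deleted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): inspect and roll back a customised
# SCM security descriptor. Assumption: the descriptor is kept as the REG_BINARY value
# 'Security' under the key below; deleting the key and rebooting restores the default.
$ScmSecurityKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security'

function Get-StoredScmSddl {
    # Returns $null when no custom descriptor is stored (built-in default in effect).
    if (-not (Test-Path $ScmSecurityKey)) { return $null }
    $bytes = (Get-ItemProperty -Path $ScmSecurityKey -Name Security -ErrorAction SilentlyContinue).Security
    if (-not $bytes) { return $null }
    # Decode the self-relative binary descriptor into SDDL for comparison with
    # 'sc sdshow scmanager'.
    [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0).GetSddlForm('All')
}

function Reset-ScmSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($null -eq (Get-StoredScmSddl)) {
        Write-Host 'No custom SCM descriptor stored; the defaults are in effect.'
        return
    }
    if ($PSCmdlet.ShouldProcess($ScmSecurityKey, 'Delete custom SCM security descriptor')) {
        Remove-Item -Path $ScmSecurityKey -Recurse
        Write-Warning 'Reboot the server for the default SCM permissions to take effect.'
    }
}

# Usage (elevated):  Get-StoredScmSddl
#                    Reset-ScmSecurity -WhatIf
#                    Reset-ScmSecurity
```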


1 comment

Jay Adams November 4, 2016 - 1:29 pm

If you’d like to grant permissions to manage services without dealing with SDDL strings or changing the registry on every machine, take a look at System Frontier.
You can centrally delegate rights through a web interface and even use wildcards to give access to specific services by name. It’s a paid product, but still free up to 5 nodes.
