Allow another user on the network to start/stop a service on the server - long post

[silvere]

I am trying to allow another user on the network to start/stop a
service on the server. The server is windows 2000 adv server and the
workstations are xp pro. I have done a lot of research on this, but
still need some direction.

A utility named svcacls.exe is apparently what I need and it was
suppose to come with the resource kit, but they took it out at the
last second. http://support.microsoft.com/default.aspx?scid=kb;en-us;269875
They say that it was taken out because the tool subinacl.exe performs
the same functions.

I've downloaded subinacl from microsoft's resource web page. I found
these three web pages that attempt to explain the process.

http://www.jsiinc.com/subf/tip2900/rh2928.htm - set permissions in
active directory
http://www.jsiinc.com/subh/tip3800/rh3896.htm - use subinacl to grant
rights. http://www.jsiinc.com/subh/tip3800/rh3897.htm I believe this
article doesn't apply to what I want.

I successfully set the permissions as mentioned in the first article.
I used subinacl has described in the second article and I entered:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant puck\PDMWorks=F

I get an error: Warning : Error parsing line +service\\pdmworks
server/grant

The name of the server is: apgserver
The service is: PDMWorks Server
The domain is: puck
The user name I want to give access to is PDMWorks

I've tried different variations such as:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=puck\PDMWorks=F
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=[puck\]PDMWorks[=F]

I get error messages with these too that are like the error message,
but slightly different. I believe the first one I entered it just
like the example in the second article. But, I don't understand in
the example why they omitted the [] around domain name and around =A.
They also omitted the = sign between grant and domain name.

No one is on a domain because all but 5 of the machines here are xp
home and they can't join a domain. Do you have to be a member of a
domain for this to work? I can make this user join the puck domain if
I need to. Can someone please shed some light on this for me?

Thanks
Andy

 

[SaltPeter]

I am trying to allow another user on the network to start/stop a
service on the server. The server is windows 2000 adv server and the
workstations are xp pro. I have done a lot of research on this, but
still need some direction.

Correction: you are trying to allow a user that isn't participating in the
domain to start/stop a service. You might consider giving a Guest account
the right to do this but that's russian roulette. Its not a question of
whether you'll be hacked, but WHEN.

A utility named svcacls.exe is apparently what I need and it was
suppose to come with the resource kit, but they took it out at the
last second. http://support.microsoft.com/default.aspx?scid=kb;en-us;269875
They say that it was taken out because the tool subinacl.exe performs
the same functions.

An administrator can't delegate to an object that doesn't exist. No matter
how much you modify the Access Control List, you won't give a user the right
to start/stop a service if the user doesn't exist.

I've downloaded subinacl from microsoft's resource web page. I found
these three web pages that attempt to explain the process.

http://www.jsiinc.com/subf/tip2900/rh2928.htm - set permissions in
active directory
http://www.jsiinc.com/subh/tip3800/rh3896.htm - use subinacl to grant
rights. http://www.jsiinc.com/subh/tip3800/rh3897.htm I believe this
article doesn't apply to what I want.

I successfully set the permissions as mentioned in the first article.
I used subinacl has described in the second article and I entered:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant puck\PDMWorks=F

I get an error: Warning : Error parsing line +service\\pdmworks
server/grant

The name of the server is: apgserver
The service is: PDMWorks Server
The domain is: puck
The user name I want to give access to is PDMWorks

I've tried different variations such as:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=puck\PDMWorks=F
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=[puck\]PDMWorks[=F]

I get error messages with these too that are like the error message,
but slightly different. I believe the first one I entered it just
like the example in the second article. But, I don't understand in
the example why they omitted the [] around domain name and around =A.
They also omitted the = sign between grant and domain name.

No one is on a domain because all but 5 of the machines here are xp
home and they can't join a domain. Do you have to be a member of a
domain for this to work? I can make this user join the puck domain if
I need to. Can someone please shed some light on this for me?

Unfortunately, in order to join any NT based domain, 2 conditions must be
asserted. One: a valid user account must be provided. Two: a valid computer
account must exist in the domain. W2K Home can't support the later.

 

[Andy]

finally someone that knows what they're talking about!!! this certain
computer that I'm trying to allow to start/stop the service is xp pro and
it's the only one that needs to. I set the user (PDMWorks) up to connect to
the domain. can you tell me where to go from here?


thanks
Andy

I am trying to allow another user on the network to start/stop a
service on the server. The server is windows 2000 adv server and the
workstations are xp pro. I have done a lot of research on this, but
still need some direction.

Correction: you are trying to allow a user that isn't participating in the
domain to start/stop a service. You might consider giving a Guest account
the right to do this but that's russian roulette. Its not a question of
whether you'll be hacked, but WHEN.

A utility named svcacls.exe is apparently what I need and it was
suppose to come with the resource kit, but they took it out at the
last second. http://support.microsoft.com/default.aspx?scid=kb;en-us;269875
They say that it was taken out because the tool subinacl.exe performs
the same functions.

An administrator can't delegate to an object that doesn't exist. No matter
how much you modify the Access Control List, you won't give a user the right
to start/stop a service if the user doesn't exist.

I've downloaded subinacl from microsoft's resource web page. I found
these three web pages that attempt to explain the process.

http://www.jsiinc.com/subf/tip2900/rh2928.htm - set permissions in
active directory
http://www.jsiinc.com/subh/tip3800/rh3896.htm - use subinacl to grant
rights. http://www.jsiinc.com/subh/tip3800/rh3897.htm I believe this
article doesn't apply to what I want.

I successfully set the permissions as mentioned in the first article.
I used subinacl has described in the second article and I entered:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant puck\PDMWorks=F

I get an error: Warning : Error parsing line +service\\pdmworks
server/grant

The name of the server is: apgserver
The service is: PDMWorks Server
The domain is: puck
The user name I want to give access to is PDMWorks

I've tried different variations such as:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=puck\PDMWorks=F
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=[puck\]PDMWorks[=F]

I get error messages with these too that are like the error message,
but slightly different. I believe the first one I entered it just
like the example in the second article. But, I don't understand in
the example why they omitted the [] around domain name and around =A.
They also omitted the = sign between grant and domain name.

No one is on a domain because all but 5 of the machines here are xp
home and they can't join a domain. Do you have to be a member of a
domain for this to work? I can make this user join the puck domain if
I need to. Can someone please shed some light on this for me?

Unfortunately, in order to join any NT based domain, 2 conditions must be
asserted. One: a valid user account must be provided. Two: a valid computer
account must exist in the domain. W2K Home can't support the later.

Thanks
Andy

 

[Andy]

any suggestions?

finally someone that knows what they're talking about!!! this certain
computer that I'm trying to allow to start/stop the service is xp pro and
it's the only one that needs to. I set the user (PDMWorks) up to connect to
the domain. can you tell me where to go from here?


thanks
Andy

I am trying to allow another user on the network to start/stop a
service on the server. The server is windows 2000 adv server and the
workstations are xp pro. I have done a lot of research on this, but
still need some direction.

Correction: you are trying to allow a user that isn't participating in the
domain to start/stop a service. You might consider giving a Guest account
the right to do this but that's russian roulette. Its not a question of
whether you'll be hacked, but WHEN.

A utility named svcacls.exe is apparently what I need and it was
suppose to come with the resource kit, but they took it out at the
last second. http://support.microsoft.com/default.aspx?scid=kb;en-us;269875
They say that it was taken out because the tool subinacl.exe performs
the same functions.

An administrator can't delegate to an object that doesn't exist. No matter
how much you modify the Access Control List, you won't give a user the right
to start/stop a service if the user doesn't exist.

I've downloaded subinacl from microsoft's resource web page. I found
these three web pages that attempt to explain the process.

http://www.jsiinc.com/subf/tip2900/rh2928.htm - set permissions in
active directory
http://www.jsiinc.com/subh/tip3800/rh3896.htm - use subinacl to grant
rights. http://www.jsiinc.com/subh/tip3800/rh3897.htm I believe this
article doesn't apply to what I want.

I successfully set the permissions as mentioned in the first article.
I used subinacl has described in the second article and I entered:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant puck\PDMWorks=F

I get an error: Warning : Error parsing line +service\\pdmworks
server/grant

The name of the server is: apgserver
The service is: PDMWorks Server
The domain is: puck
The user name I want to give access to is PDMWorks

I've tried different variations such as:
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=puck\PDMWorks=F
SUBINACL/SERVICE\\apgserver\PDMWorks Server/Grant=[puck\]PDMWorks[=F]

I get error messages with these too that are like the error message,
but slightly different. I believe the first one I entered it just
like the example in the second article. But, I don't understand in
the example why they omitted the [] around domain name and around =A.
They also omitted the = sign between grant and domain name.

No one is on a domain because all but 5 of the machines here are xp
home and they can't join a domain. Do you have to be a member of a
domain for this to work? I can make this user join the puck domain if
I need to. Can someone please shed some light on this for me?

Unfortunately, in order to join any NT based domain, 2 conditions must be
asserted. One: a valid user account must be provided. Two: a valid computer
account must exist in the domain. W2K Home can't support the later.

Thanks
Andy