Trying to configure group policies on a stand alone server.

ttysnoop · May 14, 2007

I'm trying to run a service as a user account on a stand-alone Win2k
server. When I try to run the service using 'net start srvname' i get:

"System error 5 has occurred.

Access is denied."

I quick google lead me to this KB article that i'm 90% sure is my
current problem: http://support.microsoft.com/?kbid=256299

It's resolution involves using 'Active Directory Users and Computers'
to reconfigure the permissions for the user and/or its group. When I
try to run dsa.msc I get an error message, 'To manage users and groups
on this computer, use local users and groups. To manage users, groups
and computers in a domain, log on as a user with Domain Administration
rights.'

'Local Users and Groups' doesn't seem to have any advanced permissions
tabs or ability to do much except add/remove users and change their
groups.

So my question is how do i edit group/user policies and add 'service
read' privileges to a user/group on a server without a domain
controller?

Thanks for any info, It's probably a simple answer involving a non-
default tool but I couldn't find anything on google.
-Zim

Ace Fekay [MVP] · May 14, 2007

In

I'm trying to run a service as a user account on a stand-alone Win2k
server. When I try to run the service using 'net start srvname' i get:

"System error 5 has occurred.

Access is denied."

I quick google lead me to this KB article that i'm 90% sure is my
current problem: http://support.microsoft.com/?kbid=256299

It's resolution involves using 'Active Directory Users and Computers'
to reconfigure the permissions for the user and/or its group. When I
try to run dsa.msc I get an error message, 'To manage users and groups
on this computer, use local users and groups. To manage users, groups
and computers in a domain, log on as a user with Domain Administration
rights.'

'Local Users and Groups' doesn't seem to have any advanced permissions
tabs or ability to do much except add/remove users and change their
groups.

So my question is how do i edit group/user policies and add 'service
read' privileges to a user/group on a server without a domain
controller?

Thanks for any info, It's probably a simple answer involving a non-
default tool but I couldn't find anything on google.
-Zim

It really doesn't work that way with stand alone machines. However you can
get into the machine's local GP by typing 'gpedit.msc' and apply local
policy settings to local users only on a stand alone machine. The local
security policy can be accessed by going to Start, Administrative Tools,
Local Security Policy.

What type of settings were you looking for or expecting in a local user
properties compared to a domain user properties?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
o easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain

ttysnoop · May 14, 2007

(e-mail address removed) <[email protected]> typed:

It really doesn't work that way with stand alone machines. However you can
get into the machine's local GP by typing 'gpedit.msc' and apply local
policy settings to local users only on a stand alone machine. The local
security policy can be accessed by going to Start, Administrative Tools,
Local Security Policy.

What type of settings were you looking for or expecting in a local user
properties compared to a domain user properties?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
o easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet Newshttp://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain

According to http://support.microsoft.com/?kbid=256299, "When you add
a user through Group Policy Editor in the System Service Security
Policy, the default permissions are start, stop, and pause.", the
problem I'm having is caused by, "This behavior occurs because you
need the following permissions to open the properties of a service,
and to stop, start, or pause a service: Read, Stop, Start, and Pause."

So If I'm understanding it right I need to give the user or the user's
group the read service permission for it to be able to start/stop a
service. The KB article only tells of one way to do this through
'Active Directory Users and Computers.'

So what I'm looking for is how to give a user or a group the read
service permission without using 'Active Directory Users and
Computers'.

Ace Fekay [MVP] · May 14, 2007

In

According to http://support.microsoft.com/?kbid=256299, "When you add
a user through Group Policy Editor in the System Service Security
Policy, the default permissions are start, stop, and pause.", the
problem I'm having is caused by, "This behavior occurs because you
need the following permissions to open the properties of a service,
and to stop, start, or pause a service: Read, Stop, Start, and Pause."

So If I'm understanding it right I need to give the user or the user's
group the read service permission for it to be able to start/stop a
service. The KB article only tells of one way to do this through
'Active Directory Users and Computers.'

So what I'm looking for is how to give a user or a group the read
service permission without using 'Active Directory Users and
Computers'.

It's probably easier to just add them to the local Power Users group.

Or

As the article mentions in a GPO. But for a stand alone, you can still go
thru the steps to create the settings in the local GP on a stand alone. The
settings are the same. In article
http://support.microsoft.com/kb/256345/EN-US/, follow steps 7 and onward.

7. Click Computer Configuration, click Windows Settings, click
Security Settings, and then click System Services.
8. Double-click the service on which you want to apply permissions.
The security policy setting for that specific service is displayed.
9. Click to select the Define this Policy Setting check box. This
action automatically creates security permissions with Everyone having Full
Control.
10. Click Remove to remove the Everyone group.
11. Click Add to add the System account and any other user accounts to
which you want to grant access.
12. Set the permission for the System account at Full Control, as well
as the appropriate permissions for user accounts or groups. By default, only
the start, stop, and pause permissions are granted to all new users.
13. After you finish adding the appropriate users and groups with the
appropriate permissions to the service, click OK.
14. The service startup mode is set to disabled by default. Change
this setting to the correct startup mode (usually automatic).
15. Click OK, close the policy, and then click OK.

Ace

ttysnoop · May 14, 2007

(e-mail address removed) <[email protected]> typed:

It's probably easier to just add them to the local Power Users group.

Or

As the article mentions in a GPO. But for a stand alone, you can still go
thru the steps to create the settings in the local GP on a stand alone. The
settings are the same. In articlehttp://support.microsoft.com/kb/256345/EN-US/, follow steps 7 and onward.

7. Click Computer Configuration, click Windows Settings, click
Security Settings, and then click System Services.
8. Double-click the service on which you want to apply permissions.
The security policy setting for that specific service is displayed.
9. Click to select the Define this Policy Setting check box. This
action automatically creates security permissions with Everyone having Full
Control.
10. Click Remove to remove the Everyone group.
11. Click Add to add the System account and any other user accounts to
which you want to grant access.
12. Set the permission for the System account at Full Control, as well
as the appropriate permissions for user accounts or groups. By default, only
the start, stop, and pause permissions are granted to all new users.
13. After you finish adding the appropriate users and groups with the
appropriate permissions to the service, click OK.
14. The service startup mode is set to disabled by default. Change
this setting to the correct startup mode (usually automatic).
15. Click OK, close the policy, and then click OK.

Ace

Thanks for the help. I tried starting the service with the user in the
power user group and got the same system error 5, access denied. Then
tried your other way only to find the 'System Services' branch missing
from my 'Security Settings' branch. It has; 'Account Policies', 'Local
Policies', 'Public Key Policies', 'Software Restrictions', and 'IP
Security Policies'. Is there any other way to change it that you know
of?

Also, I just double checked and the server is actually running Windows
Server 2003 SP2. It must have been upgraded the last go around and I
forgot or simply wasn't told. Too many servers to keep track of. I
doubt it matters that much but the more info the better.

Thanks.

Ace Fekay [MVP] · May 14, 2007

In

Thanks for the help. I tried starting the service with the user in the
power user group and got the same system error 5, access denied. Then
tried your other way only to find the 'System Services' branch missing
from my 'Security Settings' branch. It has; 'Account Policies', 'Local
Policies', 'Public Key Policies', 'Software Restrictions', and 'IP
Security Policies'. Is there any other way to change it that you know
of?

Also, I just double checked and the server is actually running Windows
Server 2003 SP2. It must have been upgraded the last go around and I
forgot or simply wasn't told. Too many servers to keep track of. I
doubt it matters that much but the more info the better.

Thanks.

SP2 does do some changes, but I don't believe it has anything to do with
this. I would suggest to keep all your servers to at least the 'download and
notify to install' setting for WIndows updates. We do not allow any updates
to auto install and restart a machine for NONE of our clients.

I assume if you add them to the admin group they can?

Also, go into the reg and look at the service properties to see if there is
a permissions subkey.

Ace

ttysnoop · May 14, 2007

(e-mail address removed) <[email protected]> typed:

SP2 does do some changes, but I don't believe it has anything to do with
this. I would suggest to keep all your servers to at least the 'download and
notify to install' setting for WIndows updates. We do not allow any updates
to auto install and restart a machine for NONE of our clients.

I assume if you add them to the admin group they can?

Also, go into the reg and look at the service properties to see if there is
a permissions subkey.

Ace

There are other admins that update software, nothing is automatic. But
this was a problem before SP2. I was laying it on the table.

Yes if I add the user to the admin group it runs.

There is a security key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,...

But nothing with permissions. Here is the full reg entry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):44,00,3a,00,5c,00,...
"DisplayName"="FireDaemon Service: <NameAdmitted>"
"ObjectName"="LocalSystem"
"Group"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Parameters]
"ServiceExe"="<admitted>"
"ServiceWorkingDir"="<admitted>"
"ServiceParams"=""
"ServiceDelay"=dword:00000bb8
"DisplayName"="<admitted>"
"DisplayNamePrefixDefined"=dword:00000000
"DisplayNamePrefix"="FireDaemon Service: "
"Description"=""
"ConsoleApp"=dword:00000000
"InteractWithDesktop"=dword:00000000
"PreLaunchDelay"=dword:00000000
"ShowWindow"=dword:00000000
"JobType"=dword:00000000
"IgnoreFlags"=dword:00000003
"SMFEnabled"=dword:00000001
"SMFFrequency"=dword:00001388
"UponExit"=dword:00000001
"ShutdownDelay"=dword:00001388
"UponFlap"=dword:00000000
"FlapCount"=dword:00000000
"AffinityMask"=dword:00000000
"Priority"=dword:00000004
"AppendLogs"=dword:00000001
"EventLogging"=dword:00000001
"RedirStdout"=""
"RedirStderr"=""
"RedirStderrToStdout"=dword:00000000
"Dependencies"=hex(7):
"Environment"=hex(7):
"DebugEnabled"=dword:00000000
"DebugLogFile"=""
"StartTime"=dword:00000000
"EndTime"=dword:00000000
"StartDate"=dword:00000000
"EndDate"=dword:00000000
"RunDays"=dword:0000007f
"MonthFrom"=dword:00000000
"MonthTo"=dword:00000000
"MonthDay"=dword:00000000
"RestartFreq"=dword:00000000
"RestartDelay"=dword:00000000
"Control"=dword:00000000
"ProcessState"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Parameters\Responses]
"Enabled"=dword:00000000
"CloseAll"=dword:00000000
"CheckFrequency"=dword:00001388
"IgnoreUnknowns"=dword:00000001
"LogFile"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>\Enum]
"0"="Root\\LEGACY_<admitted>\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Ace Fekay [MVP] · May 14, 2007

In

There are other admins that update software, nothing is automatic. But
this was a problem before SP2. I was laying it on the table.

Yes if I add the user to the admin group it runs.

There is a security key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,...

But nothing with permissions. Here is the full reg entry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):44,00,3a,00,5c,00,...
"DisplayName"="FireDaemon Service: <NameAdmitted>"
"ObjectName"="LocalSystem"
"Group"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Parameters]
"ServiceExe"="<admitted>"
"ServiceWorkingDir"="<admitted>"
"ServiceParams"=""
"ServiceDelay"=dword:00000bb8
"DisplayName"="<admitted>"
"DisplayNamePrefixDefined"=dword:00000000
"DisplayNamePrefix"="FireDaemon Service: "
"Description"=""
"ConsoleApp"=dword:00000000
"InteractWithDesktop"=dword:00000000
"PreLaunchDelay"=dword:00000000
"ShowWindow"=dword:00000000
"JobType"=dword:00000000
"IgnoreFlags"=dword:00000003
"SMFEnabled"=dword:00000001
"SMFFrequency"=dword:00001388
"UponExit"=dword:00000001
"ShutdownDelay"=dword:00001388
"UponFlap"=dword:00000000
"FlapCount"=dword:00000000
"AffinityMask"=dword:00000000
"Priority"=dword:00000004
"AppendLogs"=dword:00000001
"EventLogging"=dword:00000001
"RedirStdout"=""
"RedirStderr"=""
"RedirStderrToStdout"=dword:00000000
"Dependencies"=hex(7):
"Environment"=hex(7):
"DebugEnabled"=dword:00000000
"DebugLogFile"=""
"StartTime"=dword:00000000
"EndTime"=dword:00000000
"StartDate"=dword:00000000
"EndDate"=dword:00000000
"RunDays"=dword:0000007f
"MonthFrom"=dword:00000000
"MonthTo"=dword:00000000
"MonthDay"=dword:00000000
"RestartFreq"=dword:00000000
"RestartDelay"=dword:00000000
"Control"=dword:00000000
"ProcessState"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Parameters\Responses]
"Enabled"=dword:00000000
"CloseAll"=dword:00000000
"CheckFrequency"=dword:00001388
"IgnoreUnknowns"=dword:00000001
"LogFile"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>\Enum]
"0"="Root\\LEGACY_<admitted>\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

When in the registry, and you highlight a service name, go to Edit, then
choose Permissions. Add the user in the ACL. I've never granulated it like
this, but I would imagine to also make sure the user is part of the Power
User group, if not, you may have to add the user to various Security
settings in the local security policy as well as give the user FC or at
least Modify to the C: drive because they must be able to access the file to
run it and to make necessary changes to operating system areas.

Ace

ttysnoop · May 14, 2007

(e-mail address removed) <[email protected]> typed:

There are other admins that update software, nothing is automatic. But
this was a problem before SP2. I was laying it on the table.

Click to expand...

Yes if I add the user to the admin group it runs.

Click to expand...

There is a security key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,...

Click to expand...

But nothing with permissions. Here is the full reg entry.

Click to expand...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):44,00,3a,00,5c,00,...
"DisplayName"="FireDaemon Service: <NameAdmitted>"
"ObjectName"="LocalSystem"
"Group"=""

Click to expand...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NameAdmitted>
\Parameters]
"ServiceExe"="<admitted>"
"ServiceWorkingDir"="<admitted>"
"ServiceParams"=""
"ServiceDelay"=dword:00000bb8
"DisplayName"="<admitted>"
"DisplayNamePrefixDefined"=dword:00000000
"DisplayNamePrefix"="FireDaemon Service: "
"Description"=""
"ConsoleApp"=dword:00000000
"InteractWithDesktop"=dword:00000000
"PreLaunchDelay"=dword:00000000
"ShowWindow"=dword:00000000
"JobType"=dword:00000000
"IgnoreFlags"=dword:00000003
"SMFEnabled"=dword:00000001
"SMFFrequency"=dword:00001388
"UponExit"=dword:00000001
"ShutdownDelay"=dword:00001388
"UponFlap"=dword:00000000
"FlapCount"=dword:00000000
"AffinityMask"=dword:00000000
"Priority"=dword:00000004
"AppendLogs"=dword:00000001
"EventLogging"=dword:00000001
"RedirStdout"=""
"RedirStderr"=""
"RedirStderrToStdout"=dword:00000000
"Dependencies"=hex(7):
"Environment"=hex(7):
"DebugEnabled"=dword:00000000
"DebugLogFile"=""
"StartTime"=dword:00000000
"EndTime"=dword:00000000
"StartDate"=dword:00000000
"EndDate"=dword:00000000
"RunDays"=dword:0000007f
"MonthFrom"=dword:00000000
"MonthTo"=dword:00000000
"MonthDay"=dword:00000000
"RestartFreq"=dword:00000000
"RestartDelay"=dword:00000000
"Control"=dword:00000000
"ProcessState"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Parameters\Responses]
"Enabled"=dword:00000000
"CloseAll"=dword:00000000
"CheckFrequency"=dword:00001388
"IgnoreUnknowns"=dword:00000001
"LogFile"=""

Click to expand...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>
\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,...

Click to expand...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<admitted>\Enum]
"0"="Root\\LEGACY_<admitted>\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Click to expand...

When in the registry, and you highlight a service name, go to Edit, then
choose Permissions. Add the user in the ACL. I've never granulated it like
this, but I would imagine to also make sure the user is part of the Power
User group, if not, you may have to add the user to various Security
settings in the local security policy as well as give the user FC or at
least Modify to the C: drive because they must be able to access the file to
run it and to make necessary changes to operating system areas.

Ace

I gave the user full control over the reg keys for the service and
still still got the access denied error. Being a power user didn't
help either.

The whole point of wanting to run the service as another user is to
keep its power level down. The program will be running untrusted dlls
which could be used maliciously. If it was running as a normal user
then it would go a long way in securing things.

Right now the user group has read access to most of the windows and
system32 folders. More then enough to run the program as the user
account. I can manual right click on it and 'run as' the program with
user account in question. The problem is something specific to a user
run service.

I'm more worried now about where my 'System Services' branch off
Computer Configuration->Windows Settings->Security Settings is. That
sounds like what I need.

Thanks again.

Ace Fekay [MVP] · May 15, 2007

In

I gave the user full control over the reg keys for the service and
still still got the access denied error. Being a power user didn't
help either.

The whole point of wanting to run the service as another user is to
keep its power level down. The program will be running untrusted dlls
which could be used maliciously. If it was running as a normal user
then it would go a long way in securing things.

Right now the user group has read access to most of the windows and
system32 folders. More then enough to run the program as the user
account. I can manual right click on it and 'run as' the program with
user account in question. The problem is something specific to a user
run service.

I'm more worried now about where my 'System Services' branch off
Computer Configuration->Windows Settings->Security Settings is. That
sounds like what I need.

Thanks again.

Power Users should be able to run services. If not, check in the local sec
policy to see 'to allow services to run' (or something along that line) to
see what groups are in there. They also absolutely need at least Modify to
the folders in the whole C:\ drive (temp folder, etc).

It can be done, but this is the first I've heard this and with some
searching and testing on your part, I think we can find how to do it.

Ace

ttysnoop · May 15, 2007

(e-mail address removed) <[email protected]> typed:

Power Users should be able to run services. If not, check in the local sec
policy to see 'to allow services to run' (or something along that line) to
see what groups are in there. They also absolutely need at least Modify to
the folders in the whole C:\ drive (temp folder, etc).

It can be done, but this is the first I've heard this and with some
searching and testing on your part, I think we can find how to do it.

Ace

It is not a file permission problem, I know this because I've given
the user's group full control over the whole drive to test. The
program can run fine from cmd.exe ran as that user so its not anything
with the program (without full control over the drive).

When starting the service it doesn't even get to running the program.
That leads me to think there is a specific token/policy for running a
service that users does not have. What I can't find is where all the
possible tokens or policies are listed so i can select which one the
users can have.

I've also added the user to the 'Impersonate a client after
authentication', 'Log on as a service', and 'Log on as a batch job'.
None helped.

Do you know of a way I can get a more detailed error report? Like
where it was stopped. I've turned on every audit policy and event
viewer shows lots of successes like Log ons, Special privileges
assigned, a couple Detailed Tracking, Then a log off. No failures.

Ace Fekay [MVP] · May 16, 2007

In

It is not a file permission problem, I know this because I've given
the user's group full control over the whole drive to test. The
program can run fine from cmd.exe ran as that user so its not anything
with the program (without full control over the drive).

When starting the service it doesn't even get to running the program.
That leads me to think there is a specific token/policy for running a
service that users does not have. What I can't find is where all the
possible tokens or policies are listed so i can select which one the
users can have.

I've also added the user to the 'Impersonate a client after
authentication', 'Log on as a service', and 'Log on as a batch job'.
None helped.

Do you know of a way I can get a more detailed error report? Like
where it was stopped. I've turned on every audit policy and event
viewer shows lots of successes like Log ons, Special privileges
assigned, a couple Detailed Tracking, Then a log off. No failures.

I would need to experinment with the machine to test it. I'm sure there is a
security Right that we are both overlooking. You covered the basics, but
keep in mind there are a multitude of other settings under the Usre Rights
Assignments.

Go thru each policy and see where the default Admin is and mimick that. It
could be something as simple as load and unload device drivers or take
owenership. Maybe it is trying to access another part of the reg? Maybe the
service has something to do with DCOM which then gets IIS involved and it's
own set of permissions and adds an additional layer of complexity to your
goals.

Ace

ttysnoop · May 16, 2007

(e-mail address removed) <[email protected]> typed:

I would need to experinment with the machine to test it. I'm sure there is a
security Right that we are both overlooking. You covered the basics, but
keep in mind there are a multitude of other settings under the Usre Rights
Assignments.

Go thru each policy and see where the default Admin is and mimick that. It
could be something as simple as load and unload device drivers or take
owenership. Maybe it is trying to access another part of the reg? Maybe the
service has something to do with DCOM which then gets IIS involved and it's
own set of permissions and adds an additional layer of complexity to your
goals.

Ace

It's pretty sad to admit but at this point figuring out where the
service system is stumbling is more work then just coding a small
program that will launch and watch the process for me. I'm going to
call it quits and just do that.

Thanks for the ideas,
-Z

Also, Do you think there is a better group to post this question in? I
may try in one more group before resorting to a custom app.

Ace Fekay [MVP] · May 16, 2007

In

It's pretty sad to admit but at this point figuring out where the
service system is stumbling is more work then just coding a small
program that will launch and watch the process for me. I'm going to
call it quits and just do that.

Thanks for the ideas,
-Z

Also, Do you think there is a better group to post this question in? I
may try in one more group before resorting to a custom app.

Sorry, no I don't, unless if you may want to try the scripting.vbscript
group, where they may know of specific variables that may attain what you
are looking to do with an account. Otherwise, I am at a loss.

No problem for the help. I hope you find what you need.

Ace

Trying to configure group policies on a stand alone server.

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]

ttysnoop

Ace Fekay [MVP]