The syntax of this tool is much easier and more convenient. It is easier to use a command line tool SubInACL from the Sysinternals (by Mark Russinovich) to manage the service permissions. Sc sdset Spooler "D:(A CCLCSWRPWPDTLOCRRC SY)(A CCDCLCSWRPWPDTLOCRSDRCWDWO BA)(A CCLCSWLOCRRC IU)(A CCLCSWLOCRRC SU)(A RPWPCR S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO WD)" Using the SubInACL to Allow a User to Start/Stop/Restart Service For example, the permissions can be granted to a user with the following command: In order to assign the SDDL permissions string for a specific service, you can use the sc sdset command. You can get the SID of the AD security group using the Get-ADGroup cmdlet: Get-ADUser -Identity 'sadams' | select SID Or you can find the SID for any domain user using the Get-ADUser cmdlet: To get the SID for the current user, you can use the command: Instead of a predefined group, you can explicitly specify a user or group by SID. The last 2 characters are the objects (user, group or SID) that are granted permissions. LC - SERVICE_QUERY_STATUS (service status polling) CC - SERVICE_QUERY_CONFIG (request service settings)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |