Access denied when using runas on Windows Server 2022 - windows

This is something I encountered after upgrading our servers from 2016/2019 to 2022:
When I tried to open our Active Directory with another user, it would always deny the access even though the user has full admin rights.
I do not know what exactly they changed or why it is happening.

Since I do not have access to the Group Policy (outsourced IT), I had to do the following for every server:
Stop the seclogon service (if running) over the console with net stop seclogon
You need to open the console with admin rights for this to work. Paste the following wrapped command into the console and press enter:
sc sdset seclogon D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPDTLOCRRC;;;IU)(A;;CCLCSWDTLOCRRC;;;SU)(A;;CCLCSWRPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
The runas command will now work again.

Related

inconsistent administrator permissions in windows

I'm a mac user making my first foray into windows development and I've run into some confusing admin privilege errors. I'm running a Windows 10 install via Bootcamp on my macbook pro that I just set up yesterday (I haven't "activated windows" ie not paid for it, not sure if that would make a difference with my issue). I'm an administrator and also the only user on the system, which I confirmed by first checking through the Settings app, and then by running these commands:
C:\Users\will\code\chrome-native-messaging>net user "%username%"
User name will
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/26/2016 1:38:13 PM
Password expires Never
Password changeable 9/26/2016 1:38:13 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/28/2016 1:03:42 PM
Logon hours allowed All
Local Group Memberships *Administrators *Ssh Users
Global Group memberships *None
The command completed successfully.
C:\Users\will\code\chrome-native-messaging>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
will
The command completed successfully.
However, when I run another command suggested in an SO thread to verify my admin status, I get an access denied error:
C:\Users\will\code\chrome-native-messaging>fsutil dirty query %systemdrive%
Error: Access is denied.
Any pointers on how to successfully run this command are much appreciated. thanks!
Did you launch the command prompt with Run as Administrator?
fsutil requires the command prompt to be elevated. You can check this by seeing if "Administrator: C:...\cmd.exe" is in the command prompt's title bar.

Execute wamp without asking Admin password (windows)

I have a problem executing WampServer on my user computer
is there a way to permit the user execute WampServer and to restart Apache server without having to enter Admin password ?
login as an administrator;
Install wamp
Download subinacl.exe from microsoft:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=23510
grant permissions to the regular user account to manage the WAMP services:
(subinacl.exe is in C:\Program Files (x86)\Windows Resource Kits\Tools)
subinacl /SERVICE \MachineName\wampapache /GRANT=domainname.com\username=F
subinacl /SERVICE \MachineName\wampmysql /GRANT=domainname.com\username=F
logout and log back in as the user. They should now be able to launch the WAMP taskbar application and control the WAMP service.
copied from my pc solved problem document nd forget wheres the source link hope that work

Execution of postgresql by a user with administrative permissions is not permitted

Win7. Postgres 9.3.
Every time I type "postgres" in cmd I get this error.
Created a new account without any admin rights and with "Log on as" rights and with correct directory access rights to postgres/data, then I set this account as the "Log on as" in the services menu, but I still get the same error.
update2017: I never found a solution to this.
For windows do this:
Start cmd.exe (administrator as you are)
Add postgres user:
net user postgres your_password /add
Start a cmd.exe using your new postgres account:
runas /user:postgres cmd.exe
You can validate you are login correctly using" whoami
Run postgres normally.
It is not clear from your question whether you are trying to start the Postgres service or "manually" start Postgres without having a Windows service registered.
Since 9.x Postgres does not require it's own Windows user account to run the service. It defaults to use the built-in "Network" account.
To start the Postgres service (if it has been correctly installed), simply use use
net start postgresql-9.3
(the actual name might be different)
If you did not register a Windows service you should start Postgres through pg_ctl.exe not through postgres.exe. pg_ctl.exe will drop any administrative privileges from the process when starting the server.
To start Postgres manually from the commandline use:
pg_ctl -w -D c:\Path\To\The\DataDirectory
assuming that the access rights to the data directory are setup correctly so that the current user has full access to the directory.
If you want to install/create the Windows service manually, you can also do this through the pg_ctl program:
pg_ctl register -N "postgresql-9.3" -D c:\Path\To\The\DataDirectory
Again the access rights to the data directory must be setup correctly.

MySql 5.6 Windows reset root password for the service

I did all this: http://dev.mysql.com/doc/refman/5.6/en/resetting-permissions.html
The mysqld is running in the command prompt and I can connect with the new password. But, the database is gone.
Luckily i found my root password again, and tried to login (with workbench) when the service is running normally with the "networkservice" user. Now I wonder why I can't change the password for the networkservice instance. It seems that the database is hooked up to that windows user.
I installed the mysql with the installation wizard.I have tried a lot of things, I cant reset the password for the MySQL 5.6 service running on Windows 8. I have tried running the reset as administrator in cmd, and it starts an instance in the command prompt, I can connect with the new password, but it's not the same as the MySql56 service...
I have tried to run start paramters in the service options, but it seems that windows are ignoring it when starting the services.
Any suggestions why?
I needed to change the defaults-file destination to the hidden folder: C:\ProgramData\MySQL\MySQL Server 5.6\my.ini
http://dev.mysql.com/doc/refman/5.1/en/option-files.html

Using SC.exe to set service credentials password fails

I know this question has been asked in the past, but a satisfactory answer has not been provided.
I am using the SC command to config the credentials for a service.
SC.exe config "SERVICE NAME" obj= "domain\user" password= "password"
This completes successfully, but when I start the service, it fails
to perform the login.
[NET START "service name"]
If I manually update ONLY the password from the services.msc, then
when I start the service it works fine.
I have hundreds of servers to update this change occurs in the middle of a deployment,
so manual intervention is NOT an option.
I have tried using the config to update the login account and then another config command for the password.
From all accounts, the SC.exe does not work for passwords and Microsoft has NO help.
IDEAS?
Besides stopping the service before making the changes, and granting the user permission to logon as a service, I also had to add the type= own parameter, otherwise it would fail with:
[SC] ChangeServiceConfig FAILED 87:
The parameter is incorrect
So this is the command that worked:
SC.EXE config "ServiceName" type= own obj= "domain\user" password= "password"
It even worked with special characters in the password, given I had the password between double brackets.
When you configure a service to run under a specific account via the normal route from the service properties windows automatically grants the account the log in as service right. When you use sc.exe you also have to grant the user the log on as service right.
Log On As Service Right
Before restarting services, you should grant your user permission to logon as a service.
Unfortunately, no way to do it from command line with default windows tools, but you can use small additional util ntright.exe from Windows Server 2003 Resource Kit Tools.
Download it from https://www.microsoft.com/en-us/download/details.aspx?id=17657
After installation you'll get a lot of tools in C:\Program Files (x86)\Windows Resource Kits\Tools (or in Program Files on 32bit machine).
You need ntrights.exe. You can copy it and run from any place on another host.
To grant your user required permission, you should add to your script:
ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%"
After that you can successfully restart services with a new user.
Also there is an option to run ntrights.exe on remote host:
ntrights.exe +r SeServiceLogonRight -u "%DOMAIN%\%USER%" -m %HOSTNAME%
This tool helps me very much when I need reconfigure a lot of hosts remotely.
To enable log on as a service via script I've written this, you can use it as is or pull out what is useful to you
https://raw.githubusercontent.com/cdaf/windows/master/automation/provisioning/setServiceLogon.ps1
Try to stop the service before setting up the password:
sc.exe stop "<my_service>" 4:4:3
sc.exe config "<my_service>" obj= "\.<local_acc_name>" password= "<local_acc_pass>"
sc.exe start "<my_service>"
I had this issue. Thanks to ST's comment on the original post, I realized I needed to research how to type the password. In my case, I needed to double up the percent sign (%%) in the password.
The link ST provided is helpful: Escaping special characters in cmd.
Run against this problem while doing some Powershell scripting and the issue in my case was the special characters in the password.
Got it working by storing the password in a variable with double quotes around it:
$servicePassword = "`"passwordWithSpecialCharacters`""
cmd /c sc config myService obj= mydomain\myuser password= $servicePassword
Special characters are:
()'"$><^?
Try This.
Start menu - type "local security policy" without the quotes. Open the "Local Policies", then left-click on "User Rights Assignment". On the right panel, right-click on "Log on as a service", and select "Properties". Click on "Add User or Group" and add your user. Click OK. You might have to reboot your machine.
After adding you can set the user name and password for the service in cmd.

Resources