Windows service logon user can not start and stop it? - windows

I have a windows service. The logon user of this service is set to 'domain1\user1'. Its set to delayed start and it works fine.
Now, due to regular housekeeping maintenance, we need to stop this service, perform maintenance and start it back again on a regular schedule. I've written a batch file for that. We are using BMC Control M and I've set 'domain1\user1' as the account under which this batch file executes.
But when the bat file tries to execute 'net stop servicename' statement, I get error...
System error 5 has occurred.Access is denied.
I though that the logon user will automatically get the the start/stop permissions. But that doesn't seems to be the case. And I may have to do something like this...
https://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx
Am I missing something here?

Related

How do you securely have a non-admin run a powershell script?

I have an issue with a remote site whose printer occasionally errors out. The current solution is to restart the print spooler on the server.
I am trying to create a simple powershell script that allows a non-admin user to restart the Spooler service without being able to see the admin credentials or edit the script.
We are replacing the server in a couple of months, so the configuration will be fixable then. We just need a temporary workaround so the user doesn't need to email me every couple of days when the spooler requires resetting.
Ideas?
Create a scheduled task with the admin credentials cached. Under Actions, have the task run the privileged Powershell script: powershell c:\Path\MyScript.ps1. Assign no schedule (i. e. delete all triggers). Change the permissions on the task's XML file under C:\Windows\System32\Tasks to allow read/execute by nonadmins. Create a user facing CMD script (or a shortcut, even) that would run the task: schtasks /Run /TN:MyTaskName /S:Server.
There are other ways to isolate the credentials, but this seems to be the easiest.

How to run a VB6 app from a scheduled task without users being able to run it

We have a legacy VB6 application that automatically emails reports. It runs from a scheduled task on a server. Occasionally a user will run the exe - it's in a folder that we can't lock them out of, and it has to remain in that folder for reasons too complicated to go into here. Is there a way to prevent users from running the exe while still letting it run from the scheduled task? I can modify the source code for the exe, so that's an option if someone can help me figure out how.
I'm going to call your existing app AppChild and a new VB6 (or other program language) program AppParent.
Modify AppChild to test for a command line parameter at either Sub Main() or at the first form loaded in the Form_Load() event. If the command line parameter isn't there, AppChild terminates.
AppParent would be in a location not accessible to the other users. The Scheduled task runs AppParent which runs AppChild and passes the required command line parameter. This could be secured somewhat by passing a calculated hash and decoding it in AppChild if needed.
Or, if the users don't have access to the Scheduled Tasks, you could just run AppChild , passing the required parameter from the Scheduled Task. If the users do have access to the Scheduled Task this won't work because they could then see the passed parameter and create a shortcut which passes the required parameter.
You didn't state which OS the server is running but you may have problems using network resources if you try to run the Scheduled Task without a logged in user. Task Manager got a major update to handle security issues to prevent hackers from running tasks without a logged in user. Essentailly, network resources, .e.g. eMail, are not available unless a user is logged in.
https://technet.microsoft.com/en-us/library/cc722152(v=ws.11).aspx
The only way I found around that problem is to run a machine with a user with the correct permissions logged in all the time.
Are you sure you cannot lock the user out?
You could restrict access to the folder so that the user cannot access it and set up the scheduled task to use an account with access to the folder.
Although the users can't be locked out of the folder (perhaps the reports end up in there?), in Windows you can set the permissions on a per file basis. Make a new user that has the full rights (the same as your users). Schedule the VB6 app to run with that user. Remove the rights for the regular users to see the app. You do this by changing the permissions on just the VB6 app.

Grant IUSR Rights to Use PowerShell Stop-Process Command?

I have a PHP script that runs a Powershell Stop-Process command through shell_exec(). PHP runs as IUSR. When I run the script, I receive an access denied error message. If I run the command in PowerShell using my Administrator account, it works as expected.
How do I grant IUSR the ability to execute Stop-Process in Powershell?
I wasn't able to find a solution to grant IUSR the specific privileges to execute Stop-Process, but I was able to get around this by changing the "Anonymous Authentication" user associated with the kill script from IUSR to Administrator.
In IIS 8.5, go to Sites->My Site->Folder Name. On the main panel, click on Authentication under IIS. Right click on Anonymous Authentication and then click on Edit.
You can set the "Anonymous Authentication" value at any level of your IIS app; from the site level to the sub-directory level. I recommend only changing the value from IUSR to Administrator on the directory that actually hosts your kill script. Changing it for the whole site might create problems for other parts of the application.
I've seen some information that suggests if you add a limited user to the Performance Monitor Users group and grant it debug privileges, it will be able to terminate processes.
You might consider something a bit less risky though, like running another web app as a user with those rights, that can only be accessed from the local machine. Then make your PHP app do a web request to the internal app to do it's killin'.
If you're trying to kill only a specific process this lets you further limit the impact because the internal app could be designed to only kill that one thing.
Other ways to achieve a similar separation is to have for example a scheduled task that looks for a file with specific content in a specific directory, when it sees it, it kills a process and deletes the file. IUSR can be given permission to create files in that directory as a way to trigger this. This method is very easy to implement but isn't synchronous.

Create Batch File, Convert to Service, Schedule to Run Daily

I need to run an offsite backup .cmd script (batch file) on a Windows 7/8 PC, daily, whether a user is logged on or not. Naturally, Task Scheduler's feature "run if user is logged or not" doesn't work (sarcasm .. thanks M$) because the user has to be logged on at some time then signed out. Moreover, because of the urgency of the task, it must run no matter what. For example, if the power goes out and upon restoration the computer reboots, there will be nobody logged on. So, I need to convert the batch file to a service.
I've used NSSM to convert the batch file into a service, but I don't know how to make the service run on a schedule, because, by definition, it's not meant to run that way - I should be using a scheduled task. So, I'm not sure what to do and all the tutorials I've seen on Google imply that I know VB script and/or C#. Unfortunately, I don't and don't plan to ... I just need a quick fix to work like a Linux cron job.
Thanks!
Task Scheduler's feature "run if user is logged or not" doesn't work (sarcasm .. thanks M$) because the user has to be logged on at some time then signed out.
Are you sure? Because "run if user is logged or not" is an option, not a trigger. It should be combined with trigger "At startup" to achieve desired result:
If everything else fails, you can use nncron to schedule tasks and install it as service.

Detecting System Startup Event

I would like to execute a procedure that should be fired only upon windows system startup, and startup here does not mean program startup. Is there anything that I can do to trigger my procedure. If possible, i would like to avoid messing with the registry. I am using delphi 2010.
There are many options, but all will involve settings that require admin rights. These options include:
Put your routine in a service that is set to start automatically. This will start up when the system starts up and before any user has logged on.
Add an entry to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. This will execute when an interactive user logs on.
Add a scheduled task with an appropriate trigger, e.g. At startup.

Resources