Is it possible to allow a read-only mode so that someone can use the management console to 'connect to another computer' and see the services running? This is a Win2008 server, and the users will not have any rights except to be able to see the Windows services. Or is there a better way of achieving the same thing?
2 Answers
Each service has an ACL. This controls who can see the status, stop/start and configure. There is no inbuilt UI to give access to it, but `sc.exe sdshow "service"` will show the ACL in SDDL form; the `sdset` command for `sc.exe` allows the ACL to be set.
Based on the default for one service I looked at ("Windows Search"), all interactive users can query this service, but for Windows Update the access is different and based on all users (i.e. remote as well as logged in locally).
Since the access rights flags are expanded symbolically, but generically, it will be necessary to work out the underlying bit pattern to translate to service ACE flag names.
(There is an interactive services ACL editor when using Group Policy to enforce services configuration.)

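To illustrate the translation step the first answer describes, here is an added example (not part of either answer) that decodes the DACL from `sc.exe sdshow` output into service access right names and lists any rights that go beyond viewing. The sample SDDL string, the SID in it and the `VIEW_ONLY` definition of "read-only" are assumptions made for the illustration.

```python
import re

# SDDL two-letter rights as they apply to service objects (winsvc.h / winnt.h names).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that only let a trustee look at a service (assumed definition of "read-only").
VIEW_ONLY = {"SERVICE_QUERY_CONFIG", "SERVICE_QUERY_STATUS",
             "SERVICE_ENUMERATE_DEPENDENTS", "SERVICE_INTERROGATE", "READ_CONTROL"}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service logon", "AU": "Authenticated Users", "WD": "Everyone"}

# Constructed sample in the shape `sc.exe sdshow` prints; the last DACL entry
# uses a made-up SID standing in for a "service viewers" group.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)"
               "(A;;CCLCSWLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def decode_service_dacl(sddl):
    """Return [(ace_type, trustee, [right names])] for the D: part only."""
    dacl = re.search(r"D:[^()]*((?:\([^)]*\))*)", sddl)
    if not dacl:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        # A numeric mask (0x...) is kept as-is rather than guessed at.
        codes = [rights] if rights.lower().startswith("0x") else re.findall("..", rights)
        aces.append((ace_type, TRUSTEES.get(sid, sid),
                     [SERVICE_RIGHTS.get(c, c) for c in codes]))
    return aces

def excess_rights(rights):
    """Rights in an ACE that go beyond viewing the service."""
    return [r for r in rights if r not in VIEW_ONLY]

if __name__ == "__main__":
    for ace_type, trustee, rights in decode_service_dacl(SAMPLE_SDDL):
        verdict = "view-only" if not excess_rights(rights) else "more than view"
        print(f"{ace_type} {trustee}: {', '.join(rights)} [{verdict}]")
```

Running the decoder before and after an `sdset` change makes it easy to confirm that a new ACE grants only query rights and that no existing entry was dropped.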
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html
Last entry in "Table 2..."
