
Start service remotely on Windows 2003~2012

My boss begged me to grant access to ~5 various services on XXX hundred servers (2003~2012).

I tried setting the SDDL on each service (I have been testing with the BITS service and a specific account), and I even set access for my own account; example command:

    sc sdset BITS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;**[startStopListSettings]**;;;**MY-SID**)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Even though I created this new entry, I still cannot use SC from another computer, as a non-admin user, to start/stop the service.

What else do I need to do to allow a non-admin user to start services on a remote computer? Does anyone have a solution? Thanks

OK, I figured out how to edit the service permissions; I created 3 functions: get / add / remove:

    #Requires -version 3
    #####################
    # Code info     :Set Service Rights on remote computer. By this script you can set rights on a service on many computers by modifying its SDDL remotely.
    #                You need - service name  - object SID you want to add/remove access for, and computer name(s)
    # V             :1.3.2.0
    # D             :01-06-2017
    # Author        : stackoverflow.com - gsky
    # INFO          :All credits go to the author of this script. No changes without confirmation
    # Compatibility :Powershell 3 and up (.net 3.5 and up)
    # Supported     :From Windows 2003 to 2016
    # Keywords      : Windows, Wintel, Service, Remote, Add Rights, Remove Rights
    #####################



    function Get-MGServiceRights 
    {
    <#
        .DESCRIPTION
        Gets Service rights from (remote)Computer(s)

        .PARAMETER computername
        Specifies the computername.

        .PARAMETER ServiceName
        Specifies the Service Name

        .EXAMPLE
        Get-MGServiceRights -computerName  testComputer123 -ServiceName BITS

        .NOTES
        version 1.3.2.0 
        #>
    param
    (
        [parameter(Mandatory = $true,
                   Position = 0)]
        [string[]]$computerName,
        [parameter(Mandatory = $true,
                   Position = 1)]
        [string]$ServiceName
    )
    foreach ($computer in $computerName)
    {
        $msgError = $null
        $Output = [pscustomobject][ordered]@{
            Computer = $computer
            ServiceName = $ServiceName
            Acl = $null
        }
        $SC_CMD = 'sc.exe'
        $arg1 = "\\$computer"
        $arg2 = 'sdshow'
        $arg3 = "$ServiceName"


        [string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3

        if ($queryResult -like "*FAILED *")
        {
            # sc.exe could not open the service: keep the non-empty error lines and drop the "[SC] OpenService" prefix
            $msgError = @($queryResult | Where-Object { $_ -ne '' }) -join ' '
            $Output.acl = $msgError -replace '\[SC\]\sOpenS[A-Za-z]*\s', 'GET: '
        }
        else
        {
            # sdshow prints the SDDL on one line surrounded by blank lines; return it as a single string
            $Output.acl = @($queryResult | Where-Object { $_ -ne '' }) -join ''
        }
        $Output
    }
    }


    function Add-MGServiceRights
    {
    <#
        .DESCRIPTION
        Adds Service rights - on remote Computer(s) 

        .PARAMETER computername
        Specifies the computername.

        .PARAMETER ServiceName
        Specifies the Service Name

        .PARAMETER objectSID
        Specifies the SID of the object you want to add (e.g. an account SID such as S-1-5-00-0000000-000000000-00000000)

        .PARAMETER ACL
        Specifies the level of rights - one of three options: Control (start/stop/query status of service), Read (query status of service), FullControl (full control)


        .EXAMPLE
        Add-MGServiceRights -computerName  testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000 -ACL FullControl

        .NOTES
        version 1.3.2.0 
        #>
    param
    (
        [parameter(Mandatory = $true,
                   Position = 0)]
        [string[]]$computerName,
        [parameter(Mandatory = $true,
                   Position = 1)]
        [string]$ServiceName,
        [parameter(Mandatory = $true,
                   Position = 2)]
        [system.Security.Principal.SecurityIdentifier]$objectSID,
        [parameter(Position = 3)]
        [ValidateSet("Control", "Read", "FullControl")]
        [string]$ACL = "Control"
    )

    begin
    {

        $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
        $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
        # sc.exe sdset needs an elevated token; stop here instead of failing on every computer
        if (!($myWindowsPrincipal.IsInRole($adminRole))) { throw "Script requires elevation. Run the console as an Administrator" }

    }
    process
    {
        switch ($acl)
        {

            Read {
                $permissions = "CCLCSWLOCRRC"
            }
            FullControl {
                $permissions = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
            }
            default
            {
                $permissions = "CCLCSWRPWPDTLOCRRC"
            }
        }


        $scRightsForNewObject = ("(A;;$permissions;;;$($objectSID.value))").ToUpper()

        foreach ($computer in $computerName)
        {
            $msgError = $null
            $Output = [pscustomobject][ordered]@{
                Computer = $computer
                Account = $objectSID
                ServiceName = $ServiceName
                CommandResponse = $null
            }
            try
            {
                $ScriptResult = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).acl


            }
            catch
            {
                Write-Error $error[0].Exception.Message
                break
            }
            if ($ScriptResult -like "*Failed*")
            {
                $Output.CommandResponse = "ADD: $ScriptResult"
            }

            else
            {
                if ($ScriptResult -like "*$scRightsForNewObject*")
                { $Output.CommandResponse = "ADD: Object already exists with same level of rights." }
                else
                {
                    # Append the new ACE to the end of the DACL: just before the SACL marker "S:" when the
                    # descriptor has one, otherwise at the end of the string
                    if ($ScriptResult -match 'S:')
                    { $SDDLtoADD = $ScriptResult -replace 'S:', "${scRightsForNewObject}S:" }
                    else
                    { $SDDLtoADD = "$ScriptResult$scRightsForNewObject" }

                    $SC_CMD = 'sc.exe'
                    $arg1 = "\\$computer"
                    $arg2 = 'sdset'
                    $arg3 = $ServiceName
                    $arg4 = $SDDLtoADD

                    [string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3 $arg4
                    [string[]]$lines = @($queryResult | Where-Object { $_ -ne '' })

                    $Output.CommandResponse = $lines -replace '\[SC\]', 'ADD:'

                    if ($lines -like "*FAILED *")
                    {
                        # keep every error line, drop the "[SC] OpenService" prefix
                        $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS[A-Za-z]*\s', 'ADD: '
                    }
                }


            }
            $Output
        }
    }
    }



    function Remove-MGServiceRights
    {
    <#
        .DESCRIPTION
        Removes Service rights - on remote Computer(s) 

        .PARAMETER computername
        Specifies the computername.

        .PARAMETER ServiceName
        Specifies the Service Name

        .PARAMETER objectSID
        Specifies the SID of the object you want to remove (e.g. an account SID such as S-1-5-00-0000000-000000000-00000000)


        .EXAMPLE
        Remove-MGServiceRights -computerName  testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000

        .NOTES
        version 1.3.2.0 
        #>
    param
    (
        [parameter(Mandatory = $true,
                   Position = 0)]
        [string[]]$computerName,
        [parameter(Mandatory = $true,
                   Position = 1)]
        [string]$ServiceName,
        [parameter(Mandatory = $true,
                   Position = 2)]
        [system.Security.Principal.SecurityIdentifier]$objectSID


    )

    begin
    {

        $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
        $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
        # sc.exe sdset needs an elevated token; stop here instead of failing on every computer
        if (!($myWindowsPrincipal.IsInRole($adminRole))) { throw "Script requires elevation. Run the console as an Administrator" }

    }
    process
    {
        foreach ($computer in $computerName)
        {
            $msgError = $null
            $Output = [pscustomobject][ordered]@{
                Computer = $computer
                Account = $objectSID
                ServiceName = $ServiceName
                CommandResponse = $null
            }
            try
            {
                $ScriptResult = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).acl

            }
            catch
            {
                Write-Error $error[0].Exception.Message
                break
            }
            if ($ScriptResult -like "*Failed*")
            {
                $Output.CommandResponse = "REMOVE: $ScriptResult"
                $Output
            }

            else
            {
                $found = $false
                $newAcl_ = ''   # reset per computer, otherwise the previous computer's ACEs leak into this one

                # Rebuild the descriptor without any ACE that names the target SID. Splitting on ")"
                # leaves each ACE ending in its SID, so match on the last ";"-delimited field only.
                foreach ($acePart in ($ScriptResult -split "\)"))
                {
                    if ($acePart -like "*;$objectSID")
                    {
                        $found = $true
                    }
                    else
                    {
                        $newAcl_ += $acePart + ")"
                    }
                }


                if ($found)
                {
                    $SDDLtoADD = $newAcl_.Remove($newAcl_.length - 1, 1)

                    $SC_CMD = 'sc.exe'
                    $arg1 = "\\$computer"
                    $arg2 = 'sdset'
                    $arg3 = $ServiceName
                    $arg4 = $SDDLtoADD
                    [string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3 $arg4
                    [string[]]$lines = @($queryResult | Where-Object { $_ -ne '' })

                    $Output.CommandResponse = $lines -replace '\[SC\]', 'REMOVE:'

                    if ($lines -like "*FAILED *")
                    {
                        # keep every error line, drop the "[SC] OpenService" prefix
                        $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS[A-Za-z]*\s', 'REMOVE: '
                    }
                }
                else
                {
                    $Output.CommandResponse = "REMOVE: Object Not Found"
                }


                $Output
            }
        }
    }
    }
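A companion check, added here as an example and not part of the original question or answer: before and after handing out service rights with a script like the one above, it helps to read back what `sc.exe sdshow` returns and see exactly which principals may start, stop or reconfigure the service. The PowerShell below parses a service DACL in SDDL form, translates the two-letter rights tokens into their SERVICE_* meaning, and flags allow ACEs that give control or DACL rights to broad well-known principals. The sample descriptor, the domain SID inside it and the list of "broad" principals are constructed for this example; the token and SID-alias tables are standard SDDL.

```powershell
# Added example (not from the original post): parse a service security descriptor in SDDL form,
# i.e. the string "sc.exe sdshow <service>" prints, and report who may start, stop or reconfigure
# the service. The sample descriptor, its domain SID and the "broad principal" list are constructed.

# Service-specific meaning of the SDDL rights tokens (SERVICE_* masks from winsvc.h plus the
# standard rights DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER).
$ServiceRightTokens = [ordered]@{
    CC = @{ Mask = 0x00001; Name = 'SERVICE_QUERY_CONFIG' }
    DC = @{ Mask = 0x00002; Name = 'SERVICE_CHANGE_CONFIG' }
    LC = @{ Mask = 0x00004; Name = 'SERVICE_QUERY_STATUS' }
    SW = @{ Mask = 0x00008; Name = 'SERVICE_ENUMERATE_DEPENDENTS' }
    RP = @{ Mask = 0x00010; Name = 'SERVICE_START' }
    WP = @{ Mask = 0x00020; Name = 'SERVICE_STOP' }
    DT = @{ Mask = 0x00040; Name = 'SERVICE_PAUSE_CONTINUE' }
    LO = @{ Mask = 0x00080; Name = 'SERVICE_INTERROGATE' }
    CR = @{ Mask = 0x00100; Name = 'SERVICE_USER_DEFINED_CONTROL' }
    SD = @{ Mask = 0x10000; Name = 'DELETE' }
    RC = @{ Mask = 0x20000; Name = 'READ_CONTROL' }
    WD = @{ Mask = 0x40000; Name = 'WRITE_DAC' }
    WO = @{ Mask = 0x80000; Name = 'WRITE_OWNER' }
}

# Well-known SID abbreviations that commonly appear in service descriptors.
$KnownSidAliases = @{
    SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'; BU = 'BUILTIN\Users'
    IU = 'NT AUTHORITY\INTERACTIVE'; SU = 'NT AUTHORITY\SERVICE'; AU = 'NT AUTHORITY\Authenticated Users'
    WD = 'Everyone'; AN = 'NT AUTHORITY\ANONYMOUS LOGON'; NS = 'NT AUTHORITY\NETWORK SERVICE'; LS = 'NT AUTHORITY\LOCAL SERVICE'
}

function ConvertFrom-ServiceSddl
{
    param ([Parameter(Mandatory = $true)][string]$Sddl)

    # Keep only the DACL: the text after "D:" up to the SACL marker "S:", if there is one.
    if (-not ($Sddl -match 'D:(?<dacl>.*?)(?:S:.*)?$')) { throw "No DACL in SDDL string: $Sddl" }
    $dacl = $Matches['dacl']
    $typeNames = @{ A = 'Allow'; D = 'Deny' }

    # An ACE is "(type;flags;rights;object_guid;inherit_object_guid;sid)"; service ACEs leave both GUIDs empty.
    $aceRegex = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($ace in [regex]::Matches($dacl, $aceRegex))
    {
        $rightsText = $ace.Groups['rights'].Value
        if ($rightsText -like '0x*')
        {
            # Numeric form: map every set bit back to its token
            $mask = [Convert]::ToInt32($rightsText.Substring(2), 16)
            $tokens = @($ServiceRightTokens.Keys | Where-Object { ($mask -band $ServiceRightTokens[$_].Mask) -ne 0 })
        }
        else
        {
            # Token form: a run of two-letter codes such as "CCLCSWRPWPDTLOCRRC"
            $tokens = @(for ($i = 0; $i + 1 -lt $rightsText.Length; $i += 2) { $rightsText.Substring($i, 2) })
        }
        $type = $ace.Groups['type'].Value
        $sid = $ace.Groups['sid'].Value
        $aceType = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { $type }
        $principal = if ($KnownSidAliases.ContainsKey($sid)) { $KnownSidAliases[$sid] } else { $sid }
        [pscustomobject]@{
            AceType      = $aceType
            Sid          = $sid
            Principal    = $principal
            Tokens       = $tokens
            Rights       = @($tokens | ForEach-Object { if ($ServiceRightTokens.Contains($_)) { $ServiceRightTokens[$_].Name } else { $_ } })
            CanStart     = ($tokens -contains 'RP')
            CanStop      = ($tokens -contains 'WP')
            CanReconfig  = ($tokens -contains 'DC')
            CanChangeAcl = (($tokens -contains 'WD') -or ($tokens -contains 'WO'))
        }
    }
}

function Find-ServiceSddlRisk
{
    # Report allow ACEs that hand control-type rights to broad principals. The default list of
    # "broad" SIDs is an assumption for this example; tune it to your own baseline.
    param (
        [Parameter(Mandatory = $true)][string]$Sddl,
        [string[]]$BroadPrincipals = @('WD', 'AU', 'BU', 'IU', 'AN')
    )
    foreach ($ace in (ConvertFrom-ServiceSddl -Sddl $Sddl))
    {
        if ($ace.AceType -ne 'Allow' -or $BroadPrincipals -notcontains $ace.Sid) { continue }
        $reasons = @()
        if ($ace.CanStart)     { $reasons += 'start' }
        if ($ace.CanStop)      { $reasons += 'stop' }
        if ($ace.CanReconfig)  { $reasons += 'change config (binary path, account)' }
        if ($ace.CanChangeAcl) { $reasons += 'rewrite the ACL' }
        if ($reasons.Count -gt 0)
        {
            [pscustomobject]@{ Principal = $ace.Principal; Sid = $ace.Sid; Rights = ($ace.Tokens -join ''); Allows = ($reasons -join ', ') }
        }
    }
}

# Constructed sample: the BITS descriptor from the question, plus an ACE granting a made-up domain
# SID the "Control" token set used above and a deliberately over-broad ACE for Everyone (WD).
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)' +
              '(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1234)' +
              '(A;;RPWP;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

ConvertFrom-ServiceSddl -Sddl $SampleSddl |
    Format-Table Principal, AceType, CanStart, CanStop, CanReconfig, CanChangeAcl -AutoSize
Find-ServiceSddlRisk -Sddl $SampleSddl | Format-List
```

Against a live machine, feed it the same string the script above works with, for example `$sddl = (sc.exe sdshow BITS | Where-Object { $_ -ne '' }) -join ''`, and compare the parsed ACE for the SID you just added with the level you intended (Read, Control or FullControl). Two caveats that matter in practice: `sc.exe sdset` replaces the whole descriptor, so any edit must start from the current `sdshow` output as the Add/Remove functions do; and the per-service descriptor is only one of the gates a remote caller passes through. The Service Control Manager has its own security descriptor (`sc.exe sdshow scmanager`), and a remote non-admin must be allowed to connect to the SCM at all before the service's own ACE is consulted, which is one reason a correct service SDDL alone may still not let a non-admin start the service remotely.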
