Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Local user can't stop a service

Status
Not open for further replies.
geagle

geagle

IS-IT--Management
Aug 4, 2003
20
0
0
US
Environment: Local computer - WinXP Pro OS, logs into Novell 6 Server, gets Computer Associates Inoculan client signature files updated at time of Novell login (runs script). Is NOT part of a domain. No 2000 or NT server involved.

Problem: If local user is "Limited", cannot stop the antivirus service on the local machine so that the signature files can be updated via file copy, then start service again. If login as "Administrator" to local computer, then service is stopped, files copied, service started just fine. How can I give the local "Limited" user the right to stop and start the needed service? I don't want to set users up as Administrators.


 
Sort by date Sort by votes
Change the way this particular service logs on .
Default is system (witch means admin)
 
Upvote 0 Downvote
I know changing the user to the Administrator type would solve the problem, but makes other problems for me. I don't want the users to be Administrator of their own computers. I just need them to be able to stop a service. Shouldn't I be able to change their security to enable this one thing?
 
Upvote 0 Downvote
Im not meaning the user . But the service .
You can grant a user account to log on as a service .
Change the properties for the antivirus service that need to start/stop to use the limited users account (log on as).

Now the user account is still limited/no admin
but granted the right to logon as service .

And the user can start/stop that particular service

 
Upvote 0 Downvote
If you open Services In Administrative tools from the Control Panel. Right Click on the service. Select Properties and then click the Log On Tab. You can then select which user to use to log on to the service. Change to administrator and add the admin password.

Greg Palmer

----------------------------------------
Any feed back is appreciated.
 
Upvote 0 Downvote
Thanks. I think this will solve my problem. I didn't know this solution existed (a service logging on). I have struggled with this for so long. Thanks again.
 
Upvote 0 Downvote
Another possible workaround, tho not the most secure solution, is to allow the user to logon as a service.
Start -> Run -> gredit.msc
Computer Config -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments: Log on as a service.
Try using gpalmer's solution first tho. Less chance for a user to be where they shouldn't that way.

Good luck

MCSE, A+
 
Upvote 0 Downvote
This works to have the service log on as .administrator, but as long as the user is 'limited', the antivirus files don't get copied to the c:drive. What can I do to let the files get copied?

 
Upvote 0 Downvote
Use the Scheduled Task feature to run a job 'at Logon'. One of the features of Scheduled Tasks is that a job can be run under any credentials you specify. Use Administrator credentials and password to run a job that copies the files and stops/starts the service. At the completion of the job the Administrative credentials expire and the remaining logon session is run under the standard user credentials.
 
Upvote 0 Downvote
That sounds like a good idea and I will try it, but disadvantage that I can see is that I have a script that is running now as part of the Novell login. The script checks the current version of the antivirus, if it doesn't need updating, fine, if it does need updating, it stops the services, copies the files and starts the services. Having the service login as administrator lets the script stop and start the services, but the files won't copy.

When I set up a new XP machine, I would have to Schedule a Task in addition to having the Novell login script. I don't know how that would work.

I need a way to let the Novell login execute everything with administrator rights, I think, similiar to how the Schedule a Task must work.
 
Upvote 0 Downvote
It looks like if I were to use the runas command, I would have to supply the password. That means my users would have to know the Administrator password and that would defeat the purpose of setting the user up as 'limited'.

Can I give the user profile rights to do this process (copy files) for this .exe only?
 
Upvote 0 Downvote
One of the solutions suggested here, was to have the user login as a service then logon that service as administrator. If I do that, would that be the same as making the user account type the same as an Administrator account? In other words, would I be giving out full rights to the user? If so, I might just as well make the user a Computer Administrator.
 
Upvote 0 Downvote
No, you would not.
The logon under alternate credentials would only survive as long as the "job" used for the Scheduled Task.

You could use the "Runas" facility; there are freeware tools to pass alternate credentials in a form that is not revealed in plaintext:
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

pjw001
  • Question
Latest Windows Update - End of Service
Replies
2
Views
205
pjw001
pjw001
VicM
  • Locked
  • Question
Change name not showing in user account 1
Replies
13
Views
200
guitarzan
guitarzan
Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
252
Flinx
Flinx
Sebastian42
  • Locked
  • Question
Getting a drive REdetected
Replies
18
Views
237
Rick998
Rick998
Deniall
  • Locked
  • Question
AutoHotKey for a very simple task 1
Replies
5
Views
140
Deniall
Deniall

Part and Inventory Search

Sponsor

Back
Top