What program sets who can start/stop services.

Status
Not open for further replies.

MauriceN

Technical User
Sep 21, 2004
9
US
I have used it before and cannot remember what program to use to set who can start and stop services. This is without giving the user admin privileges to the server.

Thanks in advance.

Maurice
 


What if I don’t want end users to be Power Users when running legacy applications?
Some system administrators may consider the Power Users group too liberal because of the built-in permissions that members of the Power Users group have:

· Create local users and groups.

· Modify users and groups that they have created.

· Create and delete non-admin file shares.

· Create, manage, delete and share local printers.

All other additional rights, such as Change System Time, or Stop and Start non-autostarted services, can be reconfigured for the Power User by modifying the appropriate user rights or configuring the appropriate ACL.

Since there is no way to disable the built-in permissions allotted to Power Users, administrators who need to support non-certified legacy applications must loosen up the permissions allotted to members of the Users group to the point where their installed base of applications can be successfully run. The Windows 2000 operating system includes a security template for precisely this purpose. The template is named compatws.inf and can be found in the %windir%\security\templates directory. The template can be applied to a system using the Security Configuration Toolset. For example, the secedit.exe command line component of the Toolset can apply the template as follows:

secedit /configure /cfg compatws.inf /db compatws.sdb

This template loosens up security for Users in a manner consistent with the requirements of most legacy applications.

Why can’t I install ActiveX controls as a normal User?
ActiveX controls are treated just like any other application, and because ActiveX controls are installed on a per-machine basis, they cannot be installed by normal Users. Instead, trusted ActiveX controls should be published in the Active Directory™ service from which they can be deployed on-demand using Microsoft Installer technology. For further information, consult Knowledge Base articles Q241163 and Q240897.

What can an Administrator do that a Power User can’t?
By default, an administrator can:

· Install the operating system.

· Install or configure hardware device drivers, although Power Users are allowed to install Print Drivers.

· Install system services.

· Install Service Packs, hotfixes, and Windows Updates.

· Upgrade the operating system.

· Repair the operating system.

· Install applications that modify Windows system files.

· Configure password policy.

· Configure audit policy.

· Manage security logs.

· Create administrative shares.

· Create administrative accounts.

· Modify groups or accounts created by other users.

· Remotely access the registry.

· Stop or start any service.

· Configure services.

· Increase quotas.

· Increase execution priorities.

· Remotely shutdown the system.

· Take ownership of arbitrary objects.

· Assign User rights.

· Override a locked computer.

· Format a hard drive.

· Modify system-wide environment variables.

· Access other Users’ private data.

· Backup and restore files.

What can a Power User do that a User can’t?
A Power User can:

· Create local users and groups.

· Modify users and groups that they have created.

· Create and delete non-administrator file shares.

· Create, manage, delete and share local printers.

· Change system time (default user right).

· Stop or start non auto-started services.



By default, Power Users also have

· Modify access to the Program Files directory.

· Modify access to many locations within the HKEY_LOCAL_MACHINE\Software registry hive.

· Write access to most system directories including %windir% and %windir%\system32.



These permissions allow Power Users to

· Perform per-computer installation of many applications. For example, applications that do not modify Windows system files or do not modify HKEY_LOCAL_MACHINE\System.

· Run legacy applications that improperly store per-user data in per-computer locations (without receiving error messages).

Unfortunately, these permissions are also the same permissions that allow Power Users to

· Plant Trojan horses that, if executed by administrators or other users, can compromise system and data security.

· Make system-wide operating system and application changes that affect other users of the system.



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
On news groups I see lots of discussion centering around granting admin access to DNS services. This is usually couched in an argument about whether unix admins should or should not have admin access to the DNS service. If you do that, you give them admin access to everything. What you can do is give the DNS admins the right to start / stop the DNS services through Group Policy objects. Open the GPO for the server's container:
Computer Configuration
Windows Settings
Security Settings
System Services
DNS Server
check Define this policy setting
click the Edit Security button.
There you can set security for the service, specifically which group or users have the right to start/stop/pause the service. Delegation of authority is the fundamental advance W2K has over NT.

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
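Added example, not part of the posts above: the "Edit Security" dialog described in the last reply writes an ACL onto the service object, and this PowerShell sketch audits such an ACL to list which trustees hold start/stop/pause rights and which hold rights that go well beyond that. The function name, the sample SDDL string and the SID in it are constructed for illustration.

```powershell
# Service access rights from winsvc.h / winnt.h that matter when reviewing a delegation.
$ServiceRights = [ordered]@{
    Start         = 0x00010   # SERVICE_START
    Stop          = 0x00020   # SERVICE_STOP
    PauseContinue = 0x00040   # SERVICE_PAUSE_CONTINUE
    ChangeConfig  = 0x00002   # SERVICE_CHANGE_CONFIG: can change the binary the service runs
    WriteDac      = 0x40000   # WRITE_DAC: can rewrite this ACL
    WriteOwner    = 0x80000   # WRITE_OWNER: can take ownership, then rewrite the ACL
}

# Hypothetical helper: returns one row per ACE that carries any of the rights above.
function Get-ServiceControlAce {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }

        $held = @($ServiceRights.Keys | Where-Object { $ace.AccessMask -band $ServiceRights[$_] })
        if (-not $held) { continue }

        # Resolve the SID to a name where possible; fall back to the raw SID.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }

        [pscustomobject]@{
            Trustee = $name
            Type    = $ace.AceQualifier      # AccessAllowed or AccessDenied
            Rights  = $held -join ','
            # Start/stop delegation should not carry configuration or ACL-write rights.
            Excess  = [bool]($held | Where-Object { $_ -in 'ChangeConfig','WriteDac','WriteOwner' })
        }
    }
}

# Constructed sample: SYSTEM, Administrators, interactive users, plus one delegated
# group (constructed SID) that was given start/stop/pause only.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)' +
          '(A;;LCRPWPDTRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

Get-ServiceControlAce -Sddl $sample | Format-Table -AutoSize

# Against a live service, feed it the output of sc.exe sdshow:
#   Get-ServiceControlAce -Sddl ((sc.exe sdshow <service name>) -join '').Trim()
```

In the sample, the interactive-users entry is skipped because it carries none of the listed rights, the delegated group shows Start,Stop,PauseContinue with Excess false, and only Administrators shows Excess true.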
 