Scenario / Questions

Before I get shot down, I know how to schedule a task, restart a service with powershell or give a non-admin account the privileges to restart a service. That isn’t the problem. The problem, however, is the combination of all three tasks.

I have a windows service that needs to process files on a network folder. Therefore it logs on with a “service account” that is actually just a regular domain account. This domain account is not an administrator but has access rights to said folder. The service runs fine and does its job.

However, sometimes there is an error in one of the files that prevents other files from being processed. Usually it takes a while for someone to notice and there’s some backlog.

So, I created a monitoring script in powershell that polls the network folder for these erroneous files. If they are found, the files are moved to a temporary folder for review and the service needs to be restarted.

I gave the service account privileges through group policy to start and stop the service.


When I logon to the server with the service account, I am able to restart the service manually using the Services MMC. I am also able to execute the powershell script and it does exactly what it’s supposed to do: poll the folder, move the files and restart the service. Great!

In the next phase, I created a scheduled task that runs every 10 minutes. The task uses the same service account as the service to execute the powershell script. The box “execute with the highest privileges” is checked. Like I said, the powershell script needs access to the network drive, so I can’t run it as the local server admin and I don’t want to use domain admin credentials for such a menial task like this. (I try to implement the principle of least privilege as much as I can.)

I gave the service account the “logon as batch job” rights on the local server using the Local Security Policy MMC.

Now for the part that I can’t figure out: At the scheduled time the scheduled task completes successfully and the powershell script is executed. The script polls the folder and the error files are moved. The only thing that doesn’t work is restarting the service…?! Again, running the script manually as the same user worked perfectly.

I don’t see much in the event viewer, but the logging on my script states this error:

TerminatingError(Stop-Service): “Cannot open Service Control Manager on computer ‘.’. This operation might require other privileges.”

The commands I use to restart the service are:

Stop-Service -Verbose -DisplayName $($service[1])
Start-Service -Verbose -DisplayName $($service[1])

(I am using windows server 2012 R2 and powershell version 4 on a 2008 R2 Domain.)

I tried both setting the service permissions for the user using subinacl (as described here) and setting the SDDL string manually (as described here), so my control flags look like this (A;;CCLCSWRPWPDTLOCRRC;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX). I also tried setting the privileges on the service to Full Control in the GPO. None of these resolved the issue either. It must be an issue with privileges somewhere that I am still overlooking, because when I schedule the task with a domain account that is a local admin on the server, it works just fine.

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

The answer to another question resolved my issue as well.

The steps I did were:

  1. enable-psremoting on the server in an admin powershell prompt
  2. Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI on the server in an admin powershell prompt
  3. Added the service account (or security group) with full privileges
  4. sc sdshow scmanager on the server in an admin command prompt
  5. Copy the SDDL output
  6. Add (A;;KA;;;SID_OF_USER_OR_SECURITY_GROUP) to the SDDL before the S: part
  7. sc sdset scmanager THE_MODIFIED_SDDL mine looked like this: sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;KA;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
  8. Change my powershell script so it makes use of the Start-Service cmdlet instead of Set-Service (Set-Service did not work).

Looks like something simple turned out way, WAY more complicated than it should have been…
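Steps 4 to 7 of the suggestion above can be scripted so the SDDL edit is repeatable and reversible. This is an added example, not the answerer's code: it assumes an elevated PowerShell prompt on the server, that sc.exe is on the PATH, and that the account or group SID is passed in as a parameter (hypothetical script name: Grant-ScmAccess.ps1).

```powershell
# Added example: automate "sc sdshow scmanager" -> insert ACE -> "sc sdset scmanager"
# from the answer above. Run from an elevated PowerShell prompt.
param(
    # SID of the service account or security group (from the answer's step 6).
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^S-1-\d+(-\d+)+$')]
    [string]$AccountSid,

    # Rights string used by the answer above (KA = full access to the SCM).
    # Substitute a narrower rights string if your own testing shows it suffices.
    [string]$Rights = 'KA',

    # Where the untouched descriptor is saved so the change can be reverted.
    [string]$BackupPath = "$env:TEMP\scmanager-sddl.bak"
)

# 'sc' is a PowerShell alias for Set-Content, so the executable must be named
# explicitly; sdshow prints a blank line followed by the SDDL string.
$current = ((sc.exe sdshow scmanager) | Where-Object { $_ -match '^\s*D:' }) -join ''
$current = $current.Trim()
if (-not $current) { throw 'Could not read the SCM security descriptor.' }

# Keep a copy of the original: "sc.exe sdset scmanager <backup contents>" reverts it.
Set-Content -Path $BackupPath -Value $current -Encoding ASCII
Write-Verbose "Original SDDL saved to $BackupPath"

# Idempotency check: do not add a second ACE for a SID that is already listed.
if ($current -like "*;;;$AccountSid)*") {
    Write-Warning "An ACE for $AccountSid already exists in the SCM descriptor; nothing changed."
    return
}

# The answer inserts the new ACE at the end of the DACL, i.e. just before the
# SACL marker "S:" when one is present, otherwise at the end of the string.
$ace = "(A;;$Rights;;;$AccountSid)"
$saclIndex = $current.IndexOf('S:')
if ($saclIndex -ge 0) {
    $updated = $current.Substring(0, $saclIndex) + $ace + $current.Substring($saclIndex)
} else {
    $updated = $current + $ace
}

# Apply the modified descriptor and surface sc.exe's own error text on failure.
$result = sc.exe sdset scmanager $updated
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed: $result" }
Write-Output "Updated SCM descriptor:`n$updated"
```

After running it, re-check with sc.exe sdshow scmanager that exactly one new ACE appears and that the original S: section is intact.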