Scenario / Questions
Before I get shot down, I know how to schedule a task, restart a service with PowerShell or give a non-admin account the privileges to restart a service. That isn't the problem. The problem however is the combination of all these three tasks combined.
I have a Windows service that needs to process files on a network folder. Therefore it logs on with a "service account" that is actually just a regular domain account. This domain account is not an administrator but has access rights to said folder. The service runs fine and does its job.
However, sometimes there is an error in one of the files that prevents other files from being processed. Usually it takes a while for someone to notice and there’s some backlog.
So, I created a monitoring script in PowerShell that polls the network folder for these erroneous files. If they are found, the files are moved to a temporary folder for review and the service needs to be restarted.
I gave the service account privileges through group policy to start and stop the service.
When I log on to the server with the service account, I am able to restart the service manually using the Services MMC. I am also able to execute the PowerShell script and it does exactly what it's supposed to do: poll the folder, move the files and restart the service. Great!
In the next phase, I created a scheduled task that runs every 10 minutes. The task uses the same service account as the service to execute the PowerShell script. The box "execute with the highest privileges" is checked. Like I said, the PowerShell script needs access to the network drive, so I can't run it as the local server admin and I don't want to use domain admin credentials for such a menial task like this. (I try to implement the principle of least privilege as much as I can.)
I gave the service account the “logon as batch job” rights on the local server using the Local Security Policy MMC.
Now for the part that I can't figure out: At the scheduled time the scheduled task completes successfully and the PowerShell script is being executed. The script polls the folder and the error files are moved. The only thing that doesn't work is restarting the service...?! Again, running the script manually as the same user worked perfectly.
I don’t see much in the event viewer, but the logging on my script states this error:
TerminatingError(Stop-Service): “Cannot open Service Control Manager on computer ‘.’. This operation might require other privileges.”
The commands I use to restart the service are:
Stop-Service -Verbose -DisplayName $($service) ... Start-Service -Verbose -DisplayName $($service)
(I am using Windows Server 2012 R2 and PowerShell version 4 on a 2008 R2 domain.)
I tried both setting the service permissions for the user using subinacl (as described here) and setting the SDDL string manually (as described here), so my control flags look like this (A;;CCLCSWRPWPDTLOCRRC;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX). I also tried setting the privileges on the service to Full Control in the GPO. None of these resolved the issue either. It must be an issue with privileges somewhere that I am still overlooking, because when I schedule the task with a domain account that is a local admin on the server, it works just fine.
Find below all possible solutions or suggestions for the above questions.
The answer to another question resolved my issue as well.
The steps I did were:
- enable-psremoting on the server in an admin PowerShell prompt
- Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI on the server in an admin PowerShell prompt
  - Added the service account (or security group) with full privileges
- sc sdshow scmanager on the server in an admin command prompt
  - Copy the SDDL output
  - Add (A;;KA;;;SID_OF_USER_OR_SECURITY_GROUP) to the SDDL before the S: part
- sc sdset scmanager THE_MODIFIED_SDDL; mine looked like this:
  sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;KA;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Change my PowerShell script so it makes use of the Start-Service cmdlet instead of Set-Service (Set-Service did not work).
Looks like something simple turned out way, WAY more complicated than it should have been…
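The SDDL edit in the answer above is easy to get wrong by hand, so here is an added example (not code from the original question or answer) that resolves the account to its SID, inserts the ACE before the S: part, parses the result before applying it, and lists who currently holds rights on the Service Control Manager. The function names Add-ScmAce and Get-ScmAccess and the account name DOMAIN\svc_account are assumptions; it expects an elevated PowerShell prompt on the server.

```powershell
# Added example, not from the original post. Builds and validates the modified
# scmanager SDDL from the answer above; dry run unless -Apply is given.
function Add-ScmAce {
    param(
        [Parameter(Mandatory)] [string] $Account,  # assumed placeholder, e.g. 'DOMAIN\svc_account'
        [string] $Rights = 'KA',                   # the answer used KA (full control over the SCM)
        [switch] $Apply                            # without -Apply nothing is changed
    )
    # Resolve the account to its SID so no hand-typed SID ends up in the descriptor
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # sc.exe, not sc: inside PowerShell "sc" is an alias for Set-Content
    $current = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $current) { throw 'Could not read the scmanager security descriptor' }
    if ($current -like "*;;;$sid)*") {
        Write-Warning "scmanager already contains an ACE for $Account ($sid)"
        return $current
    }

    # Append the new ACE to the DACL, i.e. insert it right before the S: (SACL) section
    $ace  = "(A;;$Rights;;;$sid)"
    $sacl = $current.IndexOf('S:')
    $new  = if ($sacl -ge 0) { $current.Insert($sacl, $ace) } else { $current + $ace }

    # Parse the result before touching the SCM; a malformed SDDL throws here instead of at sc sdset
    [void](New-Object System.Security.AccessControl.RawSecurityDescriptor($new))

    if ($Apply) {
        & sc.exe sdset scmanager $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    }
    return $new
}

# Review who holds rights on the SCM, for checking the change and for later audits
function Get-ScmAccess {
    $sddl = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }) -join ''
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{ Principal = $who; Type = $ace.AceType; Mask = ('0x{0:X}' -f $ace.AccessMask) }
    }
}

# Dry run first, apply once the printed SDDL looks right, then review the DACL:
# Add-ScmAce -Account 'DOMAIN\svc_account'
# Add-ScmAce -Account 'DOMAIN\svc_account' -Apply
# Get-ScmAccess
```

Keep a copy of the original sdshow output before applying, since sc sdset replaces the whole descriptor and the function only validates syntax, not intent.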