SubInACL: FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80
-
Tuesday, November 20, 2012 10:01 AM
Morning guys! Today's topic: allow a user to restart a service on a server.
We have third party software running on one of our servers, and this software also runs a service. This service needs to be restarted every now and then - the software is kinda buggy. And because I'm working in a 24x7 environment it can happen that this service needs to be restarted at 3am. Instead of people calling me at 3am, I want to grant a couple of users the rights to restart the service when they need to.
In the Server 2003 era, a great tool was available to do this: subinacl. However, this tool was never released for Server 2008 officially, but I heard about people running it perfectly on ws2008. Before putting this into a production environment, I tried to allow a user to restart the Windows Update service in a testing environment. I downloaded and installed a toolkit containing subinacl. I have one server (lab-dc01) running ws2008r2 and a client running w7.
I opened a command prompt on the server where I wanted the user to start/stop the Windows update service, and entered this:
subinacl /service wuauserv GRANT=testlab\s.trekhaak=TO
But then I got this:
==================
+Service wuauserv
==================
/control=0x0
/owner =system
/primary group =system
/audit ace count =1
/aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2
    FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80
    SERVICE_QUERY_CONFIG-0x1 SERVICE_CHANGE_CONFIG-0x2 SERVICE_QUERY_STATUS-0x4
    SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_STOP-0x20 SERVICE_PAUSE_CONTINUE-0x40
    SERVICE_INTERROGATE-0x80 DELETE-0x10000 READ_CONTROL-0x20000 WRITE_DAC-0x40000
    WRITE_OWNER-0x80000
/perm. ace count =3
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
    SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
    SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    SERVICE_ALL_ACCESS
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    SERVICE_ALL_ACCESS
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : wuauserv
Wow, lots of text, not a simple "command executed successfully"... so I tried to restart a service on the server, from a client in the testdomain as a standard user:
C:\Users\s.trekhaak>sc \\lab-dc01 stop wuauserv
[SC] OpenService FAILED 5:Access is denied.
Hmm, so it's not working. I am logged on as testlab\s.trekhaak on the client, and as an admin on the server. I tried to specify a server when running the command:
SUBINACL /service \\lab-dc01\wuauserv GRANT=testlab\s.trekhaak=TO
But I got the same results. I found another topic about this problem on Technet, which was solved by using this command:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Unfortunately, that didn't help either. Does anyone know what the error from subinacl means? It's just gibberish to me :(
All Replies
-
Wednesday, November 21, 2012 8:35 AM
-
Thursday, November 22, 2012 12:33 PM
I found that thread when looking for a solution, I tried the command which solved his problem but it didn't work for me :( I guess it's not possible to change the ACL on ws2008 services.
- Marked As Answer by Cheers ZHANG (Microsoft Contingent Staff, Moderator) Tuesday, November 27, 2012 2:27 AM
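An added example (not part of the thread and not Microsoft's code) that reads the subinacl listing from the question the way an administrator auditing a service ACL would: it separates the audit ACE, where FAILED_ACCESS_ACE_FLAG is an ACE flag rather than a right, from the three permission ACEs, and reports the "Modified" counter. The function names and the exact-name matching are assumptions of this sketch; the sample is the thread's output with the console line wraps rejoined.

```python
import re

SERVICE_START, SERVICE_STOP, SERVICE_ALL_ACCESS = 0x10, 0x20, 0xF01FF
ACE_RE = re.compile(r"^/(?:aace|pace)\s*=(.*?)\s+([A-Z_]+_ACE_TYPE)-0x")
TOKEN_RE = re.compile(r"\b([A-Z_]+)-0x([0-9A-Fa-f]+)")
# Constructed sample: the thread's subinacl output with console wraps rejoined.
SAMPLE = r"""
/audit ace count =1
/aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2
  FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80
  SERVICE_QUERY_CONFIG-0x1 SERVICE_CHANGE_CONFIG-0x2 SERVICE_QUERY_STATUS-0x4
  SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SERVICE_STOP-0x20
  SERVICE_PAUSE_CONTINUE-0x40 SERVICE_INTERROGATE-0x80 DELETE-0x10000
  READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000
/perm. ace count =3
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
  SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SERVICE_ENUMERATE_DEPEND-0x8
  SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 READ_CONTROL-0x20000
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
  SERVICE_ALL_ACCESS
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
  SERVICE_ALL_ACCESS
Done: 1, Modified 0, Failed 0, Syntax errors 0
"""

def parse_subinacl(text):
    """Return (aces, modified); each ACE is {principal, type, mask}."""
    aces, modified = [], None
    for line in map(str.strip, text.splitlines()):
        head = ACE_RE.match(line)
        done = re.search(r"Modified\s+(\d+)", line)
        if done:
            modified = int(done.group(1))
        if head:
            aces.append({"principal": head.group(1).lower(),
                         "type": head.group(2), "mask": 0})
        elif aces:
            if "SERVICE_ALL_ACCESS" in line:
                aces[-1]["mask"] |= SERVICE_ALL_ACCESS
            for name, value in TOKEN_RE.findall(line):
                if not name.endswith("_ACE_FLAG"):  # ACE flags are not rights
                    aces[-1]["mask"] |= int(value, 16)
    return aces, modified

def allowed(aces, principal, right):
    """Exact-name match on allow ACEs only (no group or deny-ACE evaluation)."""
    return any(a["type"] == "ACCESS_ALLOWED_ACE_TYPE" and a["mask"] & right == right
               and a["principal"] == principal.lower() for a in aces)
```

Run against the listing in the question, `parse_subinacl` returns a Modified count of 0 and no permission ACE for testlab\s.trekhaak, and the only non-administrative entry (authenticated users) carries SERVICE_START but not SERVICE_STOP.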

