SubInACL: FAILED_ACCESS_ACE_FLAG-0x80 FAILED_ACCESS_ACE_FLAG-0x0x80

    Question

  • Morning guys! Today's topic: allow a user to restart a service on a server.

    We have third-party software running on one of our servers, and this software also runs a service. This service needs to be restarted every now and then - the software is kinda buggy. And because I'm working in a 24x7 environment, it can happen that this service needs to be restarted at 3am. Instead of people calling me at 3am, I want to grant a couple of users the rights to restart the service when they need to.

    In the Server 2003 era, a great tool was available to do this: subinacl. However, this tool was never officially released for Server 2008, but I heard about people running it perfectly on ws2008. Before putting this into a production environment, I tried to allow a user to restart the Windows Update service in a testing environment. I downloaded and installed a toolkit containing subinacl. I have one server (lab-dc01) running ws2008r2 and a client running w7.

    I opened a command prompt on the server where I wanted the user to start/stop the Windows update service, and entered this:

    subinacl /service wuauserv GRANT=testlab\s.trekhaak=TO

    But then I got this:

    ==================
    +Service wuauserv
    ==================
    /control=0x0
    /owner             =system
    /primary group     =system
    /audit ace count   =1
    /aace =everyone         SYSTEM_AUDIT_ACE_TYPE-0x2
            FAILED_ACCESS_ACE_FLAG-0x80    FAILED_ACCESS_ACE_FLAG-0x0x80
            SERVICE_QUERY_CONFIG-0x1           SERVICE_CHANGE_CONFIG-0x2          SE
    RVICE_QUERY_STATUS-0x4
            SERVICE_ENUMERATE_DEPEND-0x8       SERVICE_START-0x10                 SE
    RVICE_STOP-0x20                  SERVICE_PAUSE_CONTINUE-0x40
            SERVICE_INTERROGATE-0x80           DELETE-0x10000                     RE
    AD_CONTROL-0x20000               WRITE_DAC-0x40000
            WRITE_OWNER-0x80000
    /perm. ace count   =3
    /pace =authenticated users      ACCESS_ALLOWED_ACE_TYPE-0x0
            SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SE
    RVICE_ENUMERATE_DEPEND-0x8
            SERVICE_START-0x10                 SERVICE_INTERROGATE-0x80           RE
    AD_CONTROL-0x20000
    /pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
            SERVICE_ALL_ACCESS
    /pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
            SERVICE_ALL_ACCESS

    Elapsed Time: 00 00:00:00
    Done:        1, Modified        0, Failed        0, Syntax errors        0
    Last Done  : wuauserv

    Wow, lots of text, not a simple "command executed successfully"... so I tried to restart a service on the server, from a client in the testdomain as a standard user:

    C:\Users\s.trekhaak>sc \\lab-dc01 stop wuauserv
    [SC] OpenService FAILED 5:

    Access is denied.

    Hmm, so it's not working. I am logged on as testlab\s.trekhaak on the client, and as an admin on the server. I tried to specify a server when running the command:

    SUBINACL /service \\lab-dc01\wuauserv GRANT=testlab\s.trekhaak=TO

    But I got the same results. I found another topic about this problem on Technet, which was solved by using this command:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    Unfortunately, that didn't help either. Does anyone know what the error from subinacl means? It's just gibberish to me :(
    Tuesday, November 20, 2012 10:01 AM
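An added example, not part of the original post and not code from subinacl or Microsoft: a small Python audit that reads the permission ACEs of a subinacl `/service` dump and reports which of the rights a restart needs (query status, start, stop) a given set of trustees lacks. The function names `parse_dacl` and `missing_for_restart` are hypothetical, and the parser assumes the console wraps long lines at 80 columns with continuations starting at column 0.

```python
import re

# Service access-mask bits, named as subinacl prints them in the dump above.
RIGHTS = {
    "SERVICE_QUERY_CONFIG": 0x1, "SERVICE_CHANGE_CONFIG": 0x2,
    "SERVICE_QUERY_STATUS": 0x4, "SERVICE_ENUMERATE_DEPEND": 0x8,
    "SERVICE_START": 0x10, "SERVICE_STOP": 0x20,
    "SERVICE_PAUSE_CONTINUE": 0x40, "SERVICE_INTERROGATE": 0x80,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
    "WRITE_OWNER": 0x80000, "SERVICE_ALL_ACCESS": 0xF01FF,
}
RESTART = ("SERVICE_QUERY_STATUS", "SERVICE_START", "SERVICE_STOP")

# Permission ACEs copied from the wuauserv dump above, still wrapped at 80
# columns (assumption: the console starts continuation lines at column 0).
SAMPLE = r"""/perm. ace count   =3
/pace =authenticated users      ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_QUERY_CONFIG-0x1           SERVICE_QUERY_STATUS-0x4           SE
RVICE_ENUMERATE_DEPEND-0x8
        SERVICE_START-0x10                 SERVICE_INTERROGATE-0x80           RE
AD_CONTROL-0x20000
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_ALL_ACCESS
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        SERVICE_ALL_ACCESS
"""

def parse_dacl(dump):
    """Return {trustee: access mask} for the ACCESS_ALLOWED permission ACEs."""
    dump = re.sub(r"\n(?=[A-Z_]+-0x)", "", dump)  # rejoin names split by the wrap
    dacl, trustee = {}, None
    for line in dump.splitlines():
        head = re.match(r"/pace =(.+?)\s+(\w+_ACE_TYPE)-0x", line)
        if head:  # only allow ACEs add rights; any other type is skipped
            allowed = head.group(2) == "ACCESS_ALLOWED_ACE_TYPE"
            trustee = head.group(1).lower() if allowed else None
        elif line.startswith("/"):
            trustee = None
        elif trustee:
            for name in re.findall(r"\b[A-Z][A-Z_]+\b", line):
                dacl[trustee] = dacl.get(trustee, 0) | RIGHTS.get(name, 0)
    return dacl

def missing_for_restart(dacl, trustees):
    """Restart rights that no ACE for the given trustees (user + groups) allows."""
    mask = 0
    for name in trustees:
        mask |= dacl.get(name.lower(), 0)
    return [right for right in RESTART if not mask & RIGHTS[right]]
```

Pass the user's own name together with the groups the account belongs to as `trustees`. The check covers only the service's own allow ACEs; deny ACEs and the separate SCMANAGER descriptor are outside it.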

Answers

All replies