Does the current user have special rights (start / stop) for a special service?

  • Question

  • Hello,

    is there any possibility to check if the current user has the permission to start and stop a special service?

    Thanks in advance.

    Friday, January 13, 2017 3:39 PM

Answers

  • This is not a good idea unless you can guarantee that your check is 100% correct.

    This is probably more difficult than you think it is (for example, nested group memberships).

    This is why what you are doing is not the correct way.

    The correct way is to try and catch the failure if it didn't work.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 17, 2017 5:41 PM
    Moderator

All replies

  • SC /?

    In PowerShell:

     cmd /c "sc sdshow spooler"


    \_(ツ)_/

    Friday, January 13, 2017 4:21 PM
  • sc doesn't really help me in this case.

    I need a script solution, which I can use when a logged on user tries to run a special command.

    Before the command is executed, the script would have to check if the user has the start / stop right on a special service.

    Friday, January 13, 2017 4:31 PM
  • There is no script solution. SC will run from a script.

    The user cannot change or even query a service without the permissions being set first. SC will let you set the permissions so the user can control the service.



    \_(ツ)_/

    Friday, January 13, 2017 4:55 PM
  • Before the command is executed, the script would have to check if the user has the start / stop right on a special service.

    Why? There's no need to check beforehand. Just run the command. If the user doesn't have permission, they will get an error.


    -- Bill Stewart [Bill_Stewart]

    Friday, January 13, 2017 4:59 PM
    Moderator
  • Here is how to do it in script but only an Administrator can run this command:

    # -EnableAllPrivileges is needed to read the service's security descriptor through WMI
    $service = gwmi win32_service -filter "name='spooler'" -EnableAllPrivileges
    # List the trustees (accounts/groups) that appear in the service's DACL
    $service.GetSecurityDescriptor().Descriptor.DACL | Select -Expand Trustee | select Name


    \_(ツ)_/

    Friday, January 13, 2017 5:02 PM
  • There's no need to check/verify first. Just run the command. If the user doesn't have permission to do it, they will get an error.

    -- Bill Stewart [Bill_Stewart]

    Friday, January 13, 2017 5:04 PM
    Moderator
  • @jrv:

    isn't there any way to check by a non administrative user account?

    Where exactly can I determine, if the listed trustee group / user has start / stop rights?

    Is it possible to check if the current user account belongs to one of the listed groups?

    The current user account might be an AD or local user account.

    The group to be checked might be an AD or local group.

    If possible without additional PS modules.
    • Edited by win_admin Monday, January 16, 2017 1:45 PM
    Monday, January 16, 2017 1:40 PM
  • @Bill:

    I don't want to get an error in my software, if the current user's permissions don't suffice.

    Monday, January 16, 2017 1:48 PM
  • @Bill:

    I don't want to get an error in my software, if the current user's permissions don't suffice.

    Only an admin can check that. As Bill notes - just catch the error and you know if they have rights.


    \_(ツ)_/

    Monday, January 16, 2017 1:56 PM
  • I've found this interesting article:

    https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/

    This way a non administrative user can get information about service's ACLs.

    Monday, January 16, 2017 3:27 PM
  • I've found this interesting article:

    https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/

    This way a non administrative user can get information about service's ACLs.

    I am pretty sure that users who have no rights on a service cannot run that command.


    \_(ツ)_/

    Monday, January 16, 2017 4:05 PM
  • Nope - a user can read the SD with SC.

    It will return an SDDL string.


    \_(ツ)_/

    Monday, January 16, 2017 4:08 PM
  • This will get the accounts that can access the service:

    # sc sdshow prints a blank line first, so element [1] is the SDDL string
    $sddl = (cmd /c sc sdshow spooler)[1]
    # Convert the SDDL into a Win32 security descriptor and list each ACE's mask and trustee
    $sd = [wmiclass]'win32_SecurityDescriptorHelper'
    $sd.SDDLToWin32SD($sddl).Descriptor.DACL |
        Select AccessMask, @{n='Trustee';e={$_.Trustee.Name}}


    \_(ツ)_/

    Monday, January 16, 2017 4:21 PM
  • Here is how to get the start/stop permissions:

    # sc sdshow prints a blank line first, so element [1] is the SDDL string
    $sddl = (cmd /c sc sdshow Winmgmt)[1]
    $sd = [wmiclass]'win32_SecurityDescriptorHelper'
    # SERVICE_START is 0x10 and SERVICE_STOP is 0x20 in the access mask
    $sd.SDDLToWin32SD($sddl).Descriptor.DACL |
        Select AccessMask,
            @{ n = 'Trustee'; e = { $_.Trustee.Name } },
            @{ n = 'Start';   e = { [bool]($_.AccessMask -band 0x10) } },
            @{ n = 'Stop';    e = { [bool]($_.AccessMask -band 0x20) } }

    Of course no one would add user accounts directly to a service ACL they would add a group and add the user to the group.


    \_(ツ)_/


    • Edited by jrv Monday, January 16, 2017 4:40 PM
    • Marked as answer by win_admin Tuesday, January 17, 2017 8:45 AM
    • Unmarked as answer by Bill_StewartModerator Tuesday, January 17, 2017 8:24 PM
    Monday, January 16, 2017 4:39 PM
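The following is an added example, not code from anyone in this thread. It takes jrv's SDDL approach one step further: instead of only listing trustees, it walks the service DACL in order and compares each ACE's SID against the current user's token (user SID plus token groups, which already contain nested group memberships), then wraps the real Start-Service call in try/catch as Bill Stewart recommends. It parses the SDDL with .NET's RawSecurityDescriptor rather than the Win32_SecurityDescriptorHelper WMI class, and assumes Windows PowerShell 5.x with sc.exe on the PATH. The function names (Test-ServiceAccess, Start-ServiceIfPermitted, Expand-GenericRights) and the generic-to-specific mapping constants are my own; the bit values come from winsvc.h.

```powershell
# Added example: emulate the Service Control Manager's access check for the
# current user against a service's DACL, then still catch the real failure.
# Assumes Windows PowerShell 5.x; sc.exe (not the 'sc' alias for Set-Content).

# Service-specific access rights from winsvc.h
$SERVICE_START      = 0x0010
$SERVICE_STOP       = 0x0020
$SERVICE_ALL_ACCESS = 0xF01FF

function Expand-GenericRights([long]$Mask) {
    # ACEs may carry GENERIC_* bits; the SCM maps them to service-specific rights.
    # Mapping below is the service object's generic mapping (assumption from winsvc.h docs).
    $specific = $Mask -band 0x0FFFFFFF
    if ($Mask -band 0x80000000) { $specific = $specific -bor 0x2008D }  # GENERIC_READ
    if ($Mask -band 0x40000000) { $specific = $specific -bor 0x20002 }  # GENERIC_WRITE
    if ($Mask -band 0x20000000) { $specific = $specific -bor 0x20170 }  # GENERIC_EXECUTE (includes START|STOP)
    if ($Mask -band 0x10000000) { $specific = $specific -bor $SERVICE_ALL_ACCESS }  # GENERIC_ALL
    return [long]$specific
}

function Test-ServiceAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [long]$DesiredAccess = 0x30   # SERVICE_START | SERVICE_STOP
    )
    # Any user with READ_CONTROL (normally Authenticated Users) can read the SD this way.
    $sddl = (sc.exe sdshow $ServiceName | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1).Trim()
    if (-not $sddl.StartsWith('D:')) { throw "sc.exe sdshow $ServiceName failed: $sddl" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl

    # Token SIDs: the user plus all enabled token groups. Token groups are already
    # transitive, so nested AD/local group membership is covered without any lookup.
    # Known gap: .NET omits deny-only SIDs (e.g. Administrators in a non-elevated
    # UAC token), so a deny ACE aimed at such a SID is not seen here.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Same order-dependent walk Windows uses: a matching deny on any still-wanted
    # bit ends the check; allows subtract bits until nothing is left.
    [long]$remaining = $DesiredAccess
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($mySids -notcontains $ace.SecurityIdentifier.Value) { continue }

        [long]$m = $ace.AccessMask
        if ($m -lt 0) { $m += 0x100000000 }          # int32 mask -> unsigned value
        $aceMask = Expand-GenericRights $m

        switch ("$($ace.AceType)") {
            'AccessDenied'  { if ($aceMask -band $remaining) { return $false } }
            'AccessAllowed' { $remaining = $remaining -band ($aceMask -bxor 0xFFFFFFFF) }
        }
        if ($remaining -eq 0) { return $true }
    }
    return ($remaining -eq 0)
}

function Start-ServiceIfPermitted([string]$ServiceName) {
    # Advisory pre-check so the caller can show a friendly message instead of an exception...
    if (-not (Test-ServiceAccess -ServiceName $ServiceName -DesiredAccess $SERVICE_START)) {
        Write-Warning "Current user is not granted SERVICE_START on '$ServiceName'"
        return $false
    }
    # ...but the SCM is the only authoritative answer, so the failure is still caught.
    try {
        Start-Service -Name $ServiceName -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Start of '$ServiceName' failed anyway: $($_.Exception.Message)"
        return $false
    }
}

# Usage:
#   Test-ServiceAccess -ServiceName spooler          # start+stop
#   Test-ServiceAccess -ServiceName spooler -DesiredAccess $SERVICE_STOP
#   Start-ServiceIfPermitted -ServiceName spooler
```

Test-ServiceAccess answers the question as asked (can this non-admin account start/stop this service?) without extra modules, but it is a prediction, not a decision: group membership, deny-only SIDs and future ACL changes are all reasons the real Start-Service call can still fail, which is why Start-ServiceIfPermitted keeps the try/catch.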
  • I don't want to get an error in my software, if the current user's permissions don't suffice.

    Why not? That's what everyone else does.


    -- Bill Stewart [Bill_Stewart]

    Monday, January 16, 2017 5:13 PM
    Moderator
  • Thanks jrv for the solution.

    The rest shouldn't be that difficult.

    Tuesday, January 17, 2017 8:44 AM
  • Thanks Bill for your point of view.

    I'm going to forward this information to our software developers.

    Wednesday, January 18, 2017 8:28 AM