locked
Remotely stop/start services not working for non-admins RRS feed

  • Question

  • On 2019 I am not able to remotely stop/start services for non-administrators.  I am running:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    Then setting ACL's for services via subinacl.exe (sysinternals version) and specifying F for full control.  Also tried stop/start specifically.  Subinacl is reporting "SERVICE_ALL_ACCESS" for the ACE I add.  I am then able to see the services remotely, but no stop/start control.  2000 - 2016 no problem, 2019 this doesn't work.

    http://woshub.com/granting-remote-access-on-scmanager-to-non-admin-users/

    http://woshub.com/set-permissions-on-windows-service/


    Tuesday, May 21, 2019 4:07 PM

Answers

  • https://support.microsoft.com/en-us/help/4457739/blocking-remote-callers-from-starting-or-stopping-services-when-they-a

    I did plenty of googling, never came across this article.  A peer of the Microsoft Premier tech pointed it out to us.  Took a few days of a premier call and convincing the tech that something was wrong.  Kept trying to point out that subinacl.exe isn't supported, etc, etc.

    Fix:

    reg add HKLM\SYSTEM\CurrentControlSet\Control /v RemoteAccessExemption /t REG_DWORD /d 1 /f

    • Marked as answer by tadmaz-quad Wednesday, June 12, 2019 2:35 PM
    Wednesday, June 12, 2019 1:28 PM

All replies

  • Hi,

    What is the error message of failed start/stop operation? 

    I will try to re-produce this problem on my test environment, please provide more information about your current environment:
    1. Run “winver” on both local and remote system, provide me the detail OS version and build number.
    2. Is it domain or workgroup environment? 

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 22, 2019 7:30 AM
  • Server with the service is 2019 datacenter 1809 17763.437 .  Remote client is Windows 10 1709 16299.1029.  Also tested on Server 2008 R2 for the client.  Domain environment.

    In service.msc on the remote client, stop and start are grayed out.  The following powershell does not work.

    $service = get-service -ComputerName SERVERNAME -Name SERVICENAME
    $service.Stop()
    $service.Start()

    PS I:\> $service.start()
    Exception calling "Start" with "0" argument(s): "Cannot open SERVICENAME service on computer 'SERVERNAME'."

    Thursday, May 23, 2019 2:10 PM
  • Hi,

    Could you please check if there is any error event has bee logged on both client and remote system via Event Viewer? You can filter event by time to find relate events.

    Best Regards,
    Eve Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 27, 2019 2:45 AM
  • Nothing is logged.  Were you able to reproduce?
    Tuesday, May 28, 2019 1:27 PM
  • Hi,

    I am unable to reproduce such problem until now. 

    If you want to narrow down the problem, tool such as Process Monitor may be helpful, it captures the operation and shows real-time file system, Registry and process/thread activity. 

    Process Monitor v3.50:
    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 30, 2019 8:01 AM
  • Hi,

    Is there any update?

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 3, 2019 2:31 AM
  • I've opened a premier call.  We'll see what happens.
    Monday, June 3, 2019 4:33 PM
  • Hi,

    Thank you for taking the time to update the thread, if solution has been found, please share it if possible. 

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 4, 2019 6:09 AM
  • Any news? Same problem here ...
    Thursday, June 6, 2019 10:27 AM
  • Getting the issue fully conveyed to multiple engineers is going slowly.  We have determined that if I log into the server with the service directly (member of the Users group, not Administrators), for the specific services that I have granted access with subinacl, I can stop/start the services.  So the issue is something to do with the "remote" aspect.
    Thursday, June 6, 2019 1:27 PM
  • Thought I was onto something, didn't pan out.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

    Thursday, June 6, 2019 5:55 PM
  • https://support.microsoft.com/en-us/help/4457739/blocking-remote-callers-from-starting-or-stopping-services-when-they-a

    I did plenty of googling, never came across this article.  A peer of the Microsoft Premier tech pointed it out to us.  Took a few days of a premier call and convincing the tech that something was wrong.  Kept trying to point out that subinacl.exe isn't supported, etc, etc.

    Fix:

    reg add HKLM\SYSTEM\CurrentControlSet\Control /v RemoteAccessExemption /t REG_DWORD /d 1 /f

    • Marked as answer by tadmaz-quad Wednesday, June 12, 2019 2:35 PM
    Wednesday, June 12, 2019 1:28 PM