Remote query -Class Win32_Service does not show all services when executed by normal domain user

  • Question

  • When I run the following WMI query in PowerShell using a domain admin user:

    gwmi -query "select * from win32_service where name like 'ReportServer%' and started = 1" -computername VM-SRV-01

    I got the following result:

    but if I run the same using a normal domain user I get nothing:

    Actually, when I run the following command with an admin user:

    Get-WmiObject -class Win32_Service

    I get more services than when I run the same command with a normal domain user, and ReportServer is one of those services that appear only with admin users and disappear with a normal user.

    What permissions should I give SQLSrvInventoryUsr (a normal domain user) to be able to get all the services when executing the mentioned WMI queries?



    • Edited by Butmah Saturday, January 24, 2015 6:29 PM
    Saturday, January 24, 2015 6:23 PM

Answers

  • I believe it's the same solution as the original question, but a different permission that needs to be granted.

    http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

    I believe the permission you'll need to grant is RP (Read All Properties)


    • Marked as answer by Butmah Wednesday, January 28, 2015 1:21 PM
    Saturday, January 24, 2015 7:23 PM
  • DUPLICATE TOPIC: https://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/f2418859-29d0-4111-a6c1-b1d5ea8d012e/#206bf55d-a0b8-430e-a6ce-360138b02134

    As in the other thread, follow the instructions on how to modify services. There is no permission short of administrator that will change the user account.

    The links I posted explain this very completely.

    Post all issues here: https://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/f2418859-29d0-4111-a6c1-b1d5ea8d012e/#206bf55d-a0b8-430e-a6ce-360138b02134

    This thread will likely be merged.


    ¯\_(ツ)_/¯

    • Marked as answer by Butmah Wednesday, January 28, 2015 1:21 PM
    Saturday, January 24, 2015 6:46 PM
  • I think mjolinor has the answer. Read all properties is more than you actually need, though. If all you're interested in is the name and whether it's started, I think you just need the QueryStatus (0x4) right. If you want to know what the start mode is, e.g., Auto, Manual, etc., I think you'll also need Interrogate (0x80) and QueryConfig (0x1).

    Can I suggest this module for viewing and possibly changing the permissions? I'm going to give examples below for version 3.0, but keep an eye out for an update to the version 4.0 preview (the preview up now will only let you view the permissions).

    Each of the examples assumes the user you're interested in is named 'limiteduser', so you'll need to change that in your test environment (remember to do this in a test environment before using it on a live system).

    I couldn't figure out how to get the scmanager permissions with Get-SecurityDescriptor, so here's how you could use sc.exe and New-AdaptedSecurityDescriptor to view and change it:

    $ScManagerSddl = sc.exe sdshow scmanager | ? { $_ }
    $ScManagerSD = New-AdaptedSecurityDescriptor -Sddl $ScManagerSddl -AccessMaskEnumeration PowerShellAccessControl.ServiceAccessRights -DisplayName SCManager
    $ScManagerSD | Get-AccessControlEntry
    
    # Make a change:
    $ScManagerSD | Add-AccessControlEntry -Principal limiteduser -ServiceAccessRights QueryConfig
    
    # Get the SDDL:
    $ScManagerSD.Sddl
    
    # sc.exe sdset <modified SDDL goes here>
    

    Here's an example of adding the QueryConfig right to every service:

    Get-Service | Add-AccessControlEntry -Principal limiteduser -ServiceAccessRights QueryConfig

    Finally, if you want a list of services that don't allow your limited user to query the status, you can use Get-EffectiveAccess. To be honest, you shouldn't have to jump through the hoops that my example does, but the function wasn't behaving quite the way I wanted it to. It will be much easier to do this type of check in version 4.0:

    $UserName = "limiteduser"
    Get-Service | ForEach-Object {
        $SD = Get-SecurityDescriptor -InputObject $_
    
        # Comment this out if you want to be able to query the access from a remote system.
        #
        # This alters the in memory security descriptor (it won't save any changes) to create fake
        # ACEs mimicking the INTERACTIVE user, since the $UserName user would be given any rights
        # specified in these ACEs while logged on interactively.
        $SD | Get-AccessControlEntry -Principal INTERACTIVE | Add-AccessControlEntry -Principal $UserName -SDObject $SD
    
        # See if the security descriptor lacks the 'QueryStatus' right. If so, return it
        if ($SD | Get-EffectiveAccess -Principal $UserName -ListAllRights | ? { $_.Permission -eq "QueryStatus" -and $_.Allowed -eq $false }) {
            $_
        }
    }
    

    If you like version 3.0, keep an eye out for version 4.0. I'll probably have another update up this week that brings Add-AccessControlEntry, Remove-AccessControlEntry, Enable-AclInheritance, Disable-AclInheritance, Set-Owner, and Set-SecurityDescriptor back in.

    If you have any problems or suggestions, please let me know.

    • Proposed as answer by jrv Saturday, January 24, 2015 10:16 PM
    • Marked as answer by Butmah Wednesday, January 28, 2015 1:21 PM
    Saturday, January 24, 2015 9:27 PM
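    Added example (not code from this thread or from Rohn's PowerShellAccessControl module): it decodes a service DACL as `sc.exe sdshow <service>` prints it into the SERVICE_* rights named above, and builds the `sc.exe sdset` line that adds only QueryConfig, QueryStatus and Interrogate (CC, LC, LO) for one SID. The two-letter SDDL rights are generic bit names, so on a service object RP is bit 0x10, SERVICE_START, which is why "RP" grants more than read access; the sample SDDL and the SID are constructed placeholders, and the mapping is for individual services only (the scmanager object uses the SC_MANAGER_* meanings for the same letters).

```powershell
# Added example, not code from this thread or from the PowerShellAccessControl module.
# Decodes a service DACL (as `sc.exe sdshow <service>` prints it) into SERVICE_* right
# names, then builds the `sc.exe sdset` line that adds a query-only ACE for one SID.
# SDDL two-letter rights are generic bit names; on a service object the bits mean:
$ServiceRights = [ordered]@{
    CC = @{ Bit = 0x00001; Name = 'QueryConfig' }
    DC = @{ Bit = 0x00002; Name = 'ChangeConfig' }
    LC = @{ Bit = 0x00004; Name = 'QueryStatus' }
    SW = @{ Bit = 0x00008; Name = 'EnumerateDependents' }
    RP = @{ Bit = 0x00010; Name = 'Start' }             # RP is SERVICE_START here, not "read"
    WP = @{ Bit = 0x00020; Name = 'Stop' }
    DT = @{ Bit = 0x00040; Name = 'PauseContinue' }
    LO = @{ Bit = 0x00080; Name = 'Interrogate' }
    CR = @{ Bit = 0x00100; Name = 'UserDefinedControl' }
    SD = @{ Bit = 0x10000; Name = 'Delete' }
    RC = @{ Bit = 0x20000; Name = 'ReadControl' }
    WD = @{ Bit = 0x40000; Name = 'WriteDac' }
    WO = @{ Bit = 0x80000; Name = 'WriteOwner' }
}

function ConvertFrom-ServiceDacl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep only the D: section; each ACE is (Type;Flags;Rights;ObjGuid;InhGuid;Trustee)
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*(?<aces>(?:\([^)]*\))+)').Groups['aces'].Value
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        $mask = 0; $names = @()
        for ($i = 0; $i -lt $f[2].Length; $i += 2) {
            $k = $f[2].Substring($i, 2)
            if ($ServiceRights.Contains($k)) { $mask = $mask -bor $ServiceRights[$k].Bit }
            else { $names += "unmapped:$k" }   # GA/GR/KA/FA are not service-specific bits
        }
        $names += @($ServiceRights.GetEnumerator() | Where-Object { $mask -band $_.Value.Bit } | ForEach-Object { $_.Value.Name })
        [pscustomobject]@{ Type = $f[0]; Trustee = $f[5]; Mask = '0x{0:X}' -f $mask; Rights = $names -join ',' }
    }
}

function New-ServiceQuerySdSet {
    # The sc.exe line that appends QueryConfig+QueryStatus+Interrogate (CC LC LO) for $Sid to the DACL
    param([string]$Service, [string]$Sddl, [string]$Sid)
    $new = $Sddl -replace '(D:[A-Z]*(?:\([^)]*\))*)', "`$1(A;;CCLCLO;;;$Sid)"
    "sc.exe sdset $Service $new"
}

# Constructed sample in the shape of `sc.exe sdshow` output; the SID is a placeholder.
$Sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceDacl $Sample | Format-Table -AutoSize
New-ServiceQuerySdSet -Service ReportServer -Sddl $Sample -Sid 'S-1-5-21-0-0-0-1001'
```

    The decoded table makes the remote-query symptom visible: the sample grants query rights to IU (INTERACTIVE), which a domain user connecting over WMI is not, so an explicit ACE for that user's SID is what the sdset line adds.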

All replies

  • No please ... 

    The two threads for me and if you please read _carefully and patiently_ you will see the difference...

    You graciously helped me in that thread and solved my problem... thanks :)

    But this one is different. Even after applying what is in the link you posted in the previous thread (and again, which solved my problem there), I now have a problem with -class Win32_Service.

    Please kindly read it again carefully, keeping in mind that I applied what you suggested in that thread.

    thanks again :)


    • Edited by Butmah Saturday, January 24, 2015 7:03 PM
    Saturday, January 24, 2015 7:02 PM
  • No please ... 

    The two threads for me and if you please read _carefully and patiently_ you will see the difference...

    You graciously helped me in that thread and solved my problem... thanks :)

    But this one is different. Even after applying what is in the link you posted in the previous thread (and again, which solved my problem there), I now have a problem with -class Win32_Service.

    Please kindly read it again carefully, keeping in mind that I applied what you suggested in that thread.

    thanks again :)


    Same question, same answer. You have to follow the instructions and set the security on the individual services. The links I posted explain how to do that. I noted that very clearly in your original thread. I posted two links. One tells how to adjust only scmanager and the second how to adjust the individual services. You MUST do both for most system services.

    The threads need to be merged because the questions are inseparable. That is why I posted both links.


    ¯\_(ツ)_/¯

    Saturday, January 24, 2015 7:25 PM
  • Rohn - That looks useful.

    ¯\_(ツ)_/¯

    Saturday, January 24, 2015 10:16 PM
  • Jrv, Rohn, and mjolinor thank you all,

    But please excuse my knowledge of this subject, and if you would be so kind as to write a command that I can execute in cmd that will give that RP (Read All Properties) to a certain domain user... just that simple :). Something like the following command that I took from one of the links jrv provided:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    I need it as a cmd command because I want to distribute it to all the machines that I need that domain user to have access to.

    Thanks again for all the information you gave, but I could not make it work for me. I'm totally new to this... excuse me please :)


    • Edited by Butmah Tuesday, January 27, 2015 5:35 AM
    Tuesday, January 27, 2015 5:34 AM
  • We cannot see your domain or system. Only you can write this command. Just follow the instructions. If we do it we will just give you the same instructions. Just do what the article says. Be sure to back up your system first.

    Please note that the security on every service can be different. You must follow the instructions to alter the SD by adding the missing pieces.


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, January 27, 2015 5:44 AM
    Tuesday, January 27, 2015 5:41 AM