How to manage services remotely

    Question

  • Hello,

    I've tried granting a user the right to start a single service on a Windows Server 2003 SP2 box using GPO and importing templates via the SCM.  Either way I do it, when attempting to manage the service on the box, I receive the error below.


    Unable to open service control manager database
    Access Denied

    Any help would be appreciated.

    Thanks
     
    Friday, August 15, 2008 7:51 PM

Answers

  • Hello,
     
    This may be a known issue. Please follow the steps in the following Microsoft KB article and check if the issue still exists.
     
    Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;907460
     
    By granting the rights to service control manager to the specific user who can connect to DC and view services, the user should manage the specific service remotely.
     
    Hope it helps.

    David Shen - MSFT
    • Marked as answer by David Shen Thursday, August 21, 2008 5:52 AM
    Monday, August 18, 2008 9:14 AM
  • Hi,
     
    Thanks for the reply.
     
    Assuming that you encountered the error message when you attempted to access and view any of the services on the Windows 2003 server remotely with a non-administrative user on a client.
     
    Cause:
     
    By default non-administrators do not have permissions to remotely view and change a service in a startup mode on the server.
     
    Solution 1.
     
    Please put the user account in the built-in administrators group on the target server. This is a simple solution to resolve the issue.
     
    Solution 2.
     
    Set a new Group Policy to grant the user the proper permission to access and view the service.
     
    Please perform the following steps on the domain controller.
     
    1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
     
    2. Find and locate the organizational unit which contains the user, right-click it, and click Properties.
     
    3. Click the Group Policy tab, and then click New. Type a name for the new Group Policy object (for example, use the name of the organizational unit for which it is implemented), and then press ENTER.
     
    4. Click the new Group Policy object in the Group Policy Objects Links list (if it is not already selected), and then click Edit.
     
    5. Expand Computer Configuration -> Windows Settings -> Security Settings -> System Services
     
    6. In the right pane, double-click the target service to which you want to apply permissions. The security policy setting for that specific service is displayed.
     
    7. Click to select the "Define this policy setting" checkbox.
     
    8. Click "Edit Security"
     
    9. Add the user account that you want to access the service remotely, grant it "Start, stop and pause" and "Read" permissions, and then click OK.
     
    10. Under "Select service startup mode", click "Automatic" startup mode option, and then click OK.
     
    11. Close the Group Policy Object Editor, click OK, and then close the Active Directory Users and Computers tool.
     
    12. Please run "gpupdate /force" on both the DC and the client to make the GPO settings come into effect.
     
    13. Reset the problematic client and then check if the issue can be resolved.
     
    Hope it helps.

    David Shen - MSFT
    • Edited by David Shen Tuesday, August 19, 2008 6:53 AM modify
    • Marked as answer by David Shen Thursday, August 21, 2008 5:52 AM
    Tuesday, August 19, 2008 6:42 AM
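
To confirm what the Group Policy delegation in Solution 2 actually placed on the service, read the service's security descriptor with `sc sdshow` and check that the delegated account holds no rights beyond start, stop, pause and read. The PowerShell below is an added example, not part of the original thread; the function name `Get-ServiceDaclEntry` is hypothetical, and the sample SDDL string and both `S-1-5-21-...` SIDs are constructed.

```powershell
# Service-specific meaning of the two-letter SDDL access-right codes.
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'
    SW = 'EnumerateDependents'; RP = 'Start'; WP = 'Stop'
    DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
}
# Rights that allow reconfiguring or deleting the service or rewriting its
# permissions (GA/GW are generic rights that include ChangeConfig).
$Dangerous = 'DC', 'SD', 'WD', 'WO', 'GA', 'GW'

function Get-ServiceDaclEntry {
    param([Parameter(Mandatory)][string]$Sddl)
    # Isolate the DACL: drop owner/group before "D:" and any SACL ("S:...") after it.
    $dacl = ($Sddl -creplace '^.*?D:', '') -creplace 'S:[A-Z]*\(.*$', ''
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        # Assumes letter-coded rights as sc.exe prints them; hex masks are not decoded.
        $codes = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Trustee   = $f[5]
            AceType   = $f[0]
            Rights    = @($codes | ForEach-Object {
                            if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ } })
            # Allow ACE for a trustee other than SYSTEM (SY) or Administrators (BA)
            # that carries any configuration- or permission-changing right.
            Excessive = ($f[0] -eq 'A' -and $f[5] -notin 'SY', 'BA' -and
                         @($codes | Where-Object { $_ -in $Dangerous }).Count -gt 0)
        }
    }
}

# Constructed sample in the format printed by: sc.exe \\SERVER sdshow <ServiceName>
# (SERVER and <ServiceName> are placeholders; the SIDs are made up.)
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1106)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Get-ServiceDaclEntry -Sddl $sample | Format-Table Trustee, Excessive, Rights -AutoSize
```

Run it from an administrative workstation with PowerShell 3.0 or later, replacing `$sample` with the string returned by `sc.exe sdshow` for the delegated service.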

All replies

  • Hi David,

    Thank you for the tip, that seems to have resolved one problem, but presented a different one.  I can now view the services on the server.  If I try to open any of the services, including the one I granted access to, I receive the error below.  Again, any help would be appreciated.

    Configuration Manager: Access Denied.

    Thank you

    Monday, August 18, 2008 12:55 PM
  • Here are two good articles on granting access to SCManager remotely.

    Configuration Manager Access Denied and Win32 Access Denied Errors
    http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Configuration%20Manager%20Access%20Denied%20and%20Win32%20Access%20Denied%20Errors.aspx

    How to troubleshoot access to the SC Manager and other Object Access
    http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20troubleshoot%20access%20to%20the%20SC%20Manager%20and%20other%20Object%20Access.aspx

    Thursday, June 04, 2009 2:06 AM
  • I hate to (possibly) revive an old thread like this, but there are so many people trying to solve the same problem... for years. I've created a tool that lets you easily delegate access to manage Windows services using a central, role based web console. It's called System Frontier. Giving non-admin users rights to start and/or stop services is very simple and you can even be very granular as to which services they can manage and on what servers. With dynamic containers of servers, you can set it and forget it. Check out all the details and let me know what you think: www.systemfrontier.com
    Tuesday, December 11, 2012 4:53 AM