我的老板已经让我在 XXX-100 服务器(Windows 2003~2012)上为大约 5 种不同的服务授予访问权限。
我已尝试在每项服务上设置 SDDL(已在我自己的帐户上用 BITS 服务测试过),但即使我为自己的帐户设置了访问权限也不行。示例命令:
sc sdset BITS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)(A;;**[startStopListSettings]**;;;**MY-SID**)S:
(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
即使我创建了这个新条目,我也无法以非管理员用户的身份从另一台计算机上用 SC 启动/停止该服务。
我还需要做些什么才能允许非管理员用户在远程计算机上启动服务?有人有解决方案吗?谢谢。
好的,我想出了如何编辑服务权限,为此写了 get / add / remove 三个函数:
#Requires -version 3
#####################
# Code info : Set service rights on remote computers. With this script you can set rights on a service on many computers by modifying its SDDL remotely.
# You need - the service name - the SID of the object you want to add/remove access for - the computer name(s)
# V : 1.3.2.0
# D : 01-06-2017
# Author : stackoverflow.com - gsky
# INFO : All credits go to the author of this script. No changes without confirmation
# Compatibility : PowerShell 3 and up (.NET 3.5 and up)
# Supported : From Windows 2003 to 2016
# keywords : Windows, Wintel, Service, Remote, Add Rights, Remove Rights
#####################
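function Get-MGServiceRights
{
<#
.SYNOPSIS
Reads the security descriptor (SDDL) of a service on one or more (remote) computers.
.DESCRIPTION
Runs `sc.exe \\<computer> sdshow <service>` once per computer and returns one object
per computer with the SDDL string in the Acl property. When sc.exe fails, Acl holds the
error text prefixed with "GET: " instead (the Add/Remove functions test for "*Failed*").
sc.exe authenticates to the remote Service Control Manager with the caller's own token,
so the caller needs connect access on the target SCM and read access on the service.
.PARAMETER computername
One or more computer names; each is passed to sc.exe as \\<name>.
.PARAMETER ServiceName
Service (key) name, e.g. BITS.
.OUTPUTS
PSCustomObject with Computer, ServiceName and Acl.
.EXAMPLE
Get-MGServiceRights -computerName testComputer123 -ServiceName BITS
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[ValidateNotNullOrEmpty()]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[ValidateNotNullOrEmpty()]
[string]$ServiceName
)
foreach ($computer in $computerName)
{
$result = [pscustomobject][ordered]@{
Computer    = $computer
ServiceName = $ServiceName
Acl         = $null
}
# Arguments are passed as separate tokens, so a name containing spaces or shell
# metacharacters is never re-parsed by a shell.
[string[]]$scOutput = & 'sc.exe' "\\$computer" 'sdshow' $ServiceName
$lines = @($scOutput | Where-Object { $_ -ne '' })
# sc.exe prints failures as "[SC] OpenService FAILED <code>:" followed by the message.
# The exit code is checked too, so an unexpected message is not mistaken for an SDDL.
if ($LASTEXITCODE -ne 0 -or ($lines.Count -gt 0 -and $lines[0] -like '*FAILED *'))
{
# Join the lines with a space (the original concatenated them with no separator,
# producing "FAILED 5:Access is denied.") and strip the "[SC] OpenXxx " prefix.
$result.Acl = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'GET: '
}
else
{
# Non-empty output lines; a single line (the normal case) unrolls to a plain string.
$result.Acl = $scOutput | Where-Object { $_ -ne '' }
}
$result
}
}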
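function Add-MGServiceRights
{<#
.SYNOPSIS
Grants a SID rights on a service by appending an Allow ACE to the service's SDDL.
.DESCRIPTION
For each computer: reads the current SDDL with Get-MGServiceRights, appends
(A;;<rights>;;;<SID>) to the DACL - just before the "S:" SACL section when one exists,
otherwise at the end of the string - and writes it back with `sc.exe sdset`.
Nothing is written when an identical ACE is already present. An existing ACE for the
same SID with different rights is NOT replaced: the new Allow ACE is added next to it
and the granted rights accumulate.
This only edits the service's own security descriptor. A remote, non-admin caller also
needs connect access on the target's Service Control Manager (see `sc sdshow scmanager`),
which this function does not change.
.PARAMETER computername
One or more computer names.
.PARAMETER ServiceName
Service (key) name.
.PARAMETER objectSID
SID of the principal to grant (e.g. S-1-5-21-...-1234). Two-letter aliases such as BA
or SY are not accepted; pass the S-1-... form.
.PARAMETER ACL
Rights level: Read (query status only), Control (query + start/stop/pause/continue),
FullControl. Caution: FullControl contains DC (SERVICE_CHANGE_CONFIG) and WD/WO
(WRITE_DAC / WRITE_OWNER). A principal with DC can change the service's binary path and
so run code as the service account; grant it only to administrators. For "let a
non-admin start/stop the service", Control is the least-privilege choice.
.EXAMPLE
Add-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000 -ACL FullControl
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[string]$ServiceName,
[parameter(Mandatory = $true,
Position = 2)]
[system.Security.Principal.SecurityIdentifier]$objectSID,
[parameter(Mandatory = $true,
Position = 3)]
[System.Management.Automation.ValidateSetAttribute("Control", "Read", "FullControl")]
[string]$ACL = "Control"
)
begin
{
# Local elevation gives sc.exe an unfiltered token. It does not by itself grant anything
# on the remote machine: sc.exe presents the caller's token there and reports
# "Access is denied" if that account is not an administrator of the target.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
{
throw "Script Requires ELEVATION!. Run console as an Administrator"
}
# Standard SDDL service-access abbreviations (see the ACL parameter help).
$permissions = switch ($ACL)
{
'Read'        { 'CCLCSWLOCRRC' }
'FullControl' { 'CCDCLCSWRPWPDTLOCRSDRCWDWO' }
default       { 'CCLCSWRPWPDTLOCRRC' }
}
$newAce = "(A;;$permissions;;;$($objectSID.Value))".ToUpper()
}
process
{
foreach ($computer in $computerName)
{
$result = [pscustomobject][ordered]@{
Computer        = $computer
Account         = $objectSID
ServiceName     = $ServiceName
CommandResponse = $null
}
try
{
$current = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl
}
catch
{
# Report the failure for this computer and carry on with the next one
# instead of silently abandoning the rest of the list.
$result.CommandResponse = "ADD: $($_.Exception.Message)"
$result
continue
}
if ($current -like '*Failed*')
{
$result.CommandResponse = "ADD: $current"
}
elseif ($current -like "*$newAce*")
{
$result.CommandResponse = 'ADD: Object already exists with same level of rights.'
}
else
{
[string]$sddl = @($current) -join ''
$saclStart = $sddl.IndexOf('S:')
if ($saclStart -ge 0)
{
# Keep the new ACE inside the DACL by inserting it right before the SACL section.
$sddl = $sddl.Insert($saclStart, $newAce)
}
else
{
# No SACL section (common when no auditing is configured). The original
# `-replace 'S:'` matched nothing here, wrote the unchanged SDDL back and
# reported SUCCESS without granting anything.
$sddl += $newAce
}
[string[]]$scOutput = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $sddl
$lines = @($scOutput | Where-Object { $_ -ne '' })
if ($LASTEXITCODE -ne 0 -or ($lines.Count -gt 0 -and $lines[0] -like '*FAILED *'))
{
$result.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'ADD: '
}
else
{
# e.g. "ADD: SetServiceObjectSecurity SUCCESS"
$result.CommandResponse = ($lines -join ' ') -replace '\[SC\]', 'ADD:'
}
}
$result
}
}
}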
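function Remove-MGServiceRights
{<#
.SYNOPSIS
Removes every ACE for a SID from a service's security descriptor.
.DESCRIPTION
For each computer: reads the current SDDL with Get-MGServiceRights, drops each ACE whose
trustee field is exactly the given SID (DACL and SACL alike) and writes the result back
with `sc.exe sdset`. The "D:" / "S:" section markers are preserved even when the removed
ACE is the first one in its section.
ACEs that sc.exe prints with a two-letter alias (BA, SY, IU, SU, WD, ...) are not matched,
because the comparison is against the literal S-1-... string.
Removing the last ACE of the DACL leaves an empty DACL ("D:"), which denies all access to
the service - inspect the descriptor with Get-MGServiceRights before removing.
.PARAMETER computername
One or more computer names.
.PARAMETER ServiceName
Service (key) name.
.PARAMETER objectSID
SID of the principal whose ACEs are removed (e.g. S-1-5-21-...-1234).
.EXAMPLE
Remove-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[string]$ServiceName,
[parameter(Mandatory = $true,
Position = 2)]
[system.Security.Principal.SecurityIdentifier]$objectSID
)
begin
{
# Local elevation gives sc.exe an unfiltered token; the remote SCM still authorises the
# caller's own account, so this check does not replace admin rights on the target.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
{
throw "Script Requires ELEVATION!. Run console as an Administrator"
}
$sid = $objectSID.Value
}
process
{
foreach ($computer in $computerName)
{
$result = [pscustomobject][ordered]@{
Computer        = $computer
Account         = $objectSID
ServiceName     = $ServiceName
CommandResponse = $null
}
try
{
$current = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl
}
catch
{
# Report the failure for this computer and carry on with the next one.
$result.CommandResponse = "REMOVE: $($_.Exception.Message)"
$result
continue
}
if ($current -like '*Failed*')
{
$result.CommandResponse = "REMOVE: $current"
}
else
{
# Rebuilt per computer: the original accumulated the filtered SDDL in a variable
# that was never reset, so the second computer in the list was sent the first
# computer's descriptor concatenated with its own.
[string]$sddl = @($current) -join ''
# An ACE is "(type;flags;rights;objguid;inhguid;trustee)". Match the trustee field
# exactly so that removing S-...-1001 does not also strip S-...-10011 (the original
# "*SID*" substring test did), and match whole ACEs so the section markers survive.
$targets = @([regex]::Matches($sddl, '\([^()]*\)') | Where-Object { $_.Value -like "*;$sid)" })
if ($targets.Count -eq 0)
{
$result.CommandResponse = 'REMOVE: Object Not Found'
}
else
{
foreach ($ace in $targets)
{
$sddl = $sddl.Replace($ace.Value, '')
}
[string[]]$scOutput = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $sddl
$lines = @($scOutput | Where-Object { $_ -ne '' })
if ($LASTEXITCODE -ne 0 -or ($lines.Count -gt 0 -and $lines[0] -like '*FAILED *'))
{
$result.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'REMOVE: '
}
else
{
$result.CommandResponse = ($lines -join ' ') -replace '\[SC\]', 'REMOVE:'
}
}
}
$result
}
}
}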