I'm using VB6 and using ADSI to query for the status (running or not) of a Windows Service. See this MS article: http://msdn.microsoft.com/en-us/library/aa746322(v=vs.85).aspx.
With a user who is a member of the USERS group, I'm receiving a thrown exception. I believe it's on the GetObject method:
Set comp = GetObject("WinNT://.,Computer")
The exception is: 80070005 "General access denied error"
Running the same code as a member of POWER USERS, however, works just fine.
Elevating all users to Power users isn't an option. What exact rights do I need to have granted in order for this function to run successfully?
I've tried running procmon.exe, and wasn't able to determine from the output as to what or where a denial is occurring.
Thanks!
Edit: This is running on XP sp2.
Sounds like you're running into a UAC barrier. I'm not familiar with IADsService, but it is hardly necessary in determining if a Windows service is running. Have you considered using API functions to query your service? Try QueryServiceStatus on a service opened with SERVICE_QUERY_STATUS.
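The approach this answer suggests, as an added PowerShell example that is not part of the original post: it opens the service control manager with only SC_MANAGER_CONNECT and the service with only SERVICE_QUERY_STATUS, then reads the state. `Test-ServiceRunning`, the `Demo.Scm` type name and the sample service name are assumptions made for the illustration.

```powershell
# Added illustration; assumes PowerShell 2.0+ on Windows. "MSMQ" is a sample name.
Add-Type -Namespace Demo -Name Scm -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SERVICE_STATUS {
    public uint dwServiceType, dwCurrentState, dwControlsAccepted,
                dwWin32ExitCode, dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint;
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManager(IntPtr machine, IntPtr database, uint access);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenService(IntPtr scm, string name, uint access);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool QueryServiceStatus(IntPtr service, out SERVICE_STATUS status);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr handle);
'@

function Test-ServiceRunning {
    param([Parameter(Mandatory = $true)][string]$Name)

    $SC_MANAGER_CONNECT   = 0x0001   # connect to the SCM, nothing more
    $SERVICE_QUERY_STATUS = 0x0004   # the only right QueryServiceStatus needs
    $SERVICE_RUNNING      = 4

    # NULL machine and database select the local SCM and the active database.
    $scm = [Demo.Scm]::OpenSCManager([IntPtr]::Zero, [IntPtr]::Zero, $SC_MANAGER_CONNECT)
    if ($scm -eq [IntPtr]::Zero) { throw (New-Object System.ComponentModel.Win32Exception) }
    try {
        $svc = [Demo.Scm]::OpenService($scm, $Name, $SERVICE_QUERY_STATUS)
        if ($svc -eq [IntPtr]::Zero) { throw (New-Object System.ComponentModel.Win32Exception) }
        try {
            $status = New-Object 'Demo.Scm+SERVICE_STATUS'
            if (-not [Demo.Scm]::QueryServiceStatus($svc, [ref]$status)) {
                throw (New-Object System.ComponentModel.Win32Exception)
            }
            return ($status.dwCurrentState -eq $SERVICE_RUNNING)
        } finally { [void][Demo.Scm]::CloseServiceHandle($svc) }
    } finally { [void][Demo.Scm]::CloseServiceHandle($scm) }
}

Test-ServiceRunning -Name 'MSMQ'
```

An access-denied failure surfaces as a Win32Exception from whichever open call the account is not permitted to make, which shows which of the two rights is missing.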
There is no need for heavyweight administrative services or API calls. The Shell Automation interface has offered this for some time (Win2K or later, Shell32.dll v. 5.0 or later):
With CreateObject("Shell.Application")
    MsgBox .IsServiceRunning("MSMQ")
End With
Works fine for me without elevation.
Related
We have a process which needs to work with a series of Excel (sigh) files.
The setup is:
SQL agent job run as a SSIS proxy account.
Calls SSIS package on a share on the server.
Which then starts accessing these excel files using the ACE driver.
The process will work under my credentials.
The process will work under other people's credentials.
The process will work in debug mode (although this is not a fair test as that would use my local machine's driver)
The process will not work using the SSIS proxy account.
The process WILL work if I make the SSIS proxy account an administrator on the server.
I have ruled out the following:
access to the files share. The account can load text files from there.
32bit/64bit issues. The account CAN run given sufficient permissions.
My opinion is that the service account needs some sort of level of permission to be able to use the driver. I can't work out what though.
I have tried LOCAL SECURITY POLICY option "Load and unload device drivers" with no success. (I did think this had done it, but then realised that I had left the account in the admin group :-( )
Finally, the error message in question:
SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER.
The AcquireConnection method call to the connection manager
"TPR_ReadReportsExcelConnection" failed with error code 0xC0202009.
There may be error messages posted before this with more information
on why the AcquireConnection method call failed.
This seems to be beyond the supported scope depending on how you've set up your SSIS proxy account. See Additional Information section here. Not enough points to post an image so here is the important sentence:
provided the SSIS jobs run in the context of a logged-on user with a valid HKEY_CURRENT_USER registry hive
Folks,
I've got a strange issue at the moment with a visual studio 2010 built MSI...
When I run the msi, it performs a few tasks, then executes a tool we built - this tool then carries out some more advanced work we couldn't do within a custom task.
The issue here is that when the msi starts my custom built tool, it doesn't execute it with the same credentials as I start the MSI with (i.e. my administrative login).
Is there a parameter I can pass to an MSI to enforce this? Or perhaps I can pass the credentials to the process when I start it?
My process is started using Process process = Process.Start(procInfo) nothing fancy. I've also noted the ability to pass in a parameterised username/password/domain, but this will vary depending on the user who is installing - can this be extracted from the installer somehow?
Any help (or questions) welcomed.
Dave
EDIT: for clarity... I'm running the MSI under my domain account, and I want my custom process to run under that 'context'. At present, it starts (regardless of whether I start as administrator or not) under the SYSTEM account (rather than mydomain\me). I'm using Windows Server DataCenter edition if that helps...
I should also add, I think this is a policy issue, but I've no idea what to check/where to check...
By default Windows Installer runs custom actions as the current user. If the MSI is elevated, custom actions will run as the elevated user.
Please note that if you are running the MSI as an Administrator, it doesn't mean your custom actions will have full Administrator privileges. On Vista or higher any user can gain Administrator privileges through elevation.
So if your custom actions need Administrator privileges, make sure they use the msidbCustomActionTypeNoImpersonate flag so they run under the local system account.
If this is not the problem and you just need access to the current user data, can you please give me more details?
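A way to see which context each custom action in a package is authored for, as an added PowerShell example that is not part of the original answer: it reads the CustomAction table and decodes the msidbCustomActionTypeInScript and msidbCustomActionTypeNoImpersonate bits. The function name, the helper `Invoke-Com` and the sample path are assumptions.

```powershell
# Added illustration; assumes Windows with the WindowsInstaller.Installer COM object.
function Get-MsiCustomActionContext {
    param([Parameter(Mandatory = $true)][string]$MsiPath)

    $InScript      = 0x400   # msidbCustomActionTypeInScript (deferred execution)
    $NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate

    # The Installer object is late-bound, so its members are reached via InvokeMember.
    function Invoke-Com($Object, $Member, $Kind, $Arguments) {
        $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
    }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $fullPath  = (Resolve-Path -LiteralPath $MsiPath).ProviderPath
    $db   = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)   # 0 = read-only
    # OpenView throws if the package has no CustomAction table.
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type` FROM `CustomAction`')
    [void](Invoke-Com $view 'Execute' 'InvokeMethod' $null)

    while ($record = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        $action   = Invoke-Com $record 'StringData'  'GetProperty' @(1)
        $type     = Invoke-Com $record 'IntegerData' 'GetProperty' @(2)
        $deferred = ($type -band $InScript) -ne 0
        $noImp    = ($type -band $NoImpersonate) -ne 0

        # NoImpersonate only has an effect on deferred (in-script) actions.
        $context = if (-not $deferred) { 'immediate: runs as the installing user' }
                   elseif ($noImp)     { 'deferred: system context, no impersonation' }
                   else                { 'deferred: impersonates the installing user' }

        New-Object PSObject -Property @{
            Action  = $action
            Type    = ('0x{0:X}' -f $type)
            Context = $context
        }
    }
    [void](Invoke-Com $view 'Close' 'InvokeMethod' $null)
}

# Placeholder path; point it at the package to inspect.
Get-MsiCustomActionContext -MsiPath '.\Setup.msi' | Format-Table Action, Type, Context -AutoSize
```

Any row reported as running in the system context launches its child processes as SYSTEM too, so those are the actions to review before shipping the package.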
I am trying to use the ColdFusion administrator to schedule a task. It is returning an error which says that there are not enough permissions to execute the task.
I can successfully execute the cfm file in IE, so it's not an error with the actual file.
So from what I've read about this, it appears to be an IIS problem. Do I need to change IIS_WPG permissions on the scheduled tasks folder?
I'm wondering what permissions I need to change to be able to execute scheduled tasks. Also would be interested in best security practices.
Although I was not initially aware of this, I found out that windows integrated authentication was turned on.
I had the server admin set the IIS security on folder to anonymous access which contained the tasks. This fixed the problem.
I wrote a Windows Service using VS 2005 and C# on WinXP Pro SP3. It starts another program which runs to completion and then exits.
The service is installed using installutil and serviceInstaller. It is built release and put into the C:\Program Files\MyService directory. The serviceProcessInstaller Account is set to LocalSystem in its Properties.
If I set the Log On to Local system I get an 'Access Denied' error (using a try-catch block), but if I set the Log On to my account with the correct password, it runs perfectly.
What am I doing wrong? Any suggestions will be very welcome.
It will be useful to know where the access denied error comes from. Since you say it is from a try/catch block, I assume it is your code that handles it. That would mean that your service is starting just fine, but has problems doing its job.
It could be environment related problem, since the environment for LocalSystem is different than your user account. Also, it could be that the program it starts is not executing properly and it is returning the error.
Without more info, it is just speculation. What is that other program doing? Where is the error occurring? Why don't you debug it and find which part returns the access denied error?
Agreed, it should be on SO. That aside, check your file/folder permissions and ensure System does in fact have the necessary rights. Do the same for the registry keys. The System event log should give you some clues.
Both answers: thanks for the help.
The error occurs at the Process.Start() call.
The file and directory security shows Everyone has full access to the directories and the executable.
FOUND IT! I had added a user name and password to the ProcessStartInfo object, thinking that it would be useful when the target program tries to get to the database. Oops! When I took that stuff out, the target runs just like it should.
Thanks again to all who replied. Mea Culpa!
To debug some code, I would like to view the Windows event log of a remote machine (target is Windows 2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?
On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.
Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
This source also describes an alternative if you need more fine-grained control.
(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)
For the security log, users need the privilege "Manage auditing and security log"
For the system and application logs you should be able to read them as just a guest unless they have set the RestrictGuestAccess value under the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
One Option is to get a local ID that is on the remote local admin group.
Next, from your system, map to a drive on the remote server using the new remote local ID.
Create a new MMC from the Windows Run start menu - by typing in MMC /a
Add the EventView Snap-in
When it prompts you for local or remote server - put in the Host name of the server that you mapped to.
Tip: Windows uses established secure connection - if it can. Hence the map a drive trick works VERY well.
Please Note: I use this trick with WMI query(s) - hence the query never fails due to a timeout issue.
Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.
Please add the domain user (without admin rights) to the "Event Log Readers" group on the target server. Then, from the source server, you can use the standard user credentials to access and read the event logs on the target.
If you could enable web access to the server then you could use an eventlog viewer page that I published a while ago. This would allow the administrators to run the website with just enough permissions to see the eventlog without granting you an account to login...