
Before I get shot down, I know how to schedule a task, restart a service with powershell or give a non-admin account the privileges to restart a service. That isn't the problem. The problem however is the combination of all these three tasks combined.

I have a windows service that needs to process files on a network folder. Therefore it logs on with a "service account" that is actually just a regular domain account. This domain account is not an administrator but has access rights to said folder. The service runs fine and does its job.

However, sometimes there is an error in one of the files that prevents other files from being processed. Usually it takes a while for someone to notice and there's some backlog.

So, I created a monitoring script in powershell that polls the network folder for these erroneous files. If they are found, the files are moved to a temporary folder for review and the service needs to be restarted.

I gave the service account privileges through group policy to start and stop the service.


When I logon to the server with the service account, I am able to restart the service manually using the Services MMC. I am also able to execute the powershell script and it does exactly what it's supposed to do: poll the folder, move the files and restart the service. Great!

In the next phase, I created a scheduled task that runs every 10 minutes. The task uses the same service account as the service to execute the powershell script. The box "execute with the highest privileges" is checked. Like I said, the powershell script needs access to the network drive, so I can't run it as the local server admin and I don't want to use domain admin credentials for such a menial task like this. (I try to implement the principle of least privilege as much as I can.)

I gave the service account the "logon as batch job" rights on the local server using the Local Security Policy MMC.

Now for the part that I can't figure out: At the scheduled time the scheduled tasks completes successfully and the powershell script is being executed. The script polls the folder and the error files are moved. The only thing that doesn't work is restarting the service...?! Again, running the script manually as the same user worked perfectly.

I don't see much in the event viewer, but the logging on my script states this error:

TerminatingError(Stop-Service): "Cannot open Service Control Manager on computer '.'. This operation might require other privileges."

The commands I use to restart the service are:

Stop-Service -Verbose -DisplayName $($service[1])
...
Start-Service -Verbose -DisplayName $($service[1])

(I am using windows server 2012 R2 and powershell version 4 on a 2008 R2 Domain.)

Update: I both tried setting the service permissions for the user using subinacl (as described here) and setting the SDDL string manually (as described here), so my control flags look like this (A;;CCLCSWRPWPDTLOCRRC;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX). I also tried setting the privileges on the service to Full Control in the GPO. None of these resolved the issue either. It must be an issue with privileges somewhere that I am still overlooking, because when I schedule the task with a domain account that is a local admin on the server, it works just fine.

VolrathTheFallen
  • This might be of some help http://serverfault.com/questions/357424/how-do-i-grant-permissions-to-remotely-start-stop-a-service-using-powershell/357753#357753 it seems powershell is very picky about permissions and not the obvious ones – Drifter104 Dec 29 '16 at 13:45
  • http://stackoverflow.com/questions/4436558/start-stop-a-windows-service-from-a-non-administrator-user-account – myron-semack Dec 29 '16 at 13:47
  • @Drifter104: Even though I use GPO to set the permissions on the service, not subinacl, I gave it a try anyway with the STOE parameters, but still seeing the same result. Double-checked my GPO settings and they have the Enumerate Dependent Services option enabled as well. – VolrathTheFallen Dec 29 '16 at 14:45
  • @MyronSemack-msemack I tried setting the SDDL string for the service manually like described in the article, but still no luck. I think ultimately a GPO and subinacl do the same thing, as they seem to override one another. – VolrathTheFallen Dec 30 '16 at 08:55
  • Do you get more information if you use the `-Debug` parameter when executing the `Stop-Service` CmdLet? – John K. N. Dec 30 '16 at 09:35
  • @hot2use like this `Stop-Service -Debug -Verbose -DisplayName "ServiceName"`? Then no... – VolrathTheFallen Dec 30 '16 at 09:52
  • How about trying `Set-Service $($service[1]) -status stopped -ComputerName . -Verbose ....` instead of the `Stop-Service` CmdLet? Stop-Service and Start-Service are apparently not remote-able according to this answer: [Can't use Get-Service –ComputerName on remote computer](http://stackoverflow.com/a/10748844/1820861) and your error message might be related to trying to connect to a "remote" localhost '.' (<== that's a dot there.) – John K. N. Dec 30 '16 at 10:15
  • @hot2use still no dice, although I am getting a different error now. `Performing the operation "Set-Service" on target "NameOfService". Set-Service : Service 'NameOfService' cannot be configured due to the following error: Access is denied At C:\NameOfScript.ps1:38 char:9 + Set-Service $($service[1]) -status stopped -ComputerName . -Verbose` – VolrathTheFallen Dec 30 '16 at 11:05
  • A bit far fetched now, but does the service account you are using have the permissions to `logon as a service` in the local security policy (secpol.msc)? – John K. N. Dec 30 '16 at 11:52
  • @hot2use Yes, it does. – VolrathTheFallen Dec 30 '16 at 11:53

1 Answer


The answer to another question resolved my issue as well.

The steps I did were:

  1. `enable-psremoting` on the server in an admin powershell prompt
  2. `Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI` on the server in an admin powershell prompt
  3. Added the service account (or security group) with full privileges
  4. `sc sdshow scmanager` on the server in an admin command prompt
  5. Copy the SDDL output
  6. Add `(A;;KA;;;SID_OF_USER_OR_SECURITY_GROUP)` to the SDDL before the `S:` part
  7. `sc sdset scmanager THE_MODIFIED_SDDL`; mine looked like this: `sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;KA;;;S-1-X-XX-XXXXXXXXXX-XXXXXXXX-XXXXXXXXX-XXXX)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)`
  8. Change my powershell script so it makes use of the `Start-Service` CmdLet instead of `Set-Service` (`Set-Service` did not work).

Looks like something simple turned out way, WAY more complicated than it should have been...

VolrathTheFallen
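Steps 4 to 7 of the answer (read the SCM security descriptor, insert an allow ACE before the `S:` part, write it back) as a script. This is an added example, not code from the question or the answer; it assumes an elevated prompt on the server, that `sc.exe` is on the PATH, and a placeholder account name. `KA` is the mask the answer used; it is full control of the Service Control Manager (it includes the right to create services), so it is worth checking whether a narrower mask is enough in your own environment before applying it.

```powershell
# Added example (not from the original post): automate the answer's SCM SDDL edit.
function Add-SddlAllowAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,   # output of: sc.exe sdshow scmanager
        [Parameter(Mandatory = $true)][string]$Sid,    # SID of the service account or group
        [string]$Rights = 'KA'                         # the answer used KA (full SCM control)
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }
    # Do not stack duplicate entries if the SID already has an ACE in the DACL
    if ($Sddl -match [regex]::Escape(";;;$Sid)")) { return $Sddl }
    $ace = "(A;;$Rights;;;$Sid)"
    # Insert before the SACL ('S:') as the answer does; append if there is no SACL part
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -ge 0) { $new = $Sddl.Insert($saclStart, $ace) }
    else                  { $new = $Sddl + $ace }
    # Parse the result: the constructor throws on malformed SDDL before anything is applied
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new
    return $new
}

function Grant-ScmAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [switch]$Apply      # without -Apply the new SDDL is only returned, not written
    )
    # sc.exe prints a blank line followed by the SDDL on a single line
    $line = sc.exe sdshow scmanager | Where-Object { $_.Trim() -like 'D:*' } | Select-Object -First 1
    if (-not $line) { throw 'Could not read the SCM security descriptor (elevated prompt?)' }
    $current = $line.Trim()
    $new = Add-SddlAllowAce -Sddl $current -Sid $Sid
    if ($new -eq $current) { Write-Verbose 'SID already present; nothing to do'; return $current }
    if ($Apply) {
        sc.exe sdset scmanager $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    }
    return $new
}

# Usage: resolve the account to its SID ('DOMAIN\svc_account' is a placeholder),
# preview the new descriptor first, then apply it.
$account = New-Object System.Security.Principal.NTAccount 'DOMAIN\svc_account'
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
Grant-ScmAccess -Sid $sid            # preview only
# Grant-ScmAccess -Sid $sid -Apply   # write the modified SDDL with sc sdset
```

Keep a copy of the original `sc sdshow scmanager` output so the descriptor can be restored with `sc sdset` if the change does not have the intended effect.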