Remotely starting a service on Windows 2003~2012
Tags: windows, service, windows-services

My boss asked me to grant access to ~5 different services on XXX hundred servers (2003~2012). I have already tried setting an SDDL on each service (I tested it with the BITS service for my specific account), and I have even set access rights for my account. Example command:
sc sdset BITS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)(A;;**[startStopListSettings]**;;;**MY-SID**)S:
(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Even though I created this new entry, I still cannot start/stop the service with SC from another computer as a non-admin user.
What else do I need to do to allow a non-admin user to start a service on a remote computer?
Does anyone have a solution?
Thanks.

OK, I figured out how to edit the service permissions. I created three functions, get/add/remove:
#Requires -version 3
#####################
# Code info : Set service rights on remote computers. With this script you can set rights on a service on many computers by modifying the SDDL remotely.
# You need - service name - SID of the object you want to add/remove access for - computer name(s)
# V : 1.3.2.0
# D : 01-06-2017
# Author : stackoverflow.com - gsky
# INFO : All credits go to the author of this script. No changes without confirmation
# Compatibility : PowerShell 3 and up (.NET 3.5 and up)
# Supported : From Windows 2003 to 2016
# Keywords : Windows, Wintel, Service, Remote, Add Rights, Remove Rights
#####################
function Get-MGServiceRights
{
<#
.DESCRIPTION
Gets Service rights from (remote)Computer(s)
.PARAMETER computername
Specifies the computername.
.PARAMETER ServiceName
Specifies the Service Name
.EXAMPLE
Get-MGServiceRights -computerName testComputer123 -ServiceName BITS
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[string]$ServiceName
)
foreach ($computer in $computerName)
{
$msgError = $null
$Output = [pscustomobject][ordered]@{
Computer = $computer
ServiceName = $ServiceName
Acl = $null
}
$SC_CMD = 'sc.exe'
$arg1 = "\\$computer"
$arg2 = 'sdshow'
$arg3 = "$ServiceName"
[string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3
if ($queryResult[0] -like "*FAILED *")
{
for ($i = 0; $i -lt $queryResult.count; $i++)
{
$msgError += $queryResult[$i] | ? -filter { $_ -ne '' }
}
$Output.acl = $msgError -replace '\[SC\]\sOpenS.[A-Za-z]*\s', "GET: "
}
else
{
# Success: sc sdshow prints the SDDL on one non-empty line; drop the blank lines around it.
$Output.acl = (($queryResult | Where-Object { $_ -ne '' }) -join '').Trim()
}
$Output
}
}
function Add-MGServiceRights
{
<#
.DESCRIPTION
Adds Service rights - on remote Computer(s)
.PARAMETER computername
Specifies the computername.
.PARAMETER ServiceName
Specifies the Service Name
.PARAMETER objectSID
Specifies the SID of the object you want to add (e.g. an account's SID: S-1-5-00-0000000-000000000-00000000)
.PARAMETER ACL
Specifies the level of rights - one of three options: Control (start/stop/query status of the service), Read (query status of the service), FullControl (full control)
.EXAMPLE
Add-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000 -ACL FullControl
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[string]$ServiceName,
[parameter(Mandatory = $true,
Position = 2)]
[system.Security.Principal.SecurityIdentifier]$objectSID,
[parameter(Mandatory = $true,
Position = 3)]
[System.Management.Automation.ValidateSetAttribute("Control", "Read", "FullControl")]
[string]$ACL = "Control"
)
begin
{
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# 'break' outside a loop would silently abort the caller's script; throw a terminating error instead.
if (!($myWindowsPrincipal.IsInRole($adminRole))) { throw "Script requires elevation. Run the console as an Administrator." }
}
process
{
switch ($acl)
{
Read {
$permissions = "CCLCSWLOCRRC"
}
FullControl {
$permissions = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
}
default
{
$permissions = "CCLCSWRPWPDTLOCRRC"
}
}
$scRightsForNewObject = ("(A;;$permissions;;;$($objectSID.value))").ToUpper()
foreach ($computer in $computerName)
{
$msgError = $null
$Output = [pscustomobject][ordered]@{
Computer = $computer
Account = $objectSID
ServiceName = $ServiceName
CommandResponse = $null
}
try
{
$ScriptResult = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).acl
}
catch
{
Write-Error $error[0].Exception.Message
break
}
if ($ScriptResult -like "*Failed*")
{
$Output.CommandResponse = "ADD: $ScriptResult"
}
else
{
if ($ScriptResult -like "*$scRightsForNewObject*")
{ $Output.CommandResponse = "ADD: Object already exists with same level of rights." }
else
{
# Insert the new ACE at the end of the DACL (just before the "S:" SACL part); if the descriptor has no SACL, append it instead.
if ($ScriptResult -match 'S:') { $SDDLtoADD = $ScriptResult -replace 'S:', "${scRightsForNewObject}S:" }
else { $SDDLtoADD = "$ScriptResult$scRightsForNewObject" }
$SC_CMD = 'sc.exe'
$arg1 = "\\$computer"
$arg2 = 'sdset'
$arg3 = $ServiceName
$arg4 = $SDDLtoADD
[string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3 $arg4
$output.CommandResponse = ($queryResult | ? -filter { $_ -ne '' })
$output.CommandResponse = $output.CommandResponse -replace '\[SC\]', "ADD:"
if ($queryResult[0] -like "*FAILED *")
{
for ($i = 0; $i -lt $queryResult.count; $i++)
{
($msgError += $queryResult[$i] | ? -filter { $_ -ne '' }) | out-null
}
$Output.CommandResponse = $msgError -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'ADD: '
}
}
}
$Output
}
}
}
function Remove-MGServiceRights
{
<#
.DESCRIPTION
Removes Service rights - on remote Computer(s)
.PARAMETER computername
Specifies the computername.
.PARAMETER ServiceName
Specifies the Service Name
.PARAMETER objectSID
Specifies the SID of the object you want to remove (e.g. an account's SID: S-1-5-00-0000000-000000000-00000000)
.EXAMPLE
Remove-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000
.NOTES
version 1.3.2.0
#>
param
(
[parameter(Mandatory = $true,
Position = 0)]
[string[]]$computerName,
[parameter(Mandatory = $true,
Position = 1)]
[string]$ServiceName,
[parameter(Mandatory = $true,
Position = 2)]
[system.Security.Principal.SecurityIdentifier]$objectSID
)
begin
{
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# 'break' outside a loop would silently abort the caller's script; throw a terminating error instead.
if (!($myWindowsPrincipal.IsInRole($adminRole))) { throw "Script requires elevation. Run the console as an Administrator." }
}
process
{
foreach ($computer in $computerName)
{
$msgError = $null
$Output = [pscustomobject][ordered]@{
Computer = $computer
Account = $objectSID
ServiceName = $ServiceName
CommandResponse = $null
}
try
{
$ScriptResult = (Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).acl
}
catch
{
Write-Error $error[0].Exception.Message
break
}
if ($ScriptResult -like "*Failed*")
{
$Output.CommandResponse = "REMOVE: $ScriptResult"
$Output
}
else
{
$found = $false
# Reset per computer; otherwise ACEs collected for the previous computer leak into this one's SDDL.
$newAcl_ = ''
# Rebuild the descriptor from every ACE that does not belong to the given SID.
$ScriptResult -split "\)" | foreach {
if ($_ -notlike "*$objectSID*")
{
$newAcl_ += $_ + ")"
}
elseif ($_ -like "*$objectSID*")
{
$found = $true
}
}
if ($found)
{
$SDDLtoADD = $newAcl_.Remove($newAcl_.length - 1, 1)
$SC_CMD = 'sc.exe'
$arg1 = "\\$computer"
$arg2 = 'sdset'
$arg3 = $ServiceName
$arg4 = $SDDLtoADD
[string[]]$queryResult = & $SC_CMD $arg1 $arg2 $arg3 $arg4
$output.CommandResponse = ($queryResult | ? -filter { $_ -ne '' })
$output.CommandResponse = $output.CommandResponse -replace '\[SC\]', "REMOVE:"
if ($queryResult[0] -like "*FAILED *")
{
for ($i = 0; $i -lt $queryResult.count; $i++)
{
($msgError += $queryResult[$i] | ? -filter { $_ -ne '' }) | out-null
}
$Output.CommandResponse = $msgError -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'REMOVE: '
}
}
else
{
$Output.CommandResponse = "REMOVE: Object Not Found"
}
$Output
}
}
}
}
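As an added illustration (not part of the question or of the posted script), the following Python helper parses a service SDDL string of the kind sc sdshow returns and reports which principals hold start and stop rights, as an audit aid for checking what sc sdset actually granted. The right-code and abbreviation mappings are the standard SDDL ones; the SID in the sample is constructed.

```python
import re

# Two-letter SDDL access-right codes as they apply to service objects (standard mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that appear in the question's descriptor.
WELL_KNOWN = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
              "SU": "Service", "WD": "Everyone", "AU": "Authenticated Users"}

SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")  # "D:(...)(...)" and "S:(...)" parts
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into DACL and SACL ACE lists; each ACE is a dict with
    type ('A' allow, 'D' deny, 'AU' audit), flags, rights (set of codes) and sid."""
    result = {"dacl": [], "sacl": []}
    for key, section in SECTION_RE.findall(sddl):
        for body in ACE_RE.findall(section):
            parts = body.split(";")
            if len(parts) != 6:
                raise ValueError("malformed ACE: (%s)" % body)
            ace_type, flags, rights, _, _, sid = parts
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            result["dacl" if key == "D" else "sacl"].append(
                {"type": ace_type, "flags": flags, "rights": codes,
                 "sid": WELL_KNOWN.get(sid, sid)})
    return result

def principals_with_rights(sddl, required=("RP", "WP")):
    """SIDs whose allow ACEs grant every right in `required` (default: start AND stop)."""
    need = set(required)
    return [ace["sid"] for ace in parse_sddl(sddl)["dacl"]
            if ace["type"] == "A" and need <= ace["rights"]]

# Constructed sample: the question's BITS descriptor with a made-up SID in place of MY-SID,
# granted the "Control" level (CCLCSWRPWPDTLOCRRC) that the posted Add function uses.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111-2222-3333-1001)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE)["dacl"]:
        names = sorted(SERVICE_RIGHTS.get(c, c) for c in ace["rights"])
        print("%-40s %s" % (ace["sid"], ", ".join(names)))
    print("can start and stop:", principals_with_rights(SAMPLE))
```

Feed it the line sc sdshow prints for each server to see, before and after a change, exactly which SIDs can start or stop the service and which hold WRITE_DAC and can therefore change the ACL again.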