- Obtain the user's SID (using a short script)
- Format the SDDL correctly
- Apply the permissions
- Verify the process
VBScript to obtain the SID (copy and paste the script into Notepad, save it as "SID.vbs", and run it):
' Connect to WMI on the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Replace USERNAME and DomainName with the account to look up
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='USERNAME',Domain='DomainName'")
' Show the account's SID
Wscript.Echo objAccount.SID
Command for obtaining the Security Descriptor Definition Language (SDDL) string:
cmd>>
sc sdshow servicename (servicename must be the exact service name)
Command to grant permission:
cmd>>
sc sdset servicename D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWP;;;S-1-5-21-671767478-4120628812-988426340-2271)
Access granted! You're done. Please verify by starting the service as the non-admin user.
Description:
(A;;RPWP;;;S-1-5-21-671767478-4120628812-988426340-2271)
Replace the SID with the one returned by the VBScript above.
SID - USERNAME
A - Allow
RP - Read all properties
WP - Service handling
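
`sc sdset` replaces the service's whole security descriptor, so the new ACE is safest appended to whatever `sc sdshow` currently returns rather than to a pasted DACL. The PowerShell below is an added example, not part of the original post; the function name `Add-ServiceAce`, its refused-rights list, and the sample SACL are assumptions made for illustration.

```powershell
# Added example (not from the original post). Appends one ACE to a service's
# existing DACL so that `sc sdset` keeps the ACEs and SACL already present.
function Add-ServiceAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,   # text printed by: sc.exe sdshow <service>
        [Parameter(Mandatory)][string]$Sid,    # SID of the non-admin account
        [string]$Rights = 'RPWP'               # rights string used on this page
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }
    if ($Rights -notmatch '^([A-Z]{2})+$') { throw "Bad rights string: $Rights" }

    # Refuse rights that would let the account reconfigure the service or
    # rewrite its permissions: DC (change config), WD (write DAC),
    # WO (write owner), GA (generic all).
    $pairs = [regex]::Matches($Rights, '[A-Z]{2}') | ForEach-Object { $_.Value }
    $risky = @($pairs | Where-Object { $_ -in 'DC', 'WD', 'WO', 'GA' })
    if ($risky.Count) { throw "Refusing to grant: $($risky -join ',')" }

    # Split into: text up to the DACL flags, the DACL's ACEs, and the rest (e.g. S:...).
    $pattern = '^(?<head>.*?D:[A-Z]*)(?<aces>(?:\([^()]*\))+)(?<tail>.*)$'
    $m = [regex]::Match($Sddl.Trim(), $pattern)
    if (-not $m.Success) { throw 'No DACL found in SDDL string' }

    # Do not add a second ACE if one for this SID is already present.
    if ($m.Groups['aces'].Value.Contains(";;;$Sid)")) {
        throw "DACL already contains an ACE for $Sid; review it instead of appending"
    }
    $m.Groups['head'].Value + $m.Groups['aces'].Value + "(A;;$Rights;;;$Sid)" + $m.Groups['tail'].Value
}

# Constructed sample: the DACL from this page plus an assumed audit SACL (S:...).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$sid    = 'S-1-5-21-671767478-4120628812-988426340-2271'   # SID shown on this page
Add-ServiceAce -Sddl $sample -Sid $sid   # new ACE lands before S:, SACL is preserved

# Against a live service (elevated prompt; names are the page's placeholders):
#   $acct = [System.Security.Principal.NTAccount]'DomainName\USERNAME'
#   $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
#   $old  = ((sc.exe sdshow servicename) -join '').Trim()
#   $old | Set-Content .\servicename.sddl.bak     # copy to roll back with sc.exe sdset
#   sc.exe sdset servicename (Add-ServiceAce -Sddl $old -Sid $sid)
#   sc.exe sdshow servicename                     # confirm the ACE is in the D: part
```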