
上司から、数百台のサーバー(Windows 2003〜2012)上にある約5つのさまざまなサービスへのアクセスを許可されました。目的は、それらのサービスを Windows 上でリモートから開始することです。

各サービスの SDDL を編集して自分のアカウントにアクセス権を与えようとしました(テストには特定のアカウントと BITS サービスを使っています)。作成したコマンドの例は次のとおりです:

REM Command quoted in the question: "sc sdset <service> <SDDL>". "D:" starts the DACL and "S:" the SACL;
REM each (A;;<rights>;;;<trustee>) entry is an allow ACE. The two bold tokens are the asker's placeholders
REM for the rights string they tried and for their own account SID, not literal SDDL.
sc sdset BITS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) 
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU) 
(A;;CCLCSWLOCRRC;;;SU)(A;;**[startStopListSettings]**;;;**MY-SID**)S: 
(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 

しかし、この新しいエントリを追加しても、管理者以外のユーザーとして別のコンピュータから sc を使ってサービスを開始/停止することはできません。

管理者以外のユーザーがリモートコンピュータ上のサービスを開始できるようにするには、ほかに何が必要でしょうか? 解決策をご存じの方はいますか? ありがとうございます。


サービスの権限を編集する方法が分かりました。取得/追加/削除を行う3つの関数を作成しました:

#Requires -version 3 
    ##################### 
    # Code info  :Set Service Rights on remote computer. With this script you can set rights on a service on many computers by modifying the SDDL remotely. 
    #    You need - service name - object SID you want to add/remove access and computer name(s) 
    # V    :1.3.2.0 
    # D    :01-06-2017 
    # Author  : stackoverflow.com - gsky 
    # INFO   :All credits go to the author of this script. No changes without confirmation 
    # Compatibility :Powershell 3 and up (.net 3.5 and up) 
    # Supported  :From Windows 2003 to 2016 
    #keywords:  : Windows, Wintel, Service, Remote,Add Rights, Remove Rights 
    ##################### 



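    function Get-MGServiceRights
    {
        <#
        .SYNOPSIS
        Reads the security descriptor (SDDL) of a service on one or more (remote) computers.

        .DESCRIPTION
        Runs "sc.exe \\<computer> sdshow <ServiceName>" for every computer in -computerName and
        returns one object per computer with the SDDL string in the Acl property.
        When sc.exe reports a failure, or produces no output at all, the Acl property holds a
        message that starts with "GET:" and contains the word FAILED, so callers can detect it
        with -like "*Failed*" instead of mistaking it for a descriptor.

        .PARAMETER computerName
        One or more computer names. sc.exe is called with \\<computer>, so it authenticates to the
        remote Service Control Manager with the current user's credentials.

        .PARAMETER ServiceName
        The service (key) name, e.g. BITS.

        .EXAMPLE
        Get-MGServiceRights -computerName testComputer123 -ServiceName BITS

        .OUTPUTS
        PSCustomObject with Computer, ServiceName and Acl.

        .NOTES
        version 1.3.2.0
        #>
        param
        (
            [parameter(Mandatory = $true, Position = 0)]
            [string[]]$computerName,
            [parameter(Mandatory = $true, Position = 1)]
            [string]$ServiceName
        )

        foreach ($computer in $computerName)
        {
            $Output = [pscustomobject][ordered]@{
                Computer    = $computer
                ServiceName = $ServiceName
                Acl         = $null
            }

            # Arguments are handed to sc.exe one by one (no intermediate shell), so a computer or
            # service name is never re-parsed as additional command-line syntax.
            [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdshow' $ServiceName
            $exitCode = $LASTEXITCODE
            $lines = @($queryResult | Where-Object { $_ -ne '' })

            if ($lines.Count -eq 0)
            {
                # sc.exe missing or silent: say so instead of returning an empty Acl that the
                # Add/Remove callers would treat as a valid descriptor.
                $Output.Acl = "GET: FAILED - sc.exe produced no output (exit code $exitCode)"
            }
            elseif ($lines[0] -like "*FAILED *")
            {
                # e.g. "[SC] OpenService FAILED 1060:" -> "GET: FAILED 1060:"; the message lines are
                # concatenated as sc.exe printed them.
                $Output.Acl = (-join $lines) -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'GET: '
            }
            else
            {
                # sdshow prints the SDDL on one line surrounded by blank lines; joining the non-empty
                # lines always yields a single string for the callers' string operations.
                $Output.Acl = -join $lines
            }
            $Output
        }
    }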


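    function Add-MGServiceRights
    {
        <#
        .SYNOPSIS
        Grants a SID one of three predefined right sets on a service, on one or more (remote) computers.

        .DESCRIPTION
        Reads the service's SDDL with Get-MGServiceRights, inserts an allow ACE
        "(A;;<rights>;;;<SID>)" at the end of the DACL - before the "S:" (SACL) section, or at the
        very end when the descriptor has no SACL - and writes it back with "sc.exe \\<computer> sdset".
        Nothing is written when an ACE with exactly the same rights and SID is already present.
        Requires an elevated console; sc.exe itself runs with the current user's credentials.

        .PARAMETER computerName
        One or more computer names.

        .PARAMETER ServiceName
        The service (key) name, e.g. BITS.

        .PARAMETER objectSID
        SID of the account or group to grant (e.g. S-1-5-00-0000000-000000000-00000000).

        .PARAMETER ACL
        Right set to grant, one of:
          Read        - query configuration and status            (CCLCSWLOCRRC)
          Control     - Read plus start, stop and pause/continue  (CCLCSWRPWPDTLOCRRC)
          FullControl - all service rights plus change config, delete, write DAC and write owner
                                                                  (CCDCLCSWRPWPDTLOCRSDRCWDWO)

        .EXAMPLE
        Add-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000 -ACL FullControl

        .OUTPUTS
        PSCustomObject with Computer, Account, ServiceName and CommandResponse per computer.

        .NOTES
        version 1.3.2.0
        #>
        param
        (
            [parameter(Mandatory = $true, Position = 0)]
            [string[]]$computerName,
            [parameter(Mandatory = $true, Position = 1)]
            [string]$ServiceName,
            [parameter(Mandatory = $true, Position = 2)]
            [System.Security.Principal.SecurityIdentifier]$objectSID,
            [parameter(Mandatory = $true, Position = 3)]
            [System.Management.Automation.ValidateSetAttribute("Control", "Read", "FullControl")]
            [string]$ACL = "Control"
        )

        begin
        {
            $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
            $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
            if (-not $principal.IsInRole($adminRole))
            {
                # throw, not Write-Error + break: Write-Error is non-terminating and a 'break'
                # outside any loop unwinds into the caller's loop or ends the calling script.
                throw "Script Requires ELEVATION!. Run console as an Administrator"
            }

            # Service access-mask letters: CC/LC/SW/LO = query config, query status, enumerate
            # dependents, interrogate; RP/WP/DT = start, stop, pause/continue; CR = user-defined
            # control; DC = change config; SD/RC/WD/WO = delete, read control, write DAC, write owner.
            $permissions = switch ($ACL)
            {
                'Read'        { 'CCLCSWLOCRRC' }
                'FullControl' { 'CCDCLCSWRPWPDTLOCRSDRCWDWO' }
                default       { 'CCLCSWRPWPDTLOCRRC' }
            }
            $scRightsForNewObject = "(A;;$permissions;;;$($objectSID.Value))".ToUpper()
        }
        process
        {
            foreach ($computer in $computerName)
            {
                $Output = [pscustomobject][ordered]@{
                    Computer        = $computer
                    Account         = $objectSID
                    ServiceName     = $ServiceName
                    CommandResponse = $null
                }

                try
                {
                    # Flatten to one string; Get-MGServiceRights reports failures in-band ("GET: ... FAILED ...").
                    $currentSddl = -join @((Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl)
                }
                catch
                {
                    Write-Error $_.Exception.Message
                    break
                }

                if ([string]::IsNullOrWhiteSpace($currentSddl))
                {
                    # Never pass an empty descriptor on to sdset.
                    $Output.CommandResponse = "ADD: FAILED - no SDDL returned for $ServiceName"
                }
                elseif ($currentSddl -like "*Failed*")
                {
                    $Output.CommandResponse = "ADD: $currentSddl"
                }
                elseif ($currentSddl.Contains($scRightsForNewObject))
                {
                    $Output.CommandResponse = "ADD: Object already exists with same level of rights."
                }
                else
                {
                    # Insert before the SACL so the new ACE stays inside the DACL. A descriptor with
                    # no "S:" section previously matched nothing and the unchanged SDDL was re-set.
                    # NOTE(review): assumes D: is the last section when S: is absent, as sc sdshow prints it.
                    $SDDLtoADD = if ($currentSddl -match 'S:')
                    {
                        $currentSddl -replace 'S:', "$($scRightsForNewObject)S:"
                    }
                    else
                    {
                        $currentSddl + $scRightsForNewObject
                    }

                    [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $SDDLtoADD
                    $exitCode = $LASTEXITCODE
                    $lines = @($queryResult | Where-Object { $_ -ne '' })

                    if ($lines.Count -eq 0)
                    {
                        $Output.CommandResponse = "ADD: FAILED - sc.exe produced no output (exit code $exitCode)"
                    }
                    elseif ($lines[0] -like "*FAILED *")
                    {
                        # e.g. "[SC] OpenService FAILED 5:" -> "ADD: FAILED 5:"
                        $Output.CommandResponse = (-join $lines) -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'ADD: '
                    }
                    else
                    {
                        # e.g. "[SC] SetServiceObjectSecurity SUCCESS" -> "ADD: SetServiceObjectSecurity SUCCESS"
                        $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]', 'ADD:'
                    }
                }
                $Output
            }
        }
    }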



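    function Remove-MGServiceRights
    {
        <#
        .SYNOPSIS
        Removes every ACE that names a given SID from a service's security descriptor, on one or more (remote) computers.

        .DESCRIPTION
        Reads the service's SDDL with Get-MGServiceRights, deletes each ACE whose trustee field is
        exactly the given SID ("(...;;;<SID>)") and writes the result back with
        "sc.exe \\<computer> sdset". Section labels (D:, S:) are left untouched, so an ACE can be
        removed from the DACL or the SACL without corrupting the descriptor.
        Requires an elevated console; sc.exe itself runs with the current user's credentials.

        .PARAMETER computerName
        One or more computer names.

        .PARAMETER ServiceName
        The service (key) name, e.g. BITS.

        .PARAMETER objectSID
        SID of the account or group whose ACEs are removed (e.g. S-1-5-00-0000000-000000000-00000000).
        Only ACEs that carry the SID in its S-1-... form are matched; sc.exe prints well-known
        trustees as two-letter aliases (BA, SY, IU, ...) and those are not matched.

        .EXAMPLE
        Remove-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000

        .OUTPUTS
        PSCustomObject with Computer, Account, ServiceName and CommandResponse per computer.

        .NOTES
        version 1.3.2.0
        #>
        param
        (
            [parameter(Mandatory = $true, Position = 0)]
            [string[]]$computerName,
            [parameter(Mandatory = $true, Position = 1)]
            [string]$ServiceName,
            [parameter(Mandatory = $true, Position = 2)]
            [System.Security.Principal.SecurityIdentifier]$objectSID
        )

        begin
        {
            $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
            $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
            if (-not $principal.IsInRole($adminRole))
            {
                # throw, not Write-Error + break: Write-Error is non-terminating and a 'break'
                # outside any loop unwinds into the caller's loop or ends the calling script.
                throw "Script Requires ELEVATION!. Run console as an Administrator"
            }

            # One complete ACE whose trustee is exactly this SID. Anchoring on ";;;<SID>)" stops a
            # SID from matching an ACE for a longer SID that merely starts with the same digits
            # (...-1001 vs ...-10011), which the previous wildcard "*<SID>*" allowed.
            $aceForSid = '\([^()]*;;;' + [regex]::Escape($objectSID.Value) + '\)'
        }
        process
        {
            foreach ($computer in $computerName)
            {
                $Output = [pscustomobject][ordered]@{
                    Computer        = $computer
                    Account         = $objectSID
                    ServiceName     = $ServiceName
                    CommandResponse = $null
                }

                try
                {
                    # Flatten to one string; Get-MGServiceRights reports failures in-band ("GET: ... FAILED ...").
                    $currentSddl = -join @((Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl)
                }
                catch
                {
                    Write-Error $_.Exception.Message
                    break
                }

                if ([string]::IsNullOrWhiteSpace($currentSddl))
                {
                    # Never pass an empty descriptor on to sdset.
                    $Output.CommandResponse = "REMOVE: FAILED - no SDDL returned for $ServiceName"
                }
                elseif ($currentSddl -like "*Failed*")
                {
                    $Output.CommandResponse = "REMOVE: $currentSddl"
                }
                elseif ($currentSddl -notmatch $aceForSid)
                {
                    $Output.CommandResponse = "REMOVE: Object Not Found"
                }
                else
                {
                    # Computed from this computer's descriptor only. The previous version appended
                    # each computer's fragments to one never-reset accumulator, so from the second
                    # computer on the descriptor written back also contained the earlier ones' ACEs.
                    $SDDLtoSet = $currentSddl -replace $aceForSid, ''

                    [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $SDDLtoSet
                    $exitCode = $LASTEXITCODE
                    $lines = @($queryResult | Where-Object { $_ -ne '' })

                    if ($lines.Count -eq 0)
                    {
                        $Output.CommandResponse = "REMOVE: FAILED - sc.exe produced no output (exit code $exitCode)"
                    }
                    elseif ($lines[0] -like "*FAILED *")
                    {
                        # e.g. "[SC] OpenService FAILED 5:" -> "REMOVE: FAILED 5:"
                        $Output.CommandResponse = (-join $lines) -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'REMOVE: '
                    }
                    else
                    {
                        # e.g. "[SC] SetServiceObjectSecurity SUCCESS" -> "REMOVE: SetServiceObjectSecurity SUCCESS"
                        $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]', 'REMOVE:'
                    }
                }
                $Output
            }
        }
    }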