Re: Grant Object Access

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/22/05


Date: Sun, 21 Aug 2005 23:58:29 -0500

Possibly logon as a batch job? The link below may help with explanations of
logon user rights.

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnd_urs_wyxu.asp
OR
http://tinyurl.com/26nqu

Another thing to try is to enable auditing of privilege use for failure and
then look in the security log to see whether a failure Event ID for privilege
use has been recorded when the account usage fails, which may provide a
clue. --- Steve

"Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
news:OFCkn9spFHA.3084@TK2MSFTNGP09.phx.gbl...
> False alarm. Sorry folks. :-(
>
> The reason I got past the previous error when trying to get service status
> was that I had added IUSR_ to the local administrators group. Adding the
> Legacy Component does not correct the problem if I remove IUSR_ from the
> local admin group.
>
> So the question is, what rights do I give IUSR_ to allow it to use the
> Schedule service correctly without making it a local administrator?
>
> I'll be taking a look at NTRights that Roger mentioned.
>
> Regards...Andrew
>
> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
> news:uvhwklspFHA.764@TK2MSFTNGP14.phx.gbl...
>> From what you have said, Roger, and from what the various KB articles
>> concerning that error have led me to, is that the IUSER_ account doesn't
>> have the privileges. Right enough.
>>
>> Now, how to set those privileges?
>>
>> I finally found one way to do it.
>>
>> Using DCOMCNFG, I opened the COM+ library application that contains all
>> the COM+ components for the web application, and tried adding a
>> "Component", selecting the Install New Component option and browsing to
>> the MSTASK.DLL file. This gives me the error "One or more files do not
>> contain component or type libraries. These files cannot be installed."
>>
>> So much for Scheduler being a COM component, but then, I use COM to work
>> with it from the VC++ code. Very strange. So I tried to add a new "Legacy
>> Component"...
>>
>> Although the Scheduler doesn't show up with a human-friendly name, as it
>> has no ProgID, its CLSID was listed so I added it using that. Seemed to
>> work, although it creates an icon with no name. I then changed the
>> identity of the created object to one that has local administrator
>> rights, and gave local Launch, Activation and Access permissions to the
>> local IUSER_ and NETWORK_SERVICE accounts.
>>
>> Ran through my process again, and I no longer get the 560 for the
>> Schedule object access but it is generating an Exception that I need to
>> track down.
>>
>> Still, I'm a little further along than I had been, and I hope what I
>> discovered would be useful to someone.
>>
>> Regards...Andrew
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:utWtGYWpFHA.3940@TK2MSFTNGP14.phx.gbl...
>>> I am not aware what your COM+ component is attempting to do,
>>> but from the event message you post it would appear to me that
>>> a chain of events leading to an attempt to get a handle to the Schedule
>>> service that allows querying and starting that service is denied.
>>> One does not grant rights to services in the ways you have attempted,
>>> by altering the NTFS permissions on the binaries. Rather, you need
>>> to either use security templates or a tool such as NTrights.exe from the
>>> resource kit.
>>>
>>> --
>>> Roger Abell
>>> Microsoft MVP (Windows Security)
>>> MCSE (W2k3,W2k,Nt4) MCDBA
>>> "Andrew Hayes" <AndrewHayes@discussions.microsoft.com> wrote in message
>>> news:%23Xp7hLJpFHA.708@TK2MSFTNGP09.phx.gbl...
>>>> Hi All,
>>>>
>>>> As part of my continuing efforts to get COM+ components running under
>>>> Windows 2003 Server SP1, I enabled Object Access auditing and File
>>>> auditing, and ran through the process that is failing.
>>>>
>>>> One failure event was logged in the security log:
>>>>
>>>> Event Type: Failure Audit
>>>> Event Source: Security
>>>> Event Category: Object Access
>>>> Event ID: 560
>>>> Date: 2005/08/19
>>>> Time: 16:10:44
>>>> User: WIN2003\IUSR_WIN2003
>>>> Computer: WIN2003
>>>> Description:
>>>> Object Open:
>>>> Object Server: SC Manager
>>>> Object Type: SERVICE OBJECT
>>>> Object Name: Schedule
>>>> Handle ID: -
>>>> Operation ID: {0,84340653}
>>>> Process ID: 476
>>>> Image File Name: C:\WINDOWS\system32\services.exe
>>>> Primary User Name: WIN2003$
>>>> Primary Domain: DOMAIN
>>>> Primary Logon ID: (0x0,0x3E7)
>>>> Client User Name: IUSR_WIN2003
>>>> Client Domain: WIN2003
>>>> Client Logon ID: (0x0,0x504A958)
>>>> Accesses: Query status of service
>>>> Start the service
>>>>
>>>> Privileges: -
>>>> Restricted Sid Count: 0
>>>> Access Mask: 0x14
>>>>
>>>>
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>
>>>> This most certainly is the culprit of the Access Denied error I'm
>>>> getting in my component.
>>>>
>>>> Now... Can anyone help me with granting access to Schedule? I've tried
>>>> giving IUSR_WIN2003 "read and execute" and "read" permissions to
>>>> services.exe and mstask.dll, but to no avail.
>>>>
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833001&sd=ee
>>>> mentions something similar with OWA and clusters, but uses Active
>>>> Directory Users and Computers to change the settings, which doesn't
>>>> exist on this server as it's not part of Active Directory.
>>>>
>>>> Regards...Andrew
>>>>
>>>>
>>>
>>>
>>
>>
>
>

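The 560 audit quoted at the bottom of the thread already names the two rights IUSR_WIN2003 was denied on the Schedule service (Access Mask 0x14 = SERVICE_QUERY_STATUS | SERVICE_START). The following is an added example, not code from any poster: it parses those event fields, decodes the mask against the winsvc.h service rights and their SDDL codes, and emits the single access-allowed ACE that grants just those rights to the account, which is the least-privilege alternative to putting IUSR_ in the local Administrators group. The SID used in the test is a constructed placeholder; the real one would be resolved for the IUSR_ account.

```python
# Service-object access rights from winsvc.h with their SDDL codes (the
# codes "sc sdshow" prints).  Constructed table; order is by bit value.
SERVICE_RIGHTS = [
    (0x0001, "SERVICE_QUERY_CONFIG", "CC"),
    (0x0002, "SERVICE_CHANGE_CONFIG", "DC"),
    (0x0004, "SERVICE_QUERY_STATUS", "LC"),
    (0x0008, "SERVICE_ENUMERATE_DEPENDENTS", "SW"),
    (0x0010, "SERVICE_START", "RP"),
    (0x0020, "SERVICE_STOP", "WP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE", "DT"),
    (0x0080, "SERVICE_INTERROGATE", "LO"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL", "CR"),
]

# Constructed sample: the fields that matter from the 560 event in the thread.
SAMPLE_EVENT = """Event ID: 560
Object Type: SERVICE OBJECT
Object Name: Schedule
Client User Name: IUSR_WIN2003
Accesses: Query status of service
Start the service
Access Mask: 0x14
"""


def parse_event(text):
    """Split the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_mask(mask):
    """Return (Win32 right names, SDDL rights string, bits not decoded)."""
    names, sddl, rest = [], "", mask
    for bit, name, code in SERVICE_RIGHTS:
        if mask & bit:
            names.append(name)
            sddl += code
            rest &= ~bit
    return names, sddl, rest


def minimal_allow_ace(mask, sid):
    """Access-allowed ACE granting exactly the audited rights to one SID."""
    names, sddl, rest = decode_mask(mask)
    if rest:  # refuse to emit an ACE for bits this table cannot name
        raise ValueError("unrecognised access bits: 0x%x" % rest)
    return "(A;;%s;;;%s)" % (sddl, sid)
```

`sc sdset` replaces the whole security descriptor, so the ACE is inserted into the DACL string read with `sc sdshow Schedule` and the combined string written back, rather than applied on its own.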