Re: Listing user privileges



Thanks for your feedback. I did look at sysinternals before making this
posting (as I've got handy apps from them before). The only thing I can see
that might be appropriate is TokenMon, which lists live privilege
allocations, rather than listing the static state which I think would be
adequate for my purposes.

Your description is quite correct. The service is not running on a DC, it's
on a member server.

Currently I have discovered that the service user being a member of the
Domain Admins group resolves the issue, and I'm suspecting (but not yet
confirmed) that being a member of the Administrators group for the domain
will also resolve the issue. The user is already a member of the
Administrators group for the machine, so my task will be to identify what
are the privilege differences between those two groups, then incrementally
add and remove those until I work out what's the key one.

The problem is on a customer site, which slows down testing of the issue,
and the customer requires that we set minimal rights on the user running the
service, so just leaving it as member of the domain's Administrators group
is not considered to be a solution.

Any suggestions would be appreciated :)
Dave


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eqiPN2sPGHA.5464@xxxxxxxxxxxxxxxxxxxxxxx
I believe that www.sysinternal.com has a tool you might use that
looks at the live token and lists out the privileges. It seems to
me the problem going that route is you will see very many that
are not involved as admins have most all.
To clarify the situation . . .
You have developed a true service
When you define this service with the service control manager
to start in a custom account (that has right to log in as service)
the service starts, but cannot write files to specified area.
If you add that custom account to administrators group of the
machine where installed then the file write works.
???
Notice I got rid of the Domain Admins part, and implied this
is not installed on a DC (administrators group of the machine).
Can you narrow it down to a non-DC install or do you really
need to take the discussion onto DC territory (Administrators
group in domain) ?

"Dave Williams" <davewilliams29@xxxxxxxxx> wrote in message
news:e%23rwpwsPGHA.3192@xxxxxxxxxxxxxxxxxxxxxxx
Hi all, is there a simple utility I can use that will list all the
privileges a user has in a Windows 2000 environment?

A service I've developed is getting a failure to create a file on one
user's disk drive but not on another drive in the same system. The
problem is not fixed by granting the user that runs the service full
access to the base directory, but it is fixed by adding the user that
runs the service to the Domain Admins group.

I figure the only way to diagnose this is to work out what the privilege
difference is between the user that runs the service as it is, and that user
when it's added to Domain Admins (I will test if the problem occurs if
the user is added to the Administrators group for the domain, which I
believe is the one with all the privileges).

I'd ideally like something that would list all the privileges a user has,
pref using the descriptive name not the symbolic name for the privilege,
and which group they were got through etc.

Or any other suggestions for tracking down this issue!

Thanks,
Dave
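
An added example, not part of the original posts: one way to do the static comparison asked for above is to parse the [Privilege Rights] section of a security template exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and list, by descriptive name and granting group, the rights one set of identities has that another lacks. The template text, the `svc_app` account and the file name `rights.inf` are constructed for illustration, and the group memberships are supplied by hand because the template does not contain them.

```python
# Added example: diff user rights between two identity sets in a secedit template.
# SAMPLE_INF is constructed for illustration; svc_app is a hypothetical account.
DISPLAY = {  # symbolic name -> descriptive name shown in the security policy UI
    "SeServiceLogonRight": "Log on as a service",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
}
SAMPLE_INF = """\
[Privilege Rights]
SeServiceLogonRight = svc_app
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,svc_app
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: set of holders}; holders are lowercased, '*' stripped."""
    table, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # section header: only one section matters
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            right, holders = line.split("=", 1)
            names = (h.strip().lstrip("*").lower() for h in holders.split(","))
            table[right.strip()] = {n for n in names if n}
    return table

def rights_for(table, identities):
    """Map each right held to the identities (user or group) that grant it."""
    ids = {i.lower() for i in identities}
    return {r: sorted(h & ids) for r, h in table.items() if h & ids}

def extra_rights(table, baseline_ids, elevated_ids):
    """Rights the elevated identity set has that the baseline set lacks."""
    base = rights_for(table, baseline_ids)
    elevated = rights_for(table, elevated_ids)
    return {DISPLAY.get(r, r): via for r, via in elevated.items() if r not in base}

if __name__ == "__main__":
    table = parse_privilege_rights(SAMPLE_INF)
    service = ["svc_app", "S-1-1-0"]        # the account plus Everyone
    as_admin = service + ["S-1-5-32-544"]   # plus the local Administrators group
    for name, via in sorted(extra_rights(table, service, as_admin).items()):
        print(f"{name}  (via {', '.join(via)})")
```

This compares user rights only; file and directory ACLs are a separate check.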




