Re: Allow non-Administrator to view and terminate processes for all users



Interesting situation Bruce.
I would try the debug user right first with a third party process monitor.


"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxx> wrote in message
news:%23t2ecZUsGHA.2376@xxxxxxxxxxxxxxxxxxxxxxx
Perhaps an explanation might help. We have a line of business application
that is a classic client server implementation. We are running the client
under Terminal Services with Citrix XPe. It uses an Oracle database that
is on a completely separate system (Sun Solaris actually).

For an unknown reason, the client application randomly goes into a very
tight CPU loop - no page faults, no I/O, no database interaction, no
network activity. There are between 400 and 500 users spread over 24
servers (the application is a real memory hog and also can be quite CPU
intensive when operating normally). The client application is a win32
executable - a classic desktop type application - no web browser/server
involved. It is not unusual for a single user to have multiple instances
of the client running - each process manages one window. At any given
point in time, there are sometimes as many as 100 instances of the client
application running on each server. When one of the client application
instances (.exe - process) gets into this loop situation, it completely
hogs one of the two CPUs on that server, which impacts the performance for
all users on that server. Some days this doesn't happen at all; on other
days we see five or six instances. Unfortunately, most of our users are in
the habit of merely ignoring the "hung" window and starting another
instance of the client application - which works correctly and allows them
to proceed with their work. Sometimes, the user will "Close" the window,
believing that this has "solved the problem", but this unfortunately does
not cause the associated process to terminate.

We're working with the application vendor to find out what triggers this
problem and get it fixed, but the problem is quite random and is proving
hard for the vendor to diagnose. This is a major "system" for our agency
and switching to another vendor would be a multi-year, very expensive
process - it's not going to happen!

So, in the meantime, we're faced with these runaway processes on the
Terminal Servers. We monitor the %CPU on all the servers and can see when
this problem is happening on a particular server because the %CPU is then
consistently high for a long time. We've decided that a couple of the
staff in our Help Desk are knowledgeable and trusted enough to be able to
identify, track down and terminate the "bad" processes. So I'm looking
for a way to allow these few users to view and terminate processes from
any user without being an administrator. We appreciate that such a
right/privilege/permission could be used to terminate any process,
including vital system processes, but judge that risk slight and
acceptable given the particular people that would be granted that right
and the alternative of suffering degraded performance. If there really
isn't a way without them being administrators, then we'll just live with
that.

I'll take a look at PSTools suite as you suggest. I'm somewhat familiar
with System Internals and have used some of their tools for other
purposes.

Thanks for your time.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:etnmkC$rGHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Bruce,
We need to factor apart what you appear to be after.
One is to use task manager to view all processes. This appears to be
something hardcoded into task manager as allowed only to admins.
However, if you are willing to use other tools, for example from the
PStools suite from www.sysinternals.com (now part of Microsoft)
then you will find that they do not have this restriction.
You also seemed to want to grant the ability for a non-admin account
to access/kill arbitrary processes. I do not believe that there is a
specific user right for that tightly defined purpose. I would also try
debug priv, possibly with load/unload drivers, and if those are not
sufficient then act as part of OS. Any one of these is an unsafe grant
that would allow the account with them to elevate their privs to full
admin, to destabilize the OS, to install code of choice, etc.

Roger

"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxx> wrote in message
news:O6FCVy6rGHA.4616@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the reply, Svyatoslav!

I tried granting a user both the "increase scheduling priority" and
"debug programs" "right" under Security Settings, Local Policies, User
Rights Assignment (in Computer Configuration) via GPO to a specific
domain user, but that user still could not add a check mark to the "Show
processes from all users" check box in Task Manager.

I verified using gpresult /v that the settings in the GPO had been
applied to the computer.

Any other ideas come to mind?

It may well be that there is no specific right or permission that grants
this - this ability may be built-in to the Administrators group inherent
rights (unfortunately!) but it would be nice to know definitively.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:%23KT4n%23frGHA.3868@xxxxxxxxxxxxxxxxxxxxxxx
Interesting question... That might be a matter of changing one of the
user rights in the local security policy. Which one? I'd say "Increase
scheduling priority" or "debug programs".

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:uWfQOCRrGHA.4820@xxxxxxxxxxxxxxxxxxxxxxx
In Windows 2003 Enterprise Server, is there a user right or group
policy setting (or other means) to allow someone to view and end
processes from any (all) users (e.g. in Task Manager - "Show processes
from all users") without making that someone's user account a member
of the Administrators group?

--
Bruce Sanderson MVP
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.
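
Roger Abell's reply in this thread names "debug programs", "load/unload drivers" and "act as part of OS" as unsafe grants. As an added example (not part of the original thread), the script below audits a `secedit /export /areas USER_RIGHTS` file for accounts other than the built-in Administrators group holding those rights; the sample export, its SIDs, and the choice of expected holders are constructed assumptions.

```python
# Added example: audit exported user-rights assignments for risky grants.

# The three user rights named in the thread, by privilege constant.
RISKY = {
    "SeDebugPrivilege": "Debug programs",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeTcbPrivilege": "Act as part of the operating system",
}
# Assumption: only built-in Administrators (S-1-5-32-544) is an expected holder.
EXPECTED = {"*S-1-5-32-544"}

# Constructed sample export (not from the thread); the domain SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeLoadDriverPrivilege = *S-1-5-32-544
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {h.strip() for h in value.split(",") if h.strip()}
    return rights

def unexpected_holders(rights, expected=EXPECTED):
    """List (privilege, friendly name, holder) for risky rights held outside `expected`."""
    return [(priv, label, holder)
            for priv, label in RISKY.items()
            for holder in sorted(rights.get(priv, set()) - expected)]

if __name__ == "__main__":
    # On a server: secedit /export /areas USER_RIGHTS /cfg rights.inf
    # then read it with open("rights.inf", encoding="utf-16").read()
    for priv, label, holder in unexpected_holders(parse_privilege_rights(SAMPLE_INF)):
        print(f"{holder} holds {priv} ({label})")
```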












