Default ZAM 10 Windows Service Accounts
Hi there,
My customer's security department did a review and noticed some strangely named service accounts in this Windows 2008 member server running just ZAM 10. They would like to get more info on these accounts but we could find none in the documentation.
Here is part of the conversation:
Our security people are questioning some logon accounts used by Novell Zam/ZCM on servers. (See Below). It has proven impossible so far to find definitive info about these accounts possibly due to Google not liking the format of the account name. The account used on the main server is slightly different (.\__z_1_200__). These accounts were created by Zam on install. Any information on them would be greatly appreciated and in particular the rights they require on the server.
There is a strange local admin user set up on <server-name>.
The account is called _z_1_80_. Does anyone know what it is?
It must be created as part of the ZCM product that is installed on this server. The server <another-server> also has an account like this and this has ZCM installed also.
Also, here is a screenshot of the Services applet.
cheers,
Kirk
They are created during the install for use in various ZEN services.
There is nothing special about the accounts other than that they are
local administrators.
The services using those accounts can be changed to use another local
administrator account by using the Services control panel.
On 7/21/2010 11:46 AM, kmaule wrote:
> +----------------------------------------------------------------------+
> |Filename: ZAM10WindowsServices.jpg |
> |Download: http://forums.novell.com/attachment....achmentid=4626 |
> +----------------------------------------------------------------------+
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
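As an added example that is not part of the thread or of Novell's product: a PowerShell audit of the situation Craig describes, listing which local accounts run services, whether each account sits in the local Administrators group, and which accounts are shared by several services, plus a helper that performs the "Log On" change from the Services applet through the Win32_Service.Change method. It assumes PowerShell 5.1 or later with the LocalAccounts module on the reviewed server; the '*_z_*' pattern comes from the account names quoted above, and the service name in the usage line is a placeholder.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 5.1+ session
# on the server being reviewed (Get-LocalGroupMember needs the LocalAccounts module).

function Get-ServiceAccountReport {
    param(
        # Wildcard matched against the service logon name, e.g. '*_z_*' for the ZAM accounts
        [string]$AccountPattern = '*'
    )

    # Local Administrators membership, upper-cased so the later comparison is exact
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToUpperInvariant() }

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -like $AccountPattern }

    # Win32_Service reports local accounts as '.\name'; normalise to 'COMPUTER\name'
    # so they match the names Get-LocalGroupMember returns.
    $byAccount = $services | Group-Object -Property {
        ($_.StartName -replace '^\.\\', "$env:COMPUTERNAME\").ToUpperInvariant()
    }

    foreach ($group in $byAccount) {
        [pscustomobject]@{
            Account       = $group.Name
            IsLocalAdmin  = $admins -contains $group.Name
            ServiceCount  = $group.Count
            Services      = ($group.Group.Name -join ', ')
            SharedAccount = $group.Count -gt 1   # one account reused by several services
        }
    }
}

function Set-ServiceLogonAccount {
    # Equivalent of changing the "Log On" tab in services.msc, via Win32_Service.Change
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,        # '.\svc_zam' (local) or 'CORP\svc_zam'
        [Parameter(Mandatory)][securestring]$Password
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $Account; StartPassword = $plain }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed for '$ServiceName' (return code $($result.ReturnValue))"
    }
}

# Which services run as the installer-created accounts, and are those accounts local admins?
Get-ServiceAccountReport -AccountPattern '*_z_*' | Format-Table -AutoSize

# Moving one service to a dedicated, non-admin local account (service and account names are placeholders):
# Set-ServiceLogonAccount -ServiceName 'PlaceholderZenService' -Account '.\svc_zam' -Password (Read-Host -AsSecureString 'Password')
```

The report is the evidence a security review wants: the account name, whether it is privileged, and whether one credential is shared across services (a shared account widens the blast radius of any single compromised service). On servers older than Windows 10/2016 without Get-LocalGroupMember, the membership list can be taken from `net localgroup Administrators` instead.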
Similar Messages
-
Process in C# with Windows Service Account
Hi,
I would like to launch SQL Server Management Studio from the C# Process class through a Windows service account. When I start the process, I get a Win32Exception (“Logon failure: unknown user name or bad password”). I verified the user credentials
as well. Please let me know if you have any idea on this issue.
Code:
    using System;
    using System.ComponentModel;
    using System.Configuration;
    using System.Diagnostics;
    using System.Security;
    using System.Windows.Forms;

    private void cmdSqlServer2012_Click(object sender, EventArgs e)
    {
        Process objProcess = null;
        ProcessStartInfo objProcessStart = null;
        string strSqlServer = @"C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe";
        //string strSqlServer = "ssms.exe";
        string strUserID = ConfigurationManager.AppSettings["UserID"];
        string strUserPwd = ConfigurationManager.AppSettings["Password"];
        try
        {
            objProcess = new Process();
            objProcess.StartInfo.LoadUserProfile = false;
            objProcess.StartInfo.FileName = strSqlServer;
            // UseShellExecute must be false when UserName/Password are supplied
            objProcess.StartInfo.UseShellExecute = false;
            objProcess.StartInfo.UserName = "Senthil.Krishnamoort";
            objProcess.StartInfo.Domain = "Services";
            objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
            objProcess.Start();
        }
        catch (Win32Exception w32E)
        {
            // The process didn't start.
            MessageBox.Show(w32E.Message);
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        finally
        {
            // objProcess stays null if the constructor threw, so guard the Dispose
            if (objProcess != null)
            {
                objProcess.Dispose();
                objProcess = null;
            }
        }
    }

    public static SecureString ConvertToSecureString(string password)
    {
        if (password == null)
            throw new ArgumentNullException("password");
        SecureString secureString = new SecureString();
        foreach (char ch in password)
            secureString.AppendChar(ch);
        secureString.MakeReadOnly();
        return secureString;
    }
Hi Krish0609,
Firstly, please try the following steps:
Service > right-click > Properties > Log On > Allow service to interact with desktop.
Secondly, from your code, I would suggest you use the ProcessStartInfo.Arguments property to set the command-line arguments to use when starting the application.
objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
I suspect this issue may be with how you have converted the password to a secure string.
By the way, here is how to use SSMS command line.
Usage:
sqlwb.exe [-S server_name[\instance_name]] [-d database] [-U user] [-P password] [-E] [file_name[, file_name]] [/?]
[-S The name of the SQL Server instance to which to connect]
[-d The name of the SQL Server database to which to connect]
[-E] Use Windows Authentication to login to SQL Server
[-U The name of the SQL Server login with which to connect]
[-P The password associated with the login]
[file_name[, file_name]] names of files to load
[-nosplash] Supress splash screen
[/?] Displays this usage information
Please also refer to Bruce Prang's Blog
to learn more.
Best regards,
kristin
-
Use SIA service account for SQL Server reporting connections (BIP4.1)
Is it possible to use the SIA service account as a proxy for a SQL Server connection using OLE DB? This way, anytime a report was refreshed, the SIA service account would be used when authenticating to the reporting database? This is a common pattern in software development to minimize database maintenance (when there is sufficient security being enforced at the application layer - BOBJ provides this).
This would make SQL Server database security management very easy for the DBAs (just add the BOBJ service account to the database and assign dbreader).
I would think this would be an option, but a Relational Connection only provides the following 3 Authentication modes when using the IDT to create and publish a Relational Connection (OLEDB/MSSQL):
Use BusinessObjects credential mapping
This takes the username and password from the "Database Credentials" section of the BusinessObjects User object for the user in the current session. It passes the info as hard-coded SQL authentication.
Use single sign-on when refreshing reports at view time
This is ONLY for end-to-end single-sign-on (as the error message in the next paragraph specifies) and uses the Windows AD credentials for the user in the current session. It is this method of authentication that I'd like to use, i.e. Windows Integrated Security, but I'd like to have the SIA account act as the account that makes the connection, not end-to-end.
Use specified username and password
This is for hard-coding usernames and passwords (only SQL authentication in OLE DB).
I've tried leaving the "Cache security context" option OFF in Windows AD Authentication settings, hoping it would default to using the service account for authentication to the database... to no avail. It fails during tests in the IDT with the message:
"Single Sign-On failed in the CMS. Please contact your system administrator for details. : The authentication provider (secWinAD) associated with this logon session does not have inter-process Single Sign-On enabled. Contact your system administrator for details. (FWB 00019)"
Alternatively, a SQL user could be hard-coded into the connection (same simple maintenance on the DBA side), but we'd really like to rely on Windows Integrated Security if possible!
Is there a way?
Any help is greatly appreciated!
David
Hey David,
Did you ever solve this? We get the same SSO error when indexing information spaces in Explorer.
Thanks,
Brandon -
Group managed service accounts for SQL Server
Hey guys,
Unfortunately I missed that (g/s)MSAs aren't supported yet for SQL Server, but I've been using them without any worries for ages.
As I dug a bit deeper I found different information in the related TechNet entries. So it seems Microsoft's information about (s)MSAs and gMSAs isn't consistent.
I'm not a SQL Server guy and use SQL only for System Center testing stuff, so I would like to get real-world experiences from SQL Server guys.
Should I continue using gMSAs or are there any worries I should know about?
some sources I found so far:
Not supported:
"Hi Adam,
Thank you for your feedback. Windows Server 2012 Group Managed Service Account is not currently supported as SQL 2012 released earlier than Windows Server 2012. We will consider to support gMSA in future SQL Server release.
Regards,
Min He, Program Manager, SQL Server"
11.2012 -
https://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-Clusters
gMSA are not yet available, are not yet supported for SQL Server. gMSA exist and are available and supported in Windows Server 2012 and higher. SQL does not support them , but
from an OS perspective, they exist and are supported.
http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
Within the FAQ Task Scheduler isn't supported as well ...
http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
... but PFEs are also using them for tasks... this is confusing... 0o
http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx
supported?:
Configure Windows Service Accounts and Permissions
... New Account Types Available with Windows 7 and Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx#Default_Accts
The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
Other sources don't mention s/gMSAs...
I couldn't find clear information about using gMSA for SQL Server 2014,
only the same page, which also looks like the page for 2008 R2 and SQL 2012.
Configure Windows Service Accounts and Permissions
SQL Server 2014
http://msdn.microsoft.com/en-us/library/ms143504.aspx
annoying topic so far... ;)
Hi Enrico,
aside from what Dan says about the risk for support, on which I agree, the following thread may clear it up a bit:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/acb2048c-ffce-4d44-b882-6aafc7eb689d/managed-service-accounts-to-run-sql-server-service?forum=sqlsecurity
Andreas Wolter (Blog |
Twitter)
MCM - Microsoft Certified Master SQL Server 2008
MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
www.andreas-wolter.com |
www.SarpedonQualityLab.com -
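As an added example that is not from the thread or from any of the Microsoft pages linked in it: provisioning a group managed service account with the ActiveDirectory module and verifying, on the host that will run the service, that it can actually retrieve the managed password. That verification is the check worth running before pointing any service at the account, whatever the support statement for a given product says. The gMSA name, host name and password interval are placeholders.

```powershell
# Added example, not from the thread. Run the first part on a DC or RSAT host as a user
# allowed to create service accounts; run the second part on the service host itself.
Import-Module ActiveDirectory

$gmsaName = 'svc-sqltest'   # placeholder gMSA name
$hostName = 'SQLTEST01'     # placeholder computer allowed to retrieve the password
$domain   = Get-ADDomain

# A KDS root key must exist once per forest before any gMSA can be created.
# Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours for replication.
# Lab only: backdating the effective time makes the key usable at once.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Create the gMSA: only the named host may fetch the password (least privilege),
# and the password is rotated automatically every 30 days without anyone knowing it.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword ($hostName + '$') `
    -ManagedPasswordIntervalInDays 30

# --- On the host itself, after its computer account has refreshed its Kerberos ticket ---
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$hostName cannot retrieve the managed password for $gmsaName; check PrincipalsAllowedToRetrieveManagedPassword"
}
# The service is then configured with logon name DOMAIN\svc-sqltest$ and an empty password.
# For SQL Server do this in SQL Server Configuration Manager, which also grants the
# engine's file and registry ACLs to the new account.
```

Test-ADServiceAccount returning False on the host is the usual symptom of the host not being in the PrincipalsAllowedToRetrieveManagedPassword set yet (or of its Kerberos ticket predating that change), and is far easier to diagnose here than as a service that refuses to start.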
Question : Service Accounts for SQL Server 2012
Hello,
I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
I was reading the following
Configure Windows Service Accounts and Permissions
and
Windows Privileges and Rights
Is there a recommendation / document that would list the association of SQL Server services with Active Directory service accounts / privileges required for installation and starting the services?
Isn't it recommended to create a separate account for every service, and that they should not be local accounts?
Hope to hear soon as to what industry standards are being followed for production systems.
Thank you very much in advance.
Regards
Nikunj
From MSDN:
Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed
at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should
not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
From Glen Berry's Blog:
You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular, domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine
where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS),
or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more
secure and more resilient, since a problem with one account won’t affect all of the SQL Server Services.
Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup
program. You are going to want to make sure that the accounts don’t have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure
location.
Please Mark This As Answer if it solved your issue
Please Mark This As Helpful if it helps to solve your issue
Thanks,
Shashikant -
Deleted "Managed Service Accounts" Container
Unaware that the container was created as part of our 2008 R2 AD Upgrade I deleted this container (thinking that another admin was doubling up efforts) on a pre-existing "Service Accounts" OU that was created in the past. While doing some
research months later, I was looking for a better way to deploy service accounts and ran across this new container. I looked for various ways of recovering this including:
ldp
adrestore
browsing for the object via adexplorer.exe
I'm unable to see the object so I think my next option is to either recreate it via some sort of script or some form of re installation. This is a highly utilized production environment therefore I'm looking for the least invasive way of
approaching this. If it is going to be a huge hassle we'll continue down the road of the specific OU already designated and continue using policies to limit their access to the systems.
Thanks in advance!
Kyle
Delete the following container as well: d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d
As the operations for the "Managed Service Accounts" container performed by adprep are as shown below. (If this doesn't help, e.g. adprep still doesn't try to re-run the operation, remove the value of the revision attribute for CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=ForestRootDomain
- it should be '5' now.)
Operation 75: {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}
Create the following object:
• CN=Managed Service Accounts
Attributes:
• objectClass: Container
• Description: Default container for managed services accounts
• ShowInAdvancedViewOnly: FALSE
Permissions:
• (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
• (A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)
• (OA;;CCDC;ce206244-5827-4a86-ba1c-1c0c386c1b64;;AO)
• (OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
• (OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
• (A;;RPLCLORC;;;AU)
Operation 76: {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}
Add the following value to the multivalued attribute otherWellKnownObject of the domain directory partition:
• B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,<distinguished name of the domain>
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
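An added example, not from the thread or from Christoffer's answer: a PowerShell script that performs the two adprep operations listed above by hand, creating the container with its attributes and DACL (Operation 75) and registering it in the domain's otherWellKnownObjects attribute (Operation 76), for the case where re-running adprep is not an option. It assumes the ActiveDirectory module (and its AD: drive), Domain Admin rights, and a fresh system state backup; the SDDL ACEs and the well-known-object GUID are copied from the answer.

```powershell
# Added example, not from the thread. Run as a Domain Admin on a DC or RSAT host.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$domainDN = (Get-ADDomain).DistinguishedName
$msaDN    = "CN=Managed Service Accounts,$domainDN"

# --- Operation 75: create the container and its attributes ---
$existing = Get-ADObject -Filter "distinguishedName -eq '$msaDN'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name 'Managed Service Accounts' -Type container -Path $domainDN `
        -Description 'Default container for managed services accounts' `
        -OtherAttributes @{ showInAdvancedViewOnly = $false }
}

# DACL from the answer as one SDDL string (SY = SYSTEM, DA = Domain Admins,
# AO = Account Operators, AU = Authenticated Users; the three OA ACEs let Account
# Operators create gMSA, user and computer objects in the container).
$dacl = 'D:' +
    '(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)' +
    '(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)' +
    '(OA;;CCDC;ce206244-5827-4a86-ba1c-1c0c386c1b64;;AO)' +
    '(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)' +
    '(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)' +
    '(A;;RPLCLORC;;;AU)'

$acl = Get-Acl -Path "AD:\$msaDN"
# Replace only the DACL; owner, group and SACL stay as created.
$acl.SetSecurityDescriptorSddlForm($dacl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path "AD:\$msaDN" -AclObject $acl

# --- Operation 76: register the container as the well-known MSA container ---
$wko = "B:32:1EB93889E40C45DF9F0C64D23BBB6237:$msaDN"
$domainObj = Get-ADObject -Identity $domainDN -Properties otherWellKnownObjects
if ($domainObj.otherWellKnownObjects -notcontains $wko) {
    Set-ADObject -Identity $domainDN -Add @{ otherWellKnownObjects = $wko }
}

# Verify what was created
Get-ADObject -Identity $msaDN -Properties showInAdvancedViewOnly, description |
    Format-List Name, ObjectClass, description, showInAdvancedViewOnly
```

The otherWellKnownObjects entry is the part that tools such as New-ADServiceAccount rely on to find the default container, so a container that merely has the right name is not enough; the script checks for the value before adding it so it can be re-run safely.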
Using Managed Service Accounts for App Activities
I know and understand the introduction of Windows service accounts, and how various applications run as a Windows service account or a virtual account. I also know that one can connect to things such as a file share etc. using a Managed Service Account.
Has anyone ever tried to do anything like FTP or anything with a Managed Service Account?
If so, can you provide locations where this information is documented?
Currently we have applications & scripts that rely on things like FTP for doing their various jobs; these apps & scripts use domain creds like FTPUser to connect to the FTP service. Having these domain-level (user accounts) for these types of tasks
is a maintenance nightmare and a security risk. I would like to replace FTPUser with something like TRANS_APP_FTP_USER$ (Managed Service Account) so that the transfer app will use an MSA instead of a domain account to connect to the FTP server.
So far all the docs I've seen have explained how to get the TransApp to run using an MSA... but I want the TransApp to connect to something like an FTP server.
Some documentation (links) discussing this would be helpful.
Hi,
>>these apps & scripts use, domain creds like FTPUser to connect to the FTP service. Having these domain level (user accounts) for these types of a tasks
is a maintenance nightmare and a security risk.
As stated in the Wikipedia article:
FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects
the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS).
File Transfer Protocol
http://en.wikipedia.org/wiki/File_Transfer_Protocol
Besides, for FTP related questions, in order to get better help, it’s recommended that we ask for suggestions in the following IIS forum.
IIS
http://forums.iis.net/
Best regards,
Frank Shen -
NT Authority and NT Service Accounts
I have the following logins on my SQL Server with sysadmin privileges.
NT AUTHORITY\SYSTEM
NT SERVICE\{instance name}
NT SERVICE\SQLAgent{instance name}
NT SERVICE\SQLWriter (for SQL2012)
NT SERVICE\Winmgmt (for SQL2012)
If I use a domain service account on my Sql Server and Sql Server Agent services (Log on as:),
1. do I need Logins mentioned above as sysadmin?
2. can / should I remove them as security hardening?
on SQL Server 2008 and SQL Server 2012
thanks
Thanks! So, I should just remove SYSADMIN from those logins, correct?
Edit: Report findings - NT SERVICE\SQLSERVERAGENT does need SYSADMIN. Else, SQL Server Agent service cannot be started.
Hi Amy2013,
According to the discussion in the similar
blog, it depends on the software and services in use that if there is any downside impact on revoking "sysadmin" privileges on these logins.
In addition, particularly, for the NT SERVICE\winmgmt login, if you revoke “sysadmin" privileges on it, please ensure that it is configured with the following permissions:
• Membership in the db_ddladmin or db_owner fixed database roles in the msdb database.
• CREATE DDL EVENT NOTIFICATION permission in the server.
• CREATE TRACE EVENT NOTIFICATION permission in the Database Engine.
• VIEW ANY DATABASE server-level permission.
Reference:
Configure Windows Service Accounts and Permissions
Thanks,
Lydia Zhang
Lydia Zhang
TechNet Community Support -
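As an added example, not from the thread or from Microsoft: a PowerShell script that first audits which built-in service logins hold sysadmin, then grants NT SERVICE\winmgmt exactly the four permissions Lydia lists before dropping it from sysadmin. It assumes the SqlServer (or SQLPS) module for Invoke-Sqlcmd and a login allowed to grant server permissions; the instance name is a placeholder. NT SERVICE\SQLSERVERAGENT is deliberately left alone, since Amy's edit reports that the Agent service will not start without sysadmin.

```powershell
# Added example, not from the thread. Needs the SqlServer (or SQLPS) module for Invoke-Sqlcmd;
# $ServerInstance is a placeholder.

function Get-SysadminServiceLogins {
    # Audit first: which built-in service logins currently hold sysadmin?
    param([Parameter(Mandatory)][string]$ServerInstance)
    $query = @"
SELECT sp.name,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')
  AND (sp.name LIKE 'NT SERVICE\%' OR sp.name = 'NT AUTHORITY\SYSTEM');
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query
}

function Set-WinmgmtLeastPrivilege {
    # Grant NT SERVICE\winmgmt the permissions from the answer, then drop sysadmin.
    # NT SERVICE\SQLSERVERAGENT is intentionally not touched: SQL Server Agent will not
    # start without sysadmin, as reported in the thread.
    param([Parameter(Mandatory)][string]$ServerInstance)
    $login = 'NT SERVICE\winmgmt'
    $script = @"
USE msdb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
-- db_ddladmin is the lesser of the two msdb roles the answer allows (the other is db_owner)
ALTER ROLE db_ddladmin ADD MEMBER [$login];          -- SQL 2012+; on 2008: EXEC sp_addrolemember 'db_ddladmin', '$login'
USE master;
GRANT CREATE DDL EVENT NOTIFICATION TO [$login];
GRANT CREATE TRACE EVENT NOTIFICATION TO [$login];
GRANT VIEW ANY DATABASE TO [$login];
ALTER SERVER ROLE sysadmin DROP MEMBER [$login];     -- SQL 2012+; on 2008: EXEC sp_dropsrvrolemember '$login', 'sysadmin'
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $script
}

# Usage (placeholder instance name): review, harden, review again
Get-SysadminServiceLogins -ServerInstance 'SQLHOST01\INST1' | Format-Table -AutoSize
Set-WinmgmtLeastPrivilege  -ServerInstance 'SQLHOST01\INST1'
Get-SysadminServiceLogins -ServerInstance 'SQLHOST01\INST1' | Format-Table -AutoSize
```

Ordering matters: the grants go in before the role is dropped so the WMI provider never passes through a window with no rights at all, and the second audit confirms that only the intended login changed.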
Hi all,
I have read in the documentation (Design Client) that the OIM connector provides a different provisioning process for Service accounts (there are altogether separate tasks for these accounts under process definition) and Normal accounts for each target resource. Could anyone please elaborate for me how to process service account provisioning (if there is any difference), as there is no documentation stating the underlying details.
Hi,
I am having the same concern. I want to implement service account management through OIM; the OOB AD connector provides by default tasks to handle the service account scenario. Please provide suggestions regarding the implementation of service account provisioning; if there is any document related to it, it will be quite helpful.
Thanks
Edited by: user8634889 on Sep 15, 2009 11:09 PM -
Here is the case:
OS environment: Windows 7
There are two user accounts on my system, standard user "S" and administrator account "A", and there is a Windows service running with "Local System" privilege.
Now I am logged in with account "S", and I want to launch an application with the elevated administrator account "A" from that service program, so here is the code snippet:
    // Build assumptions: Unicode, Vista+ SDK (for TokenLinkedToken), MSVC structured exception handling.
    #define UNICODE
    #define _UNICODE
    #define _WIN32_WINNT 0x0600
    #include <windows.h>
    #include <wtsapi32.h>
    #include <userenv.h>
    #include <ntsecapi.h>
    #pragma comment(lib, "wtsapi32.lib")
    #pragma comment(lib, "userenv.lib")
    #pragma comment(lib, "advapi32.lib")

    // Placeholder for the service's own logging macro, which the post does not show.
    #ifndef LOG_FAILED
    #define LOG_FAILED(msg) OutputDebugStringW(msg)
    #endif

    int LaunchAppWithElevatedPrivilege(
        LPTSTR lpszUsername,   // client to log on
        LPTSTR lpszDomain,     // domain of client's account
        LPTSTR lpszPassword,   // client's password
        LPTSTR lpCommandLine)  // command line to execute e.g. L"C:\\windows\\regedit.exe"
    {
        DWORD dwExitCode = 0;
        HANDLE hToken = NULL;
        HANDLE hFullToken = NULL;
        HANDLE hPrimaryFullToken = NULL;
        HANDLE lsa = NULL;
        BOOL bResult = FALSE;
        LUID luid;
        MSV1_0_INTERACTIVE_PROFILE* profile = NULL;
        DWORD err;
        PTOKEN_GROUPS LocalGroups = NULL;
        DWORD dwLength = 0;
        DWORD dwSessionId = 0;
        LPVOID pEnv = NULL;
        DWORD dwCreationFlags = 0;
        PROCESS_INFORMATION pi = {0};
        STARTUPINFO si = {0};
        WTS_SESSION_INFO* sessionInfo = NULL;   // released with WTSFreeMemory in __finally
        DWORD ndSessionInfoCount = 0;

        __try
        {
            // Log the target account on; under UAC this yields the filtered (non-elevated) token.
            if (!LogonUser(lpszUsername, lpszDomain, lpszPassword,
                           LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken))
            {
                LOG_FAILED(L"LogonUser failed!");
                __leave;
            }

            // TokenLinkedToken (value 19) returns the full, elevated token linked to the filtered one.
            if (!GetTokenInformation(hToken, TokenLinkedToken, (VOID*)&hFullToken,
                                     sizeof(HANDLE), &dwLength))
            {
                LOG_FAILED(L"GetTokenInformation failed!");
                __leave;
            }

            // The linked token is an impersonation token; CreateProcessAsUser needs a primary token.
            if (!DuplicateTokenEx(hFullToken, MAXIMUM_ALLOWED, NULL,
                                  SecurityIdentification, TokenPrimary, &hPrimaryFullToken))
            {
                LOG_FAILED(L"DuplicateTokenEx failed!");
                __leave;
            }

            // Find the active (console or remote) session so the window appears where the user is.
            bResult = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &sessionInfo, &ndSessionInfoCount);
            if (!bResult)
            {
                dwSessionId = WTSGetActiveConsoleSessionId();
            }
            else
            {
                for (unsigned int i = 0; i < ndSessionInfoCount; i++)
                {
                    if (sessionInfo[i].State == WTSActive)
                        dwSessionId = sessionInfo[i].SessionId;
                }
            }
            if (0 == dwSessionId)
            {
                LOG_FAILED(L"Get active session id failed!");
                __leave;
            }

            // Changing a token's session id requires SeTcbPrivilege, which the service has as LocalSystem.
            if (!SetTokenInformation(hPrimaryFullToken, TokenSessionId, &dwSessionId, sizeof(DWORD)))
            {
                LOG_FAILED(L"SetTokenInformation failed!");
                __leave;
            }

            if (CreateEnvironmentBlock(&pEnv, hPrimaryFullToken, FALSE))
                dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
            else
                pEnv = NULL;

            if (!ImpersonateLoggedOnUser(hPrimaryFullToken))
            {
                LOG_FAILED(L"ImpersonateLoggedOnUser failed!");
                __leave;
            }

            si.cb = sizeof(STARTUPINFO);
            si.lpDesktop = L"winsta0\\default";
            bResult = CreateProcessAsUser(
                hPrimaryFullToken,  // client's access token
                NULL,               // file to execute
                lpCommandLine,      // command line
                NULL,               // pointer to process SECURITY_ATTRIBUTES
                NULL,               // pointer to thread SECURITY_ATTRIBUTES
                FALSE,              // handles are not inheritable
                dwCreationFlags,    // creation flags
                pEnv,               // pointer to new environment block
                NULL,               // name of current directory
                &si,                // pointer to STARTUPINFO structure
                &pi);               // receives information about new process
            RevertToSelf();

            if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)
            {
                WaitForSingleObject(pi.hProcess, INFINITE);
                GetExitCodeProcess(pi.hProcess, &dwExitCode);
            }
            else
            {
                LOG_FAILED(L"CreateProcessAsUser failed!");
            }
        }
        __finally
        {
            // pi is zero-initialised, so unset handles are NULL rather than INVALID_HANDLE_VALUE
            if (pi.hProcess)
                CloseHandle(pi.hProcess);
            if (pi.hThread)
                CloseHandle(pi.hThread);
            if (sessionInfo)
                WTSFreeMemory(sessionInfo);
            if (LocalGroups)
                LocalFree(LocalGroups);
            if (pEnv)
                DestroyEnvironmentBlock(pEnv);
            if (hToken)
                CloseHandle(hToken);
            if (hFullToken)
                CloseHandle(hFullToken);
            if (hPrimaryFullToken)
                CloseHandle(hPrimaryFullToken);
        }
        return dwExitCode;
    }
I passed in the username and password of account "A" to the method "LaunchAppWithElevatedPrivilege", and also the application I want to launch, e.g. "C:\windows\regedit.exe", but when I run the service program, I found it does launch
"regedit.exe" with the elevated account "A", but the content of regedit.exe is pure black. Screenshot as below:
Can anyone help me on this?
Your code is not dealing with the DACL access to Winsta0\Default. Only the LocalSystem account and the interactively logged on user will have full access, which is why regedit is not displaying properly. You'll need to grant access to your user.
You also need to deal with UAC since that code is going to give you a non-elevated token via LogonUser(). You need to get the full token via a call to GetTokenInformation() + TokenLinkedToken.
thanks
Frank K [MSFT]
Follow us on Twitter, www.twitter.com/WindowsSDK. -
Environment:
OS: Windows 7 32/64 bit, Windows 2008 Server 64
bit/ Windows 2012 Server 64 bit
Priority:
- Critical
Requirement: - Since
the Windows Service is running under the Local System Account, we would like to emulate this same behaviour.
Basically, we would like to run CMD.EXE under the Local System Account. So that we can map a network drive to be used by a service using following
command
net use z: \\servername\sharedfolder /persistent:yes.
Already attempted:
1. We tried to launch CMD.exe using the DOS Task Scheduler AT command. Here's a sample command:
AT 10:36 /interactive cmd.exe
But I received a warning that “due to security enhancements, this task will run at the time expected but not interactively.”
It turns out that this approach will work for XP, 2000 and Server 2003, but due to session isolation, interactive services no longer work on Windows 7, Windows Server 2008 and above.
2. We tried to create a secondary Windows Service via the Service Control tool (sc.exe) which merely launches CMD.exe.
<Drive>:\sc create RunCMDAsLSA binpath= "cmd" type=own type=interact
<Drive>:\sc start RunCMDAsLSA
In this case the service fails to start and results in the following error message:
FAILED 1053: The service did not respond to the start or control request in a timely fashion.
3. One suggestion we found was to launch CMD.exe via a Scheduled Task, but it does not give any option to launch CMD.exe in interactive mode so that I can map a network drive using the net command.
4. I read an article which demonstrates the use of PSTools from SysInternals. I launched the command line and executed the following command
psexec -i -s cmd.exe
PSTools worked fine, but it seems that under the Sysinternals Software License Terms you may not "use the software for commercial software hosting services."
The application will be deployed on the client, which will be like commercial, so we are not able to use PSTools.
Kindly assist us for achieving the requirement. We have tried all the ways, but nothing is working for us. Kindly suggest.
I will be really thankful.
Hi Sir,
Nothing from the above worked for us. You can see our remarks on the posted query.
That's why we posted on the forum.
And there will not be any vulnerability, because if we use "net use ..." in the network domain, we will definitely provide the username and password of the mapped drive system.
And that system itself is given by the client, so there must not be any vulnerability; they are ready to provide the user name and password.
We need a way by which we can complete the requirement. Kindly assist.
Regards,
S. P. Singh -
Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts
Hi Folks,
I am an experienced .NET apps developer who has been tasked with writing a bunch of technical controls for all the SQL Server instances on a domain.
So for the last month I have been diving in the deep end learning Powershell, dba and infrastructure tasks. This is still a work in progress, so be kind to me.. ;o)
So the task I am stuck on is described in the section on 'Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts' http://technet.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
I have not been able to find cmdlets that give me this information. I have found some exes which come frustratingly close, like NTRights.exe. This lets me specify a computer name, which is great, but only seems to let you set or deny permissions, not just
list them!
Any help with this would be very much appreciated as I am firmly stuck. As per comments above also bear in mind that up until around 1.5 months ago I had never used powershell / knew very much at all about SQL server admin etc. Feeling much more comfortable
with them now, but much less so with Active Directory/ windows permission structures etc so please can I ask anyone kind enough to reply to try and keep the acronyms down as much as humanly possible.. ;o)
Cheers
Kieron
Hi Kieron,
Take a look at this module, it makes permissions much easier to work with than what's currently available:
https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
Don't retire TechNet! -
(Don't give up yet - 13,085+ strong and growing) -
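As an added example, not from the thread or from the linked PowerShellAccessControl module: a PowerShell function that lists user-rights assignments (the privileges covered by the "Reviewing Windows NT Rights and Privileges" section Kieron cites) by exporting the local security policy with secedit and parsing its [Privilege Rights] section, then a second function that joins that list to the logon accounts of the SQL Server engine and Agent services. It assumes an elevated local session; for other servers, wrap the call in Invoke-Command.

```powershell
# Added example, not from the thread. secedit needs an elevated session; the export
# lists SIDs, which are translated back to account names here.

function Get-UserRightsAssignment {
    param(
        [string]$AccountFilter = '*'   # wildcard on the resolved account name
    )
    $inf = Join-Path $env:TEMP "user-rights-$PID.inf"
    # Export only the user-rights area of the local security policy (a UTF-16 INI file)
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (is the session elevated?)' }
    try {
        $inRights = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inRights = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inRights) { continue }
            # Lines look like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                foreach ($entry in ($Matches[2] -split ',')) {
                    $entry = $entry.Trim()
                    if (-not $entry) { continue }
                    $name = $entry
                    if ($entry.StartsWith('*')) {
                        # '*S-1-5-...' is a SID; keep the raw SID if it no longer resolves (orphaned grant)
                        try {
                            $sid  = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch { $name = $entry.Substring(1) }
                    }
                    if ($name -like $AccountFilter) {
                        [pscustomobject]@{ Account = $name; Right = $right }
                    }
                }
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-SqlServiceAccountRights {
    # Rights held by the accounts that run the SQL Server engine and Agent services
    $accounts = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' -or $_.Name -eq 'SQLSERVERAGENT' } |
        ForEach-Object { $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\" } |
        Sort-Object -Unique
    Get-UserRightsAssignment |
        Where-Object { $accounts -contains $_.Account } |
        Sort-Object Account, Right
}

Get-SqlServiceAccountRights | Format-Table -AutoSize
```

Unlike NTRights.exe, this only reads: the output is the per-account list of privileges (SeServiceLogonRight, SeLockMemoryPrivilege, and so on) that the review compares against what the setup program is documented to grant, and unresolved SIDs in the output point at grants left behind by accounts that no longer exist.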
Make WDS Service account approve pending devices in WINDOWS DEPLOYMENT SERVICES
Hi Technet and all other people reading this.
I am at the moment trying to get a service account (WDSService) to approve pending devices in Windows Deployment Services on a WDS server.
I have created a domain called LALALA.dk on a server (DNS is included in the domain), and installed Windows Deployment Services on another server. The deployment service is set up to prestage devices, and therefore devices need to be approved before they can
be deployed.
My problem is that at the moment we are using Domain Admin accounts to do the approving, and I wish to change that to a service account made specially for this job, which ofc. should have minimum rights. Because I have a very hard time understanding
why I NEED to grant domain admin rights or local admin rights to a person just so that he can approve pending devices. There has to be a way to use a service account to do the job.
I have done some research and found out that local admins, domain admins and enterprise admins are the only ones that have the permission to approve pending devices, and that's a problem for me when I want a service account to do it for me (not automatically)
but a service account that can name and approve devices manually.
Here is what I have already tried.
1. Making WDSService run the Windows Deployment Services (service), but this didn't work because it lacks the permissions needed.
2. I have given it read+write permissions on the RemoteInstall folder, even tried with full control.
3. Delegate control on the OU in Active Directory, to create computer objects, with full write permissions. I also tried with full control. I added both WDSServer$ and the service account (WDSService) on the OU. Still nothing.
4. I then downloaded the subinacl tool, and granted the WDSService account permission to start and stop the service, even tried with full control on the Windows Deployment Service (WDSServer as server_name). I get error 1297, something about a privilege missing from the
service account to perform the actions. So still nothing. Which is really weird when I ran a command (I can't remember it now) where I could see that the service account had full permission granted to the service, and still wasn't able to start the service.
5. I then tried to create a script using WDSUTIL, but was not able to grant the service account permissions to perform the action of approving pending devices. And I don't want to use a script every time I need to approve a device.
6. Since the local system account is running the Windows Deployment Service, my thought was to join the WDSService account to the built-in NT AUTHORITY/local system or NT AUTHORITY/local service; this seems impossible from what I experienced, unless you
are a super PowerShell geek I guess you can, so this option didn't get me anywhere as well.
7. I then created a GPO granting the WDSService account the "log on as a service" policy on the Windows Deployment Services server; still nothing works as intended. I still get error 1297.
8. I tried copying the registry keys (WDSSERVER) from the HKEY_LOCAL_MACHINE hive on the WDS server, and imported them into my domain's registry, but couldn't find the service I wanted to grant permissions to in the group policy settings (computer configuration/policies/windows
settings/security settings/System Services). I then created a registry entry with group policy (computer configuration/policies/windows settings/security settings/registry) to point to (local machine/system/controlset001/services/WDSServer), granting
the WDSService account full control, and deployed the policy to the deployment server. Nothing happened and I still can't approve pending devices with my service account.
From my understanding, service accounts were created to maintain small, specific tasks or actions with limited permissions, so if compromised they could only do very little damage, and so that such an account can be set up to perform the tasks without any administration
of the account. So my question is: is it even possible to achieve what I want, i.e. granting a service account the permission to perform the action of approving pending devices on a Windows Deployment Server, and if so, how?
I am so confused over this and I am really reaching the limits of my understanding of this.
Help is very much appreciated.
Henrik LarsenHi ZeR1X,
The Require Administrator approval is for unknown computers.
The similar thread:
WDS - Request administrator approval not working
https://social.technet.microsoft.com/Forums/windowsserver/en-US/b9088be7-7afe-4e2b-b5fb-4554a92c4a2a/wds-request-administrator-approval-not-working
More information:
Windows Deployment Service fails to start with error information of 0x5
http://support.microsoft.com/kb/2009647
WDS 3.01 Troubleshooting Guide
http://technet.microsoft.com/en-us/library/cc754828(v=ws.10).aspx
I’m glad to be of help to you!
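The reply above confirms that approval is an administrator-only operation and links to troubleshooting material, but it does not answer the actual question, which is how to let a non-admin account approve pending devices. One way to do that, as an added example that is not from the thread or from Microsoft's documentation, is a Just Enough Administration (JEA) endpoint on the WDS server: the connecting account stays a plain domain user, the session runs as a transient virtual account that is a local administrator (which is what WDS requires), and the session exposes nothing except the pending-client cmdlets. This assumes a newer platform than the one in the post (the WDS PowerShell module needs Server 2012 or later and JEA needs WMF 5.0 / Server 2016 or later); the group LALALA\WDS-Approvers, the endpoint name WdsApprove and the host name wds01 are made up for the example.

```powershell
# Added example, not from the thread or from Microsoft docs. Run once, elevated,
# on the WDS server. Assumed names: group LALALA\WDS-Approvers (holds the
# non-admin operator/service account), endpoint 'WdsApprove', server wds01.
# Needs the WDS PowerShell module (Server 2012+) and JEA (WMF 5.0 / Server 2016+).

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\WdsApproveJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# A manifest makes the folder a module, which is where JEA looks for .psrc files.
New-ModuleManifest -Path (Join-Path $moduleRoot 'WdsApproveJea.psd1')

# Role capability: the only commands the role may run, with a parameter
# allow-list so it cannot reach other WDS objects. DeviceName is pinned to a
# NetBIOS-safe pattern so the role cannot push odd names into AD.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'WdsApprover.psrc') `
    -ModulesToImport 'WDS' `
    -VisibleCmdlets @(
        @{ Name = 'Get-WdsClient'
           Parameters = @{ Name = 'PendingClientStatus' }, @{ Name = 'RequestId' } },
        @{ Name = 'Approve-WdsClient'
           Parameters = @{ Name = 'RequestId' },
                        @{ Name = 'DeviceName'; ValidatePattern = '^[A-Za-z0-9-]{1,15}$' } },
        @{ Name = 'Deny-WdsClient'
           Parameters = @{ Name = 'RequestId' } }
    )

# Session configuration: connecting users run as a transient virtual account
# (a local Administrator by default, which is what WDS approval needs) in a
# RestrictedRemoteServer session that exposes only the role's commands, with
# a transcript of every session kept for audit.
New-Item -ItemType Directory -Path 'C:\JEA-Transcripts' -Force | Out-Null
New-PSSessionConfigurationFile -Path (Join-Path $moduleRoot 'WdsApprove.pssc') `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'LALALA\WDS-Approvers' = @{ RoleCapabilities = 'WdsApprover' } }

Register-PSSessionConfiguration -Name 'WdsApprove' `
    -Path (Join-Path $moduleRoot 'WdsApprove.pssc') -Force | Out-Null

# Daily use from any workstation, as a WDS-Approvers member with no admin rights:
#   Enter-PSSession -ComputerName wds01 -ConfigurationName WdsApprove
#   Get-WdsClient -PendingClientStatus Pending
#   Approve-WdsClient -RequestId 7 -DeviceName LAB-PC-07
#   Deny-WdsClient -RequestId 8
```

The design point is that the privilege is held by the endpoint, not by the person: the operator account never becomes a local or domain administrator, cannot start or stop the WDSServer service, and cannot run anything outside the three listed cmdlets, while the transcript directory gives the security team a record of every approval. The same pattern works for any other single administrative action that a product only permits to administrators.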
Hi all,
I'm running into a problem when trying to sysprep and deploy a Windows 7 image with Business Contact Manager pre-installed during audit mode. Before anyone shouts, I have posted the main question in the Windows 7 deployment forum, but I would like some additional help as to what the "NT Service" accounts are for with regards to the BCM installation.
During the installation of BCM, we get an installation of MSSQL, and during this installation MSSQL creates three user accounts used by the "NT Service" account:
MSSQL$MSSMLBIZ
MSSQLFLDLauncher$MSSMLBIZ
ReportServer$MSSMLBIZ
When you run sysprep with the /generalize option, and use CopyProfile in the specialize pass, sysprep copies the profile information from the last 'changed' profile. Whilst this should be the Administrator profile (as far as I can see), what is happening is that the profile from 'ReportServer$MSSMLBIZ' is being used.
The rule of thumb when using the CopyProfile option is to ensure that only ONE account is present, i.e. the current administrator profile. The easy option is therefore just to delete the MSSQL accounts.
In the current state of play, even after I deploy the generalized image (with the copied 'ReportServer$MSSMLBIZ' account), I end up with only three users when looking at "Manage --> Local Users and Groups" (the Administrator, Guest (disabled) and HomeGroupUser$ user), so all the above "NT Service\MSSQL" accounts disappear during the sysprep process in any case.
I'm not sure what the effect will be on BCM for the end user. Does anyone have any suggestions as to what might be the best course of action?
Cheers
Chris

I don't suppose anyone has got any clue about these users, what they do and how best to then deploy BCM as part of an image?
Chris
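The thread never got an answer, so here is an added example (not from the thread) of the inventory a practitioner would run on the reference machine before sysprep. It classifies every service logon account (built-in identity, NT SERVICE\ virtual account, gMSA or computer account, or a real user account), lists the profile folders on disk with their last-use time so you can see which profile a CopyProfile run would be looking at, and flags any real user account used by a service that is also a local administrator. It assumes nothing about the machine beyond PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread. Inventory of service logon accounts and of
# user profiles on the reference machine; run elevated before sysprep. Nothing is
# assumed about the machine: it reads the local SCM, WMI and profile list.

function Get-LogonAccountKind {
    # Classify a Win32_Service.StartName value.
    param([string]$StartName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'none (kernel driver)' }
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService))$') { return 'built-in' }
    if ($StartName -match '^NT SERVICE\\') { return 'virtual account' }  # SCM-managed, not a local user object
    if ($StartName -match '\$$')           { return 'gMSA/computer' }
    return 'user account'
}

function Resolve-LogonName {
    # Normalise ".\name" (local account) to "COMPUTERNAME\name" so it compares with group listings.
    param([string]$StartName)
    return ($StartName -replace '^\.\\', "$env:COMPUTERNAME\")
}

# 1. Every service that does not run as one of the built-in identities.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        Account   = Resolve-LogonName $_.StartName
        Kind      = Get-LogonAccountKind $_.StartName
        State     = $_.State
        StartMode = $_.StartMode
    }
}
"== Services not running as a built-in identity =="
$services | Where-Object { $_.Kind -ne 'built-in' } | Sort-Object Kind, Name | Format-Table -AutoSize

# 2. Profiles on disk, most recently used first. Virtual accounts such as
#    NT SERVICE\MSSQL$MSSMLBIZ get a folder under C:\Users even though they never
#    appear in Local Users and Groups, so this is where a stray profile shows up.
"== User profiles, most recently used first =="
Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
    $sid = $_.SID
    $account = try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }  # orphaned SID
    [pscustomobject]@{ Account = $account; Path = $_.LocalPath; LastUse = $_.LastUseTime; Loaded = $_.Loaded }
} | Sort-Object LastUse -Descending | Format-Table -AutoSize

# 3. Service logon accounts that are also local Administrators. A reviewer will ask
#    about each of these; each is a candidate for a virtual account or a least-privilege user.
$admins = Get-CimInstance Win32_GroupUser |
    Where-Object { $_.GroupComponent.Name -eq 'Administrators' -and $_.GroupComponent.Domain -eq $env:COMPUTERNAME } |
    ForEach-Object { '{0}\{1}' -f $_.PartComponent.Domain, $_.PartComponent.Name }
"== Service accounts that are local Administrators =="
$services | Where-Object { $_.Kind -eq 'user account' -and $admins -contains $_.Account } |
    Format-Table Name, Account, State -AutoSize
```

The second listing is the one that matters for the CopyProfile problem: a profile folder belonging to an NT SERVICE\ identity is created by the Service Control Manager, not by a local user object, which is why those "users" are absent from Local Users and Groups both before and after deployment. The third listing is the one a security review asks for, and it is cheap to keep in a build checklist.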
SPUserCodeV4 (Windows Service): what account to run this service as
Hi, I'm getting the feared:
The server farm account should not be used for other services.
Service:
SPUserCodeV4 (Windows Service)
Any recommendations on what account type I can use for this service? Just a normal domain user?
My Windows service (SharePoint User Code Host) is actually disabled. Not needed here.
br
Bjorn

It is best practice to use unique service accounts for each service app. Service accounts are just domain user accounts that are registered in SharePoint as service accounts in order to manage their password changes.
Start here:
http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=237
I trust that answers your question...
Thanks
C
http://www.cjvandyk.com/blog
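As an added example of what the answer recommends (this is not code from the thread or from the linked blog post), the following finds the Windows services on a SharePoint 2010 server that still log on as the farm account, registers a dedicated plain domain user as a managed account, and re-points the Sandboxed Code Service (SPUserCodeV4) at it. It assumes the SharePoint 2010 Management Shell (PowerShell 2.0, hence Get-WmiObject rather than Get-CimInstance), a farm administrator who is also a local administrator on the server, and a pre-created domain user CONTOSO\svc-spusercode, which is an invented name.

```powershell
# Added example, not from the thread or from the linked blog. Run in the SharePoint 2010
# Management Shell as a farm administrator. CONTOSO\svc-spusercode is an assumed,
# pre-created plain domain user with no special rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name   # e.g. CONTOSO\sp-farm

# 1. Audit: Windows services on this server that log on as the farm account.
#    SPTimerV4 is supposed to; anything else is what the Health Analyzer rule is about.
$offenders = Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -eq $farmAccount -and $_.Name -ne 'SPTimerV4' } |
    Select-Object Name, DisplayName, State, StartMode
"Services running as the farm account ($farmAccount):"
$offenders | Format-Table -AutoSize

# 2. Register the dedicated account as a managed account (once per farm), so that
#    SharePoint owns the password lifecycle instead of an administrator.
$account = 'CONTOSO\svc-spusercode'
$managed = Get-SPManagedAccount -Identity $account -ErrorAction SilentlyContinue
if (-not $managed) {
    $managed = New-SPManagedAccount -Credential (Get-Credential $account)
}

# 3. Re-point the Sandboxed Code Service (SPUserCodeV4) at that account. This is the
#    change Central Administration > Security > Configure service accounts makes.
#    A disabled service still stores a logon account, so the rule keeps firing until
#    the stored identity changes.
$identity = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local.ProcessIdentity
$identity.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::SpecificUser
$identity.Username = $managed.Username
$identity.Update()
$identity.Deploy()     # pushes the logon change to SPUserCodeV4 on every server in the farm

# 4. Verify on this server: should now print CONTOSO\svc-spusercode.
(Get-WmiObject Win32_Service -Filter "Name='SPUserCodeV4'").StartName
```

Step 1 is worth keeping as a standing check, since the farm account is the most privileged identity in a SharePoint farm and the Health Analyzer only reports the services SharePoint itself registers. The account used in step 2 needs no rights beyond "Log on as a service" on the SharePoint servers, which SharePoint grants when it deploys the identity.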