GPO and Service SID?

Similar Messages

• Service SID and setup account for DB engine service

  SQL supports service isolation of access control through granting permissions to the service SID. However, we also can give the privileges to service account. Which one of the service
  SID  and service account has higher priority? If we give the conflicting permissions to service SID and service account, which one will work?

  Hi smileahpu,
  In short, for account rights/privileges, there are two general types Allow and Deny. The "Allow" rights/privileges are combined, and the "Deny" rights/privileges are exclused. The DENY(SE_DENY) rights override the corresponding account
  rights. In this case, either the service account or the service sid is denied on a right, the service is denied on the right.
  To be more detailed, we need to go through the following topics:
  How does system validate a process's privileges while accessing securable objects
  How does per-service SID work while accessing securable objects
  How does Access Control work
  How a process accesses securable objects:
  The system uses an access token to identify the user when a thread(or a process) interacts with a securable object or tries to perform a system task that requires privileges.
  An access token is an object that describes the security context of a process or thread.
  Access token contains lots of information. Two of them are:
  •The security identifier (SID) for the user's account
  •A list of the privileges held by either the user or the user's groups
  Please review the following article for more information:
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx
  How does per-service SID work while accessing securable objects
  For a service without per-Service SID enable, we can image the security context is just from the user(service account). With per-Service SID enabled, we can make a security context that is not just a user, but a user AND a particular process.
  Actually, the per-Service SID's SID and privilege are included the access token directly.
  By checking with Windbg, we can see the service SID was included.
  0:072> !token
  Thread is not impersonating. Using process token...
  TS Session ID: 0
  User: S-1-5-21-3485830563-343820118-176642512-1008
  User Groups:
   00 S-1-5-21-3485830563-343820118-176642512-513
      Attributes - Mandatory Default Enabled
   01 S-1-1-0
      Attributes - Mandatory Default Enabled
   02 S-1-5-21-3485830563-343820118-176642512-1009
      Attributes - Mandatory Default Enabled
   03 S-1-5-32-545
      Attributes - Mandatory Default Enabled
   04 S-1-5-6
      Attributes - Mandatory Default Enabled
   05 S-1-2-1
      Attributes - Mandatory Default Enabled
   06 S-1-5-11
      Attributes - Mandatory Default Enabled
   07 S-1-5-15
      Attributes - Mandatory Default Enabled
   08 S-1-5-113
      Attributes - Mandatory Default Enabled
   09 S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003 < -- service SID
      Attributes - Default Enabled Owner
   10 S-1-5-5-0-274023807
      Attributes - Mandatory Default Enabled Owner LogonId
   11 S-1-2-0
      Attributes - Mandatory Default Enabled
   12 S-1-5-64-10
      Attributes - Mandatory Default Enabled
   13 S-1-16-12288
      Attributes - GroupIntegrity GroupIntegrityEnabled
  Primary Group: S-1-5-21-3485830563-343820118-176642512-513
  Privs:
   00 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes -
   01 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
   02 0x000000013 SeShutdownPrivilege               Attributes -
   03 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
   04 0x000000019 SeUndockPrivilege                 Attributes -
   05 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
   06 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
   07 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
   08 0x000000022 SeTimeZonePrivilege               Attributes -
  Auth ID: 0:105545a6
  Impersonation Level: Anonymous
  TokenType: Primary
  Is restricted token: no.
  SandBoxInert: 0
  Elevation Type: 1 (Default)
  Mandatory Policy: TOKEN_MANDATORY_POLICY_VALID_MASK
  Integrity Level: S-1-16-12288
  Process Trust Level: (null)
  Token Virtualized: Disabled
  UIAccess: 0
  IsAppContainer: 0
  Device Groups:
  How does Access Control work
  Please check from the following article for more information:
  http://technet.microsoft.com/en-us/library/cc740104(v=ws.10).aspx
  In addition, the following articles are helpful for understanding the concepts discussed in this reply:
  http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671(v=vs.85).aspx
  http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
  http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx
  http://blogs.technet.com/b/voy/archive/2007/03/22/per-service-sid.aspx
  Thanks,
  Jinchun Chen

• Per-service SID's are not being granted correct permissions

  Hi,
  I had posted this here :
  https://connect.microsoft.com/SQLServer/feedback/details/770984/per-service-sid-s-are-not-being-granted-correct-permissions, but no response as yet.
  When installing SQL 2012 (on a VMWare VM), based on the following article :
  http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110), I have noticed that the SQL per service SIDs are not being granted the correct permissions. From the initial install, the following is what was observed (the red x's being permissions that
  should have been granted but were not).
  When re-installing and changing from specifying a domain account, to the default values, during set-up, the 4 service SIDs that were not added to 'Log on as a Service' initially were then correctly granted permission, but the other 4 in 'Bypass traverse
  checking', 'Adjust Memory Quotas for a process' and 'Impersonate a Client after authentication' were still not added.
  When running a repair on this install, 'NT Service\MSSQLFDLauncher' was then granted the correct permissions, but 'NT SERVICE\MsDtsServer110' was still missing 'Bypass traverse checking' and 'Impersonate a Client after authentication'.
  This also resulted in the installation of Reporting Services - Native failing in the original installation with 'Attempted to perform an unauthorized operation'.
  If anyone has recently installed SQL 2012, can you check (via gpedit.msc) that the correct 'User Right Assignment' was granted to the per Service SIDs as per
  http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110) ?

  Have you resolved this yet?  Group policy for the OU with my desktop removes all SQL per-service rights.  If group policy is your issue, I'd be interested in how some are retained.  
  Randy in Marin

• Delivery and Service Header Fields in RNIF Receiver Adapter for Rosettanet.

  Hello all,
  I need to populate the Delivery and Service header fields in Rosattenet MIME message in the receiver side. 
  For the sender side RNIF adapter, we can very well use the Adapter Specific message to get those fields from Rosattenet MIME message. But in my scenario, I need to use RNIF as the receiver, which will pick messages from other system and post it to RNIF.
  Also, I have checked the receiver RNIF adapter, there I dont find any adapter specific messages to use.
  Regards,
  UP

  Prasad
  You have not mentioned which RNIF Adapter you are using whether 1.1 or 2.0. I will assume that you are using 2.0.
  If you are using Single action responder the parameters you should configure is given here:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/70/d89d40c1252a54e10000000a1550b0/content.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/fa/6b98403de08368e10000000a1550b0/content.htm
  If you are using Two action responder the parameters you should configure is given here:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/6f/dc9d40759c2b54e10000000a1550b0/content.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/2c/7198403de08368e10000000a1550b0/content.htm
  ---Satish

• Client side load balancing and server side load balancing

  Hello Team,
  I need to know how to set up client and server side load balancing in oracle rac.  What all things to be implemented like creating a service, tnsnames.ora settings etc.
  And also if i used SCAN ip instead of VIP. how the settings will change.
  Regards,

  Hi,
  please find here an Whitepaper with the information
  http://www.oracle.com/technetwork/database/features/availability/maa-wp-11gr2-client-failover-173305.pdf
  kind regards

• Host name, port number and service name

  Hi!
  I have a question that will sound easy and stupid, but not for me.
  during the instal of 9iAS.There is a screen ask to provide the host name,port number and service name.
  Did host anme is only the name of my PC?
  and what is the port number?(windows XP)
  what is the format of the service name (orcl)?
  Thanks
  Kamal

  if you used LDW as the connection/service name when you setup this connection to CMS DB, then no further changes to BOE configurations will be needed.
  If you used the service name PO and now it is changes to NEW_PO - then you'll have to update CMS DB connection info in CCM>SIA>Properties>Connection.
  See Admin guide for details.
  p.s.
  BOE services should be stopped while your changes on Oracle side are done and before you change the TNS file and connection info in CCM.

• GPP and services

  I want to implement Group Policy Preferences (GPP) object, which will set startup type to "Automatic" and service status to "Running" for some of Sophos antivirus Services. Reason: for scenarios when service
  crashes by itself or if it is stopped by non-authorised person.
  I chose the following services:
  - Sophos Agent
  - Sophos AutoUpdate Service
  - Sophos Message Router
  - SAVService (Sophos Anti-Virus)
  But I have a problem with the last one. If I stop all of above services and trigger gpupdate /force command, each service starts up except the SAVService.
  You can see the printscreens of both working scenario (Agent) and non-working scenario (SAV). I tried to change Log-On-As section with:
  - "No change"
  - choosing the user by pressing the "..." button
  - typing the username in the textbox
  So far, without success. Has anyone played with those settings for some other services maybe?
  Any suggestions and directions are welcome.
  PS: I'm unable to upload printscreens, since my account isn't verified yet. I'll upload them ASAP my account is verified.

  Hi Frank, thanks for your help.
  I've already asked the same at Sophos Talk forum/community, but so far no answer. Here is the link:
  http://community.sophos.com/t5/Sophos-EndUser-Protection/GPP-and-Sophos-services/td-p/51316
  Anyway, here is some other useful info:
  - there are many rules who control behavior of different services inside this object. It's not just one rule for one service in one GPO object.
  - here is copy/paste error text which I see in EventViewer at client computer: "The computer 'SAVService' preference item in the 'Servisi_Sophos {67E91736-5DD7-404F-953C-CEB2808C36D0}' Group Policy object did not apply because it failed with error
  code '0x80070005 Dostop je zavrnjen.' This error was suppressed."
  - Frank, I ran the command gpresult. In the report, my GPO object is listed in the "Denied GPOs/Computers" section. The reason is probably I'm using only Group Policy Preferences and none Group Policy setting?
  - when I run Group Policy Result through my GMPC, my GPO object is listed in "Applied GPOs/Computers" section.
  - I still can't upload the images or links. How long does it take to verify my account?
  I believe it's only about the correct credentials which need to be entered in the GPP window.
  Thanks for help!
  Edit: There is part of error message in my language: "Dostop je zavrnjen" This means "Access denied" in English :)

• Handling error on service side

  We have WCF service implemented in our project and it contains very complicated error handling. Pretty much all methods start with Try\catch block which are catching generic exception. Mean catch all. We would like to rework this service and I was trying
  to find some information's about error handling for WCF services. However information's which I found are very confusing. Let's say that we have following OperationContract implementation :
  public IEnumerable<string> GetInstanceUids(string seriesInstanceUid)
  if (string.IsNullOrEmpty(seriesInstanceUid))
  throw new ArgumentException("Given serieInstanceUid can't be null or empty string;");
  return myIsaDataProvider.QueryDicomInstances(seriesInstanceUid).ToList();
  Now what I found on internet is following statement (or similar). In instances where an unhandled non-FaultException is thrown, one of the following may happen based on the instance management settings of your service. For sessionful services: The session
  is terminated, the service instance is disposed and the channel will be in the faulted state, thus the proxy cannot be reused.
  This doesn't make much sense to me as base on the MSDN all such exception are automatically converted to FaultException. So in which case code call cal lead to non-FaultException exception type ? Also from my synthetic test (debug environment) I can call
  that method many times with null argument and service is still in operational state (it will not refuse to make additional calls). On client side I'm just handling FaultException which will log message.
  So main question is. Are code as in our contract going to fault service as such so no further calls will be possible in service instance ? Which mean that all our service methods need to be wrapped in try\catch blocks and swallow all exceptions. Which is
  not optimal from performance reasons.

  thnx for your response, but I don't see how your reply can be marked as answer if it's not answering original question ! Question was if service will be in faulty state.
  It wouldn't be in a faulted state if you had learned how to develop a WCF service properly, which would have involved request/response objects and catching the exception properly and returned the response object.  Something is causing the service
  to crash, and you don't know what it is.
  https://msdn.microsoft.com/en-us/library/ff699490.aspx
  If you have ever seen or used the Web Service factory that builds the WCF Web service and uses Request/Response objects, you would appreciate the Request/Response objects in play. And there wouldn't have been some kind of generic exceptions where WCF
  swallowed the real exception on tossed you back the catch 22 exceptions.   It should have never made it to a fault exception.

• Including service-side file

  Hi,
  According to the lessons in my book, I inserted a service-side file in
  my HTML-code.
  It seems to work fine in the Design Mode and in the Live-View.
  But when starting a browser, no matter which one, the service side
  file is not visible.
  What can be the problem?
  Thanks in advance.
  PR.

  Sorry, you're right, I'm talking about server-side. And I think I found the answer as well, in my book ("classroom in a book").
  At the end of the chapter it says: "You won't be able to see the SSI in a browser without a testing server as long as it's stored
  only on your local hard drive."
  And I'm not using a test-server yet.
  Thanks for your attention anyway!

• My iPhone 5 quit ringing. I checked settings and the side switch. What now?

  My iphone5 quit ringing. I've checked settings and the side switch. What now?

  When you go to Settings > Sounds > Ringtones and tap on a ringtone, does it emit a sound then?  If so, Go to Settings > Do Not Disturb and make sure it is OFF.
  Next steps would be to back up your iPhone, then go to Settings > General > Reset > Reset All Settings.
  If the issue continues still, restore the iOS.  Last step would be to take it in for service.
  Locate a Service location (choose your country in the top right)

• Sites and services

  guys,
  i would like to create 3 dc servers with different ip´s. My domainname will be mytestingsite.com and the 3 dc's will all be residing on a differten site. 1 will be in my datacenter(in city 1), 2 others will be in city2 and city3.
  How should i configure my sites and services and my dns.
  many thanks.
  johan

  Simply proceed like the following:
  Create three AD sites: City1, City2 and City3
  Move Domain Controllers computer accounts to their correct sites
  Create all the subnets you use and link to their correct sites
  This will minimize the amount of AD replication traffic and will make your Windows clients access the closest DC when an authentication is required or when they need to get applied GPOs/scripts.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Service sids

  Hi,
  What are Service SIDs? Why do we need or what is the use of  Service SIDs? Are they replacement for domain groups or service accounts?
  How does SQL Server make use these SIDS? What kind of benefits do we get if we choose service sids?
  Thanks in advance.

  Hi Samantha v,
  About the first question: What are Service SIDs? Why do we need or what is the use of Service SIDs? Are they replacement for domain groups or service accounts?
  Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008. Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service
  host process.
  The purpose of Service SIDs is to allow permissions for a single service to be managed without necessitating the creation of service accounts, an administrative overhead.
  A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal.
  About the second question: How does SQL Server make use these SIDs? What kind of benefits do we get if we choose service SIDs?
  SQL Server uses a service SID to provide service isolation. Service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains
  a service SID, a SQL Server service can restrict access to its resources. For information about how SQL Server uses a service SID to provide service isolation, please refer to the following article:
  https://support2.microsoft.com/kb/2620201?wa=wsignin1.0
  If you have any question, please feel free to let me know.
  Regards,
  Donghui Li

• GPO on Client side VPN

  Hi,<o:p></o:p>
  I am facing problem while updating Group policy to client side VPN user system, I have opened default ports related to GPO, Still GPO is not getting updated. Microsoft article advised that dynamic
  ports range 49152 - 65535 need to open. Due to security concern we unable to open these huge range of ports. Finally GP update command is working by opening these two ports 49159 and 49157. but GP update /force command is still not working. <o:p></o:p>
  Kindly advice which ports need to be opened for GP update /force.<o:p></o:p>
  Secondly I need to get VPN connected before user logged in. otherwise i hope GP update command will not serve the purpose. Software need to be assigned to the user by using GP update from the
  update server/domain controller.<o:p></o:p>
  Please advise if there is any solution for this case.<o:p></o:p>
  Regards,<o:p></o:p>
  Raj. <o:p></o:p>

  Hi JeraldRaj,
  If all your intranet computer get GPO properly, it may your VPN computer using the Slow Link GPO , When your client is applying its Group Policies and it detects that the
  available bandwidth between it and the Domain Controller is less than 500 kb (default value), it will only download and apply those settings within the GPO that are considered mandatory.
  The settings that are not downloaded when a slow link is detected include the following:
  •Disk Quota
  •Scripts
  •Folder Redirection
  •Software Installation
  •Wireless Network (IEEE 802.11) Policies
  •Wired Network (IEEE 802.3) Policies
  •Internet Explorer Maintenance Extension
  The related aritlce:
  GPOs and Slow Link Detection
  http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/27/gpos-and-slow-link-detection.aspx
  “Configure slow-link mode” policy on Vista for Offline Files
  http://blogs.technet.com/b/askds/archive/2009/02/11/configure-slow-link-mode-policy-on-vista-for-offline-files.aspx
  The related KB:
  Specifying Group Policy for Slow Link Detection
  http://technet.microsoft.com/en-us/library/cc781031(v=ws.10).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• SQL Server 2008 Service SIDs

  Hello,
  I've recently installed SQL Server 2008 and when I look at the groups created, the Windows Domain accounts I specified for each service do not appear. Instead the service SID has been placed into that group, however when I run cmd>>sc showsid [servicename]
  the SIDs do not match.
  How can I confirm the SID of the SQL services?
  Thanks in advance.

  Hi Vijay, thank you for your response,
  The server build is Windows 2008 R2 with SQL Server 2008 installed.
  I can see that in the groups (under computer management) created by SQL Server the service for the database engine is NT SERVICE\MSSQLSERVER with a SID. What I am trying to work out is, compared to SQL Server 2005, where the account for the service was dropped
  into the corresponding group,  a service SID is now in the group.
  However when I use the cmd>>sc showsid [MSSQLSERVER] the SID displayed does not match the SID assigned to the NT SERVICE\MSSQLSERVER account in the group.
  I'm pretty sure I am missing something, I would just like to understand how the correct permissions are assigned to the SQL Server services,
  Regards,
  Andrew

• Sony Ericsson Phone and Service are pathetic

  All,
  I know some one else would have gone through this pain...
  Last October 2010, I ordered SE Xperia Mini Pro from a website. I was still exploring the features I found that one side of my ear phone does not work. I tried several other ear phones but still couldn't hear. So I opened a ticket. The agent confirmed that my handset is under warranty and SE will repair it.
  Here is the history of the tickets I had to open with SE.
  Sony Repair Centre
  PTS Electronics
  Attention : Sony Ericsson consumer Repair
  1000 South Liberty Drive
  Bloomington Indiana 47403
  Date : 1/11/11
  RMA# 11111271725
  Tracking# 1z1028170312320482
  Phone sent without any repair
  Date : 2/10/11
  RMA# 21011273214
  Tracking# 1z1028170312320802
  Phone sent without any repair
  Date : 4/18/11
  RMA# 41511275383
  Tracking# 1z1028170312321605
  Phone replaced
  Finally after a month and big arguement they sent me a new phone - X10.
  I used it for few days and update the software. After few days, the display died. Gues what I had to return it back.
  RMA# 80811279570
  Date : 8/8/2011
  Tracking# 1z1028170312323247
  Phone sent without any repair
  This time it wasn't fixed at all. Same story. Same explanation. I sent it back.
  RMA# 92211280945
  Date : 9/22/2011
  Tracking# 1z1028170312323649
  Waiting...
  And I am still waiting for my phone.
  I am at total lost. This handset comes with 1yr warranty and this whole year around I have been sending and receiving the phone from the repair centre. Now its close to its warranty expiration and I am not sure what to do. I wasted my money on SE. I have not thought of SE service being such pathetic.
  Not sure who will answer me. Not sure if my phone will ever work. Not sure what the warranty will be on it. Not sure when SE will realize that their customers are suffering due to their bad phones and services.
  -Deepak

  I can understand the frustration related to this situation, however I can only suggest that you contact Sony Ericsson within your region for more support regarding this. Please use the link below to find your regions contact details for Sony Ericsson and raise any concerns you may have with them.
  http://www.sonyericsson.com/cws/corporate/common/contact/phonelist
   - Official Sony Xperia Support Staff
  If you're new to our forums make sure that you have read our Discussion guidelines.
  If you want to get in touch with the local support team for your country please visit our contact page.