I’m trying to control services on one W2k8 machine from another; no domain just a workgroup. The user account I’m logged in as is an administrator on both machines.
I’ve tried both psservice and sc.exe. These work in a Windows Server 2003 environment, but it looks like I need an extra step or two due to the changed security model in 2008. Any ideas as to how to grant permission to the Service Control Manager (psservice) or OpenService (sc)? I tried running the DOS window with “Run As Administrator” and it made no difference.
With psservice I get the following:

    D:\mydir>psservice \\REMOTESERVER -u "adminid" -p "adminpassword" start "Display Name of Service"

    PsService v2.22 - Service information and configuration utility
    Copyright (C) 2001-2008 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Unable to access Service Control Manager on \\REMOTESERVER:
    Access is denied.
In the remote server, I get the following message in the Security Log so I know I connect and login to the remote machine. I assume it then fails on a subsequent authorization step. The logoff message in the security log is just that (“An account was logged off.”), so no extra info there.
    Special privileges assigned to new logon.

    Subject:
        Security ID:     REMOTESERVER\adminid
        Account Name:    adminid
        Account Domain:  REMOTESERVER
        Logon ID:        0xxxxxxxx

    Privileges:
        SeSecurityPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeTakeOwnershipPrivilege
        SeDebugPrivilege
        SeSystemEnvironmentPrivilege
        SeLoadDriverPrivilege
        SeImpersonatePrivilege
sc.exe is similar. The command syntax and error differs as below but I also see the same login message in the remote server’s security log.
    D:\mydir>sc \\REMOTESERVER start "Registry Name of Service"
    [SC] StartService: OpenService FAILED 5:

    Access is denied.
Try adding the setting [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy] = 1 and rebooting.
This comes from items 30 and 31 in “FAQ: Common PSTools Issues” and “Description of User Account Control and remote restrictions in Windows Vista” and helps turn down some of the UAC restrictions related to Administrative access across the network.
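
The registry change from the answer above, as an added example that is not part of the original thread: a PowerShell script that reports the current LocalAccountTokenFilterPolicy state, sets it to 1 as a REG_DWORD, or removes it again. It assumes PowerShell 2.0 or later running elevated on the server being managed; the `-Enable` and `-Revert` switch names are chosen for this example. The value applies to every local administrator account that logs on over the network, not only to psservice or sc.

```powershell
# Added example (not from the original thread).
# Run in an elevated PowerShell session on the server being managed.
param([switch]$Enable, [switch]$Revert)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns $null when the value is absent. An absent value behaves like 0:
    # local administrator accounts that log on over the network receive a
    # filtered (non-elevated) token, which produces the "Access is denied"
    # results shown in the question.
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$name
}

function Show-TokenFilterPolicy {
    $v = Get-TokenFilterPolicy
    if ($null -eq $v) { "$name is not set (default: remote local-admin tokens are filtered)" }
    elseif ($v -eq 1) { "$name = 1 (remote local-admin tokens are full administrator tokens)" }
    else              { "$name = $v (remote local-admin tokens are filtered)" }
}

"Before: $(Show-TokenFilterPolicy)"

if ($Enable) {
    # -Force creates the value or overwrites an existing one; it must be a DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}
elseif ($Revert) {
    # Removing the value restores the default remote token filtering.
    if ($null -ne (Get-TokenFilterPolicy)) {
        Remove-ItemProperty -Path $key -Name $name
    }
}

"After:  $(Show-TokenFilterPolicy)"
```

Run it with no switch to see the current state, then with `-Enable` followed by the reboot the answer calls for; `-Revert` puts the default back once remote service control is no longer needed.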