【问题标题】:start service remotely on windows 2003~2012windows 2003~2012远程启动服务
【发布时间】:2017-05-29 17:31:43
【问题描述】:

我的老板要求我授予对 XXX 百台服务器 (2003~2012) 上约 5 种不同服务的访问权限。

我尝试在每个服务上设置 SDDL(我一直在用我的特定帐户测试 BITS 服务),但即使我为该帐户设置了访问权限也不行。示例命令:

sc sdset BITS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)(A;;**[startStopListSettings]**;;;**MY-SID**)S:
(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

即使我创建了这个新条目,我也无法以非管理员用户身份从另一台计算机使用 SC 启动/停止服务。

我还需要做什么才能让非管理员用户有权在远程计算机上启动服务?有没有人有解决方案?谢谢

【问题讨论】:

    标签: windows service windows-services


    【解决方案1】:

    好的,我知道如何编辑服务权限了。我创建了 3 个函数:get/add/remove:

        #Requires -version 3 
        #####################
        # Code info     :Set service rights on remote computers. With this script you can set rights on a service on many computers by modifying its SDDL remotely.
        #                You need: the service name, the SID of the object you want to add/remove access for, and the computer name(s).
        # V             :1.3.2.0
        # D             :01-06-2017
        # Author        : stackoverflow.com - gsky
        # INFO          :All credits go to the author of this script. No changes without confirmation
        # Compatibility :Powershell 3 and up (.net 3.5 and up)
        # Supported     :From Windows 2003 to 2016
        #keywords:      : Windows, Wintel, Service, Remote, Add Rights, Remove Rights
        #####################
    
    
    
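        function Get-MGServiceRights
        {
            <#
            .SYNOPSIS
            Reads the security descriptor (SDDL) of a service on one or more (remote) computers.

            .DESCRIPTION
            Runs "sc.exe \\<computer> sdshow <ServiceName>" for every computer and returns one
            object per computer. On success the Acl property holds the SDDL string; when sc.exe
            reports a failure it holds the error text prefixed with "GET: ".

            .PARAMETER computerName
            One or more computer names to query.

            .PARAMETER ServiceName
            Name of the service whose security descriptor is read.

            .OUTPUTS
            PSCustomObject with Computer, ServiceName and Acl properties, one per computer.

            .EXAMPLE
            Get-MGServiceRights -computerName testComputer123 -ServiceName BITS

            .NOTES
            version 1.3.2.0
            #>
            [CmdletBinding()]
            param
            (
                [parameter(Mandatory = $true, Position = 0)]
                [string[]]$computerName,
                [parameter(Mandatory = $true, Position = 1)]
                [string]$ServiceName
            )

            foreach ($computer in $computerName)
            {
                $Output = [pscustomobject][ordered]@{
                    Computer    = $computer
                    ServiceName = $ServiceName
                    Acl         = $null
                }

                # Arguments go to sc.exe one by one (no cmd.exe in between), so computer and
                # service names are never re-parsed by a shell.
                [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdshow' $ServiceName
                $exitCode = $LASTEXITCODE
                $lines = @($queryResult | Where-Object { $_ -ne '' })

                if ($lines.Count -eq 0)
                {
                    # No output at all (sc.exe missing or killed): never report an empty ACL as success.
                    $Output.Acl = "GET: sc.exe returned no output (exit code $exitCode)"
                }
                elseif ($exitCode -ne 0 -or $lines[0] -like "*FAILED *")
                {
                    # The exit code does not depend on the OS display language; the "FAILED" text
                    # check is kept as a fallback for parity with the previous behaviour.
                    $Output.Acl = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'GET: '
                }
                else
                {
                    # sdshow prints the SDDL on a single line; join defensively in case it wraps.
                    $Output.Acl = $lines -join ''
                }
                $Output
            }
        }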
    
    
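        function Add-MGServiceRights
        {
            <#
            .SYNOPSIS
            Grants an account (identified by SID) rights on a service on one or more (remote) computers.

            .DESCRIPTION
            Reads the current SDDL with Get-MGServiceRights, appends a new allow ACE for the SID to
            the DACL and writes the descriptor back with "sc.exe \\<computer> sdset". When an
            identical ACE is already present nothing is written. An existing ACE for the same SID
            with a different rights mask is NOT replaced; the new ACE is added next to it.

            .PARAMETER computerName
            One or more computer names.

            .PARAMETER ServiceName
            Name of the service to modify.

            .PARAMETER objectSID
            SID of the account or group that receives the rights (e.g. S-1-5-00-0000000-000000000-00000000).

            .PARAMETER ACL
            Rights level: Control (start/stop/query the service), Read (query status only)
            or FullControl.

            .OUTPUTS
            PSCustomObject with Computer, Account, ServiceName and CommandResponse, one per computer.

            .EXAMPLE
            Add-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000 -ACL FullControl

            .NOTES
            version 1.3.2.0
            Requires an elevated console; sdset additionally needs administrative rights on every target.
            #>
            [CmdletBinding()]
            param
            (
                [parameter(Mandatory = $true, Position = 0)]
                [string[]]$computerName,
                [parameter(Mandatory = $true, Position = 1)]
                [string]$ServiceName,
                [parameter(Mandatory = $true, Position = 2)]
                [System.Security.Principal.SecurityIdentifier]$objectSID,
                [parameter(Mandatory = $true, Position = 3)]
                [ValidateSet("Control", "Read", "FullControl")]
                [string]$ACL = "Control"
            )

            begin
            {
                $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                $myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)
                $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
                # throw rather than break: a break outside a loop silently aborts the caller's loop or script
                if (-not $myWindowsPrincipal.IsInRole($adminRole))
                {
                    throw "Script Requires ELEVATION!. Run console as an Administrator"
                }

                # Access masks per rights level (same strings the original used).
                $permissions = switch ($ACL)
                {
                    'Read'        { 'CCLCSWLOCRRC' }
                    'FullControl' { 'CCDCLCSWRPWPDTLOCRSDRCWDWO' }
                    default       { 'CCLCSWRPWPDTLOCRRC' }
                }
                $scRightsForNewObject = "(A;;$permissions;;;$($objectSID.Value))".ToUpper()
            }
            process
            {
                foreach ($computer in $computerName)
                {
                    $Output = [pscustomobject][ordered]@{
                        Computer        = $computer
                        Account         = $objectSID
                        ServiceName     = $ServiceName
                        CommandResponse = $null
                    }

                    try
                    {
                        # @(...) -join '' tolerates both a single string and a one-element array in Acl
                        $currentSddl = (@((Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl) -join '').Trim()
                    }
                    catch
                    {
                        # report the failure for this computer and carry on with the next one
                        $Output.CommandResponse = "ADD: $($_.Exception.Message)"
                        $Output
                        continue
                    }

                    if ($currentSddl -like "*Failed*")
                    {
                        $Output.CommandResponse = "ADD: $currentSddl"
                    }
                    elseif ($currentSddl -like "*$scRightsForNewObject*")
                    {
                        $Output.CommandResponse = "ADD: Object already exists with same level of rights."
                    }
                    else
                    {
                        # Put the ACE at the end of the DACL: directly before the SACL ("S:") when the
                        # descriptor has one, otherwise at the end of the string. (Replacing "S:" alone
                        # silently added nothing when no SACL section was present.)
                        if ($currentSddl.Contains('S:'))
                        {
                            $sddlToSet = $currentSddl -creplace 'S:', "${scRightsForNewObject}S:"
                        }
                        else
                        {
                            $sddlToSet = $currentSddl + $scRightsForNewObject
                        }

                        [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $sddlToSet
                        $exitCode = $LASTEXITCODE
                        $lines = @($queryResult | Where-Object { $_ -ne '' })

                        if ($lines.Count -eq 0)
                        {
                            $Output.CommandResponse = "ADD: sc.exe returned no output (exit code $exitCode)"
                        }
                        elseif ($exitCode -ne 0 -or $lines[0] -like "*FAILED *")
                        {
                            # exit code is language independent; the text check stays as a fallback
                            $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'ADD: '
                        }
                        else
                        {
                            $Output.CommandResponse = $lines -replace '\[SC\]', 'ADD:'
                        }
                    }
                    $Output
                }
            }
        }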
    
    
    
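        function Remove-MGServiceRights
        {
            <#
            .SYNOPSIS
            Removes every ACE for an account (identified by SID) from a service's security descriptor on one or more (remote) computers.

            .DESCRIPTION
            Reads the current SDDL with Get-MGServiceRights, drops each ACE whose trustee is exactly
            the given SID (DACL and SACL entries alike) and writes the result back with
            "sc.exe \\<computer> sdset". Well-known trustee abbreviations (BA, SY, ...) are not
            expanded, so an ACE written with such an abbreviation is not matched by the numeric SID.

            .PARAMETER computerName
            One or more computer names.

            .PARAMETER ServiceName
            Name of the service to modify.

            .PARAMETER objectSID
            SID of the account or group whose ACEs are removed (e.g. S-1-5-00-0000000-000000000-00000000).

            .OUTPUTS
            PSCustomObject with Computer, Account, ServiceName and CommandResponse, one per computer.

            .EXAMPLE
            Remove-MGServiceRights -computerName testComputer123,testComputer124 -ServiceName BITS -objectSID S-1-5-00-0000000-000000000-00000000

            .NOTES
            version 1.3.2.0
            Requires an elevated console; sdset additionally needs administrative rights on every target.
            #>
            [CmdletBinding()]
            param
            (
                [parameter(Mandatory = $true, Position = 0)]
                [string[]]$computerName,
                [parameter(Mandatory = $true, Position = 1)]
                [string]$ServiceName,
                [parameter(Mandatory = $true, Position = 2)]
                [System.Security.Principal.SecurityIdentifier]$objectSID
            )

            begin
            {
                $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
                $myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)
                $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
                # throw rather than break: a break outside a loop silently aborts the caller's loop or script
                if (-not $myWindowsPrincipal.IsInRole($adminRole))
                {
                    throw "Script Requires ELEVATION!. Run console as an Administrator"
                }

                # Match the trustee only at the end of an ACE fragment, so a SID that is a prefix of
                # another SID (RID 1001 vs 10010, say) does not remove the other account's ACE.
                $trusteePattern = ';' + [regex]::Escape($objectSID.Value) + '$'
            }
            process
            {
                foreach ($computer in $computerName)
                {
                    $Output = [pscustomobject][ordered]@{
                        Computer        = $computer
                        Account         = $objectSID
                        ServiceName     = $ServiceName
                        CommandResponse = $null
                    }

                    try
                    {
                        # @(...) -join '' tolerates both a single string and a one-element array in Acl
                        $currentSddl = (@((Get-MGServiceRights -computerName $computer -ServiceName $ServiceName).Acl) -join '').Trim()
                    }
                    catch
                    {
                        # report the failure for this computer and carry on with the next one
                        $Output.CommandResponse = "REMOVE: $($_.Exception.Message)"
                        $Output
                        continue
                    }

                    if ($currentSddl -like "*Failed*")
                    {
                        $Output.CommandResponse = "REMOVE: $currentSddl"
                        $Output
                        continue
                    }

                    # Split on the ACE terminator: every fragment except the last was followed by ")",
                    # so joining the kept fragments with ")" rebuilds a valid descriptor. The fragment
                    # list is built fresh per computer (it used to accumulate across the loop, so the
                    # second target was sent the first target's SDDL as a prefix).
                    $fragments = $currentSddl -split '\)'
                    $kept = @($fragments | Where-Object { $_ -notmatch $trusteePattern })

                    if ($kept.Count -eq $fragments.Count)
                    {
                        $Output.CommandResponse = "REMOVE: Object Not Found"
                    }
                    else
                    {
                        $sddlToSet = $kept -join ')'

                        [string[]]$queryResult = & 'sc.exe' "\\$computer" 'sdset' $ServiceName $sddlToSet
                        $exitCode = $LASTEXITCODE
                        $lines = @($queryResult | Where-Object { $_ -ne '' })

                        if ($lines.Count -eq 0)
                        {
                            $Output.CommandResponse = "REMOVE: sc.exe returned no output (exit code $exitCode)"
                        }
                        elseif ($exitCode -ne 0 -or $lines[0] -like "*FAILED *")
                        {
                            # exit code is language independent; the text check stays as a fallback
                            $Output.CommandResponse = ($lines -join ' ') -replace '\[SC\]\sOpenS.[A-Za-z]*\s', 'REMOVE: '
                        }
                        else
                        {
                            $Output.CommandResponse = $lines -replace '\[SC\]', 'REMOVE:'
                        }
                    }
                    $Output
                }
            }
        }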
    

    【讨论】:
