Cool update to the previous post on the Windows Server 2003 SP1 SCM ACL Issue.
Microsoft actually does have some functionality in SC to handle viewing/manipulating the SCM ACL. Cheer!!!
It isn’t something that you can see in the help from SC, but Steve Patrick, under his tech4steve@comcast.net address, posted a link on Activedir.org to a blog entry that describes how to do this. Basically, you take advantage of the new SDSHOW and SDSET parameters in SC and specify SCManager as the service name. Unfortunately for some, you have to work with the SDDL format of the ACL, which doesn’t appeal to everyone, but some of us like it just fine. Here are the main details:
====
In SP1 SC.EXE we updated the util so you can change ACLs on the SCM.
C:\>sc sdshow scmanager
This is SP1 info:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This is the RTM info:
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You can now set security via “SC.EXE sdset scmanager
====
Very cool. Thanks for the pointer Steve.
joe
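The two SDDL strings quoted above, decoded and compared per trustee, as an added example that is not part of the original post or of Steve Patrick's entry. It assumes the standard mapping of SDDL right codes onto the SC_MANAGER_* access bits from winsvc.h; the function names are hypothetical.

```python
import re

# Assumption: SDDL right codes mapped to SCM access rights by bit value (winsvc.h).
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "KA": "SC_MANAGER_ALL_ACCESS",
}
TRUSTEES = {"AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
            "SY": "Local System", "BA": "Administrators", "WD": "Everyone"}

# The two strings quoted in the post.
SP1 = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
       "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
RTM = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
       "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def parse_dacl(sddl):
    """Return {trustee: set of SCM rights} for the allow ACEs in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        if ace_type != "A":
            continue  # only access-allowed ACEs appear in these two DACLs
        codes = re.findall("..", rights)
        unknown = [c for c in codes if c not in SCM_RIGHTS]
        if unknown:
            raise ValueError(f"unmapped right codes: {unknown}")
        who = TRUSTEES.get(sid, sid)
        grants.setdefault(who, set()).update(SCM_RIGHTS[c] for c in codes)
    return grants

def diff_dacl(old, new):
    """Return {trustee: (rights added, rights removed)} going from old to new."""
    a, b = parse_dacl(old), parse_dacl(new)
    out = {}
    for who in sorted(set(a) | set(b)):
        before, after = a.get(who, set()), b.get(who, set())
        if before != after:
            out[who] = (sorted(after - before), sorted(before - after))
    return out

if __name__ == "__main__":
    for who, (added, removed) in diff_dacl(RTM, SP1).items():
        print(f"{who}: added={added} removed={removed}")
```

Running the same comparison against the output of `sc sdshow scmanager` before and after an `sdset` shows exactly which rights a change grants or takes away.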
I was sent this KB article from MS. I will be testing this later today.
http://support.microsoft.com/?id=889248