OK. So we used a GPO to set the service to manual, and deliver a a scheduled task, using System context to run the process. No account required to give access to the DC.
Hope this helps someone else!
Thanks
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Due to a successful breach during a pen test by using the print spooler service on a domain controller, we are being challenged to stop/disable the print spooler service on all of our domain controllers. With the pruning responsibility of the print spooler on a domain controller for domain published printers, we would like to schedule a start and stop of the print spooler service on a DC using a scheduled task. We attempted to use the Local Service account to run the task, but it fails to start the service with no errors or warning in the logs. We need to complete this task as a non domain administrator. Any suggestions?
OK. So we used a GPO to set the service to manual, and deliver a a scheduled task, using System context to run the process. No account required to give access to the DC.
Hope this helps someone else!
Thanks
Hi,
Have you tried giving Windows service permissions to a domain account by using the SC.exe (Service controller) tool?
How to Allow Non-Admin Users to Start/Stop Windows Service?
http://woshub.com/set-permissions-on-windows-service/
Best regards,
Leon
We have thought about this option. But don't know if changing the permissions for a service on a DC can cause issues since the service is used to interact with the domain. Or am I over thinking it?