Non-administrative user needs access to the Service Control Manager (SCM)

Ajay Kumar 1 Reputation point
2022-01-11T10:11:26.38+00:00

While running this command I am getting an Access denied error. I need to run this command for a particular user without any admin privileges. Without providing admin access, is there any alternative solution to get the data through this command?

Invoke-Command -ComputerName "-------------" -ScriptBlock{Get-Service} -Credential "Domain\User"

By giving this command I am able to pull the data for the above command (Get-Services); however, by running this below command every user gets access to all services.

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

My requirement is to provide access only for a single particular ID and get all the services data. Please help me with the solution.

Thank you.

Windows Server

1 answer

  1. MotoX80 32,246 Reputation points
    2022-01-11T21:48:21.643+00:00

    I love a challenge. This appears to be working for me.

    I figured out how to set the permissions to allow a group to have access. Just add whatever user accounts need access to the group. For testing I just used the Remote Management Users group. It appears that the user will need to be in that group in order to have Invoke-Command access anyway. You can create your own group if you want.

    # Name: LetUsersGetService.ps1
    # Desc: Grant read access to some group to allow read access via Invoke-Command  
    # Author: Dave (MotoX80)
    
    # Grant access to this group
    $Account = "Remote Management Users"
    
    # Get the current ACL; join the captured output lines into a single SDDL string
    $MySDDL = (sc.exe sdshow scmanager) -join ''
    
    # Here is original acl from my Win10 machine. 
    # Uncomment the next statement to reset access 
    #$MySDDL =  "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
    
    
    $NewAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $NewAcl.SetSecurityDescriptorSddlForm($MySDDL)
    
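    # ReadData (0x1), AppendData (0x4) and ReadPermissions (0x20000) carry the same bits as the
    # SCM rights CC (connect), LC (enumerate services) and RC (read control).
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($Account,"ReadData, AppendData, ReadPermissions","None","None","Allow")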
    $NewAcl.SetAccessRule($Rule)
    ""
    "Access will be set to this..."
    $NewAcl.Access                                 # show who has access
    ""
    "Original SDDL"
    $MySDDL
    ""
    "Updated SDDL"
    $NewAcl.Sddl                                   # and in SDDL form 
    ""
    "Updating access"
    sc.exe sdset SCMANAGER $NewAcl.Sddl
    ""
    "SDDL from sc.exe"
    sc.exe sdshow scmanager 
    
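An added example, not part of the thread or of MotoX80's script: it decodes the SCM DACL into named rights so you can see which principals can enumerate services, then builds an SDDL that adds one connect/enumerate/read-control ACE for a single group instead of widening Authenticated Users. The function names are made up for this example, and the sample input is the default Win10 SDDL quoted in the answer.

```powershell
# Added example, not MotoX80's script. Function names here are illustrative.
$GroupName = 'Remote Management Users'   # group used in the answer; substitute your own
$ReadMask  = 0x20005                     # Connect + EnumerateService + ReadControl (SDDL "CCLCRC")

# Service Control Manager access-mask bits (winsvc.h), plus READ_CONTROL.
$ScmRights = [ordered]@{
    Connect = 0x1; CreateService = 0x2; EnumerateService = 0x4; Lock = 0x8
    QueryLockStatus = 0x10; ModifyBootConfig = 0x20; ReadControl = 0x20000
}

function Get-ScmDaclReport([string]$Sddl) {
    # Decode each DACL entry into principal, ACE type and named SCM rights.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }     # unresolvable SID (e.g. a capability SID)
        $rights = $ScmRights.Keys | Where-Object { $ace.AccessMask -band $ScmRights[$_] }
        [pscustomobject]@{ Principal = $name; Type = $ace.AceQualifier; Rights = $rights -join ',' }
    }
}

function Add-ScmReadAce([string]$Sddl, [string]$Account) {
    # Return the SDDL with one allow ACE for $Account appended; the SACL is kept as-is.
    $sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_.SecurityIdentifier -eq $sid -and $_.AceQualifier -eq 'AccessAllowed' -and
        ($_.AccessMask -band $ReadMask) -eq $ReadMask
    }
    if (-not $existing) {
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $ReadMask, $sid, $false, $null)
        # Appending keeps canonical order as long as the DACL holds only allow ACEs.
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Sample input: the default Win10 SDDL quoted in the answer. On a live host, read it with
#   $Current = (sc.exe sdshow scmanager) -join ''
$Current = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
Get-ScmDaclReport $Current | Format-Table -AutoSize
$Proposed = Add-ScmReadAce $Current $GroupName
"Proposed SDDL: $Proposed"
# After reviewing the string, apply it from an elevated prompt: sc.exe sdset scmanager $Proposed
```

Running the report again on the proposed string shows the new entry next to the existing ones, which makes it easy to confirm that only the intended group gained EnumerateService before anything is written with `sc.exe sdset`.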