I need to grant a specific account SERVICE_START permissions for a given Windows service.
There seems to be some methods for doing so here, but would prefer a method that's native to PowerShell and doesn't require external tools, for ex. by using Get/Set-ACL cmdlets, or calling some .NET API.
Does someone know how to do it in that fashion? T开发者_C百科hanks in advance.
I think for this you should look into using subinacl.exe
which you can download here. From the download it site it is described as:
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.
Using it from PowerShell appears to be pretty easy:
SUBINACL /verbose=1 /service Spooler /grant=PC\Joe=LQSTOP
Check out this article on using subinacl that Mark Minasi wrote..
Cold question deserves a partial answer.
Check out http://get-carbon.org/
If you don't want to install carbon on a production server then look a the source (Apache 2.0 Licence) and see if you can utilise the .NET code for your own devices. If I had time I would expand this answer to include example code but for now see these two parts of the repository.
Powershell CmdLet https://bitbucket.org/splatteredbits/carbon/src/29f5983094d048030d6143923f4a6925d1a1a195/Carbon/Service/Grant-ServicePermission.ps1?at=default
Uses a .Net object (using system) https://bitbucket.org/splatteredbits/carbon/src/29f5983094d048030d6143923f4a6925d1a1a195/Source/Security/ServiceAccessRights.cs?at=default
From that it should be a hop skip and a jump to write your own Powershell v3+ native call.
精彩评论