Component Services (Win2k3sp2) Won't Start Due to Permission Settings

In Windows Server 2003 SP2, I have removed all users (Anonymous Users, Authenticated Users, Everyone etc) under Component Services > Computers > My Computer > Properties > COM Security > Edit Limits.
After that, I couldn't access the server via remote desktop and terminal services also fails. I can still access it via VNC but when I attempt to open Component Services > Computers, the window stops responding.
Is there any way that I can restore COM permissions to their default settings at least? Or is there a way to enable access to the properties window so I can set it myself?
Thank you for your help.
Ianthe
=== Update: DCOMPERM.EXE ===
I found the dcomperm.exe file, which can alter permissions via the command line. It works on my local machine. My problem now is how to copy it over to the Win2k3 server since network services (netlogon etc) fail to start.
The idea I have right now is to access the Win2k3's VM hard disk and copy the file over. I have yet to find a way to do that.
If you guys have a better way, I hope you don't mind helping.
Thanks again!

I found dcomperm.exe, which can alter permissions via the command line. It works on my local machine. Please note that the netlogon service also fails to start due to the permissions. I wasn't able to transfer the file through a shared folder.
The workaround I used was to transfer the file with Subversion: commit, then checkout/update.
After I reset the permissions, the Component Services window worked as per normal.

Windows could not start the Apache CouchDB service on Local Computer

I have installed CouchDB on my Windows machine but while starting the CouchDB service, I am getting a message like:
Windows could not start the Apache CouchDB service on Local Computer. The service did not return an error. This could be an internal Windows error or an internal service error. If the problem persists, please contact your system administrator.
As the service is not running, I am unable to access Fauxton too.
I am using Windows 7. CouchDB is 2.0.0. Port 5984 is not in use.
I don't think your question is a duplicate of https://stackoverflow.com/a/44107335/219187 because you are on Windows 7, and the problem described there is for Windows 10 with the creators update.
But maybe the solution fixes your problem as well? Here is the procedure:
Download the prerelease build 2.2.4-101 from https://nssm.cc/download
Stop the CouchDB service through the Windows Services dialog (paused is not enough)
Overwrite nssm.exe in <CouchDbInstallDir>\bin with the one from the downloaded ZIP file (make sure you pick the right version 32 bit / 64 bit)
Start the CouchDB service
The issue has been happening since the last updates released by Microsoft. I'm not completely aware of what's causing it, but I think it's something related to the CouchDB service not being able to start using Local Administrator rights.
However I've managed to start the service manually, by doing so:
Open Command Prompt - in the Search from the Start Menu or Task Bar type "cmd"
Run it as an Administrator - right click on the Command Prompt application and choose "Run as administrator" option /this is really IMPORTANT as it will allow the service to have administrator access/
Navigate to the folder where CouchDB is installed - default path is "D:/CouchDB", but could be anywhere else; you have to find it
Go to the "bin" folder in there
Type "couchdb" as a command to start the service
You will see a message showing after this - "kernel-poll not supported; "K" parameter ignored"
If it adds some error messages after it or closes the whole terminal, you've made a mistake following this guide, so follow it strictly.
You can now open up the Fauxton application in the browser like normal from here - http://localhost:5984/_utils/
Keep in mind that you have to leave the cmd window open in order for the service to work as expected. As far as I saw no information was lost, so it's all good.
This is a temporary solution though, as we are waiting for a release from either Microsoft or Apache to solve the issue, or at least give us more explanation about it.
I just met the same problem.
The cause is a space in the path: you have to install CouchDB in a path without any spaces, which rules out even the Program Files folder, because there is a space between Program and Files...

Can't run vb.net application as administrator across network

I have created a small application that auto elevates as administrator using the command:
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
This works fine if I run the application locally on the computer. However, if the computer tries to run my executable across the network, it simply crashes on startup with a message "Do you want to send more information about the problem?" error. If I right click and run as administrator, my application will work and will prompt for admin credentials.
The folder I am running my application from (across the network) has full read/write permissions for 'everyone'.
My question is: Is there something I've missed? Why can I run my application locally and not get prompted but across the network crashes or requires admin?
Can anyone help explain what might be causing this issue?
UPDATE
I have checked my event viewer log and it shows the following:
Application: AutoUpdater.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
Stack:
at System.Net.Sockets.Socket..ctor(System.Net.Sockets.AddressFamily, System.Net.Sockets.SocketType, System.Net.Sockets.ProtocolType)
at System.Net.Sockets.TcpListener..ctor(System.Net.IPAddress, Int32)
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel.SetupChannel()
at System.Runtime.Remoting.Channels.Tcp.TcpServerChannel..ctor(System.Collections.IDictionary, System.Runtime.Remoting.Channels.IServerChannelSinkProvider, System.Runtime.Remoting.Channels.IAuthorizeRemotingConnection)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.RegisterChannel(ChannelType, Boolean)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(System.String[])
at AutoUpdater.My.MyApplication.Main(System.String[])
I don't understand why it is making reference to System.Net.Sockets?? But that is what seems to be crashing my app.
Make sure that the other computers attempting to run your application have the correct .Net framework versions installed. If users are able to open the executable, there shouldn't be any other issues with permission.
If you have verified the framework versions, see if there is anything in the error report that might point to a reason for the crash. A lot of times there may be something in there that can point you in the right direction.
.NET applications don't like to run from the intranet by default.
Try this:
Go to Control Panel -> Administrative Tools -> Microsoft .NET Framework 2.0 Configuration
Click Configure Code Access Security Policy link
Click Adjust Zone Security
Set the My Computer and Local Intranet to Full Trust
If this works, then it is a local security issue. If you need it scripted out, you can use the caspol exe that is in the framework. Sample
C:
cd %windir%\Microsoft.NET\Framework\v2.0.50727
CasPol.exe -pp off -m -ag 1. -URL Z:\folder\EXEName.exe FullTrust -n FriendlyNameOfEXE

Why is Remote Desktop Services missing from Group Policy Management in Server 2008?

I have SBS 2008 and my client PCs are not able to RDP to each other. The settings are grayed out due to being joined to the domain.
No prob, right? Go into Group Policy Management, and locate this section to make changes:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host
Except, shoot! Windows Components\Remote Desktop Services is not even in the list! Why is this happening?
You can get to it using Start > Search "gpedit.msc", then go to
Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections.
It is called different things in different systems.
It may be called Terminal Services.
Right click on "Administrative Templates", select "Add/Remove Templates ..." and verify that the "system" template is there
Right-click Administrative Templates, select Add/Remove.
Remove an item (I removed inetres) and close.
The templates rearrange and expand. At this point Terminal Services should now be listed.
Right-click Administrative Templates and add back the item you removed.
I came across the same issue, and the solution in articles I found was to use an older machine from which to edit the GPO. You'd have to try from a Windows XP or Windows 2003 machine.
However, I didn't have any of those available on the network anymore.
In the end, I deleted the following folder under the policy I was working with, and those settings no longer appear. (There is an ini file in that folder that defines the 3 settings we want to remove.)
\\domain\sysvol\domain\Policies\GUIDOfPolicy\User\Microsoft\RemoteInstall
To find the GUIDOfPolicy, look in GPMC under Details. You will see it as the Unique ID.
Remember to substitute your domain name as you look for this folder.
I was able to clean this up on a policy of mine.
Reference this article for instructions:
https://support.microsoft.com/en-us/help/2722241/policy-reporting-tools-indicate-empty-internet-explorer-maintenance-policy-as-winning
And then remove these instead of the ones listed there:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
If Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server does not appear in gpedit.msc, then go into %windir%\system32\GroupPolicy and rename the Adm folder to Adm-renamed.
Run gpedit.msc and the Adm folder should be recreated correctly and the Terminal Server policies should be visible. You can then delete the Adm-renamed folder.

Stop IIS 7 Application Pool from build script

How can I stop and then restart an IIS 7 application pool from an MSBuild script running inside TeamCity? I want to deploy our nightly builds to an IIS server for our testers to view.
I have tried using appcmd like so:
appcmd stop apppool /apppool.name:MYAPP-POOL
... but I have run into elevation issues in Windows 2008 that so far have stopped me from being able to run that command from my TeamCity build process because Windows 2008 requires elevation in order to run appcmd.
If I do not stop the application pool before I copy my files to the web server my MSBuild script is unable to copy the files to the server.
Has anybody else seen and solved this issue when deploying web sites to IIS from TeamCity?
This article describes using an htm file named App_offline.htm to take a site offline. Once IIS detects this file in the root of a web application directory,
ASP.NET 2.0 will shut-down the application, unload the application domain from the server, and stop processing any new incoming requests for that application.
In App_offline.htm, you can put a user-friendly message indicating that the site is currently under maintenance.
Jason Lee shows the MSDeploy calls you need to use (plus much more about integrating these steps in your build scripts!).
MSDeploy
-verb:sync
-source:contentPath="[absolute_path]App_offline-Template.htm"
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
After deployment you can remove the App_offline.htm file using the following call:
MSDeploy
-verb:delete
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
The msbuild community tasks includes an AppPoolController that appears to do what you want (though as noted it is dated and at present only supports IIS6.) An example:
<AppPoolController ApplicationPoolName="MyAppPool" Action="Restart" />
Note that you can also provide a username and password if necessary.
Edit: Just noticed that the MSBuild Extension Pack has an Iis7AppPool task that is probably more appropriate.
This is the fairly hacky workaround I ended up using:
1) Set up a limited-access account for your service to run as. Since I'm running a CruiseControl.NET service, I'll call my user 'ccnet'. He does NOT have admin rights.
2) Make a new local user account, and assign to the Administrators group (I'll call him 'iis_helper' for this example). Give him some password, and set it to never expire.
3) Change iis_helper's access permissions to NOT allow local login or remote desktop login, and anything else you might want to do to lock down this account.
4) Log in (either locally or through remote desktop) as your non-admin user, 'ccnet' in this example.
5) Open a command terminal, and use the 'runas' command to execute whatever it is that needs to be run escalated. Use the /savecred option. Specify your new administrative user.
runas /savecred /user:MYMACHINE\iis_helper "C:\Windows\System32\inetsrv\appcmd.exe"
The first time it will prompt you for 'iis_helper's password. After that, it will be stored thanks to the /savecred option (this is why we're running it once from a real command prompt, so we can enter the password once).
6) Assuming that command executed OK, you can now log out. I then logged back in as a local admin and turned off the 'ccnet' user for local interactive login, and remote desktop. The account is only used to run a service, but no real logins. This isn't a mandatory step.
7) Set up your service to run as your user account ('ccnet').
8) Configure whatever service is running (CruiseControl.NET in my case) to execute the 'runas' command instead of 'appcmd.exe' directly, the same as before:
replace:
"C:\Windows\System32\inetsrv\appcmd.exe" start site "My Super Site"
with:
runas /savecred /user:MYMACHINE\iis_helper "\"C:\Windows\System32\inetsrv\appcmd.exe\" start site \"My Super Site\""
The thing to note there is that the command should be in one set of quotes, with all the inner quotes escaped (slash-quote).
9) Test, call it a day, hit the local pub.
Edit: I apparently did #9 in the wrong order and had a few too many before testing...
This method also doesn't completely work. It does attempt to run as the administrative account, however it still runs as a non-escalated process under the administrative user, so still no admin permissions. I didn't initially catch the failure because the 'runas' command spawns a separate cmd window then closes right away, so I wasn't seeing the failure output.
It's starting to seem like the only real possibility might be writing a Windows service that will run as admin, and its only purpose is to run appcmd.exe, then somehow call that service to start/stop IIS.
Isn't it great how UAC is there to secure things, but in actuality just unsecures more servers, because anything you want to do you have to do as admin, so it's easier to just always run everything as admin and forget it?
You can try changing the Build Agent Service settings to log-on as a normal user account instead of SYSTEM (the default), this can be done from the services control panel (Start | Run | services.msc).
If it doesn't help, you can also try configuring the appcmd to always run elevated, refer to this document for details.
In case such option is not available for appcmd or it still doesn't work, you can disable UAC completely for this user.
Here you go. You can use this from CC.NET with NAnt or just with NAnt:
http://nantcontrib.sourceforge.net/release/latest/help/tasks/iisapppool.html

Connect different Windows User in SQL Server Management Studio (2005 or later)

Is there a way in SQL Server Management Studio 2005 (or later) to change the Windows Authentication user (as you could in SQL Server 2000 and older)?
This is the general connection properties dialog (note the greyed out UID/PWD when selecting Windows Auth):
FYI - One workaround is to use runas but I'm looking for a solution that will allow me to work with multiple Windows accounts across multiple servers (and across multiple domains).
While there's no way to connect to multiple servers as different users in a single instance of SSMS, what you're looking for is the following RUNAS syntax:
runas /netonly /user:domain\username program.exe
When you use the "/netonly" switch, you can log in using remote credentials on a domain that you're not currently a member of, even if there's no trust set up. It just tells runas that the credentials will be used for accessing remote resources - the application interacts with the local computer as the currently logged-in user, and interacts with remote computers as the user whose credentials you've given.
You'd still have to run multiple instances of SSMS, but at least you could connect as different windows users in each one.
For example: runas /netonly /user:domain\username ssms.exe
Hold Shift and right click on the SQL Server Management Studio icon. You can run as another Windows account user.
One other way that I discovered is to go to "Start" > "Control Panel" > "Stored Usernames and passwords" (Administrative Tools > Credential Manager in Windows 7) and add the domain account that you would use with the "runas" command.
Then, in SQL Management Studio 2005, just select the "Windows Authentication" and input the server you wanna connect to (even though the user that you can see greyed out is still the local user)... and it works!
Don't ask me why ! :)
Edit:
Make sure to include ":1433" after the server name in Credential Manager or it may not connect due to not trusting the domain.
None of these answers did what I needed:
Login to a remote server using a different domain account than I was logged into on my local machine, and it's a client's domain across a vpn. I don't want to be on their domain!
Instead, on the connect to server dialog, select "Windows Authentication", click the Options button, and then on the Additional Connection Parameters tab, enter
user id=domain\user;password=password
SSMS won't remember, but it will connect with that account.
The runas /netonly /user:domain\username program.exe command only worked for me on Windows 10 when saving it as a batch file and running it as an administrator; when running the batch file as a regular user, I got the wrong password issue mentioned by some users in previous comments.
For Windows 10:
Go to the Sql Management Studio Icon, or Short Cut in the menu:
Right Click > Select Open File Location
Hold Shift and right Click the shortcut, or ssms.exe file that is in the folder. Holding shift will give you an extra option "Run as different user":
This will pop up a login box and you can type the credentials you would like your session to run under.
A bit of powershell magic will do the trick:
cmdkey /add:"SERVER:1433" /user:"DOMAIN\USERNAME" /pass:"PASSWORD"
Then just select windows authentication
There are many places where someone might want to deploy this kind of scenario, but due to the way integrated authentication works, it is not possible.
As gbn mentioned, integrated authentication uses a special token that corresponds to your Windows identity. There are coding practices called "impersonation" (probably used by the Run As... command) that allow you to effectively perform an activity as another Windows user, but there is not really a way to arbitrarily act as a different user (à la Linux) in Windows applications aside from that.
If you really need to administer multiple servers across several domains, you might consider one of the following:
Set up Domain Trust between your domains so that your account can access computers in the trusting domain
Configure a SQL user (using mixed authentication) across all the servers you need to administer so that you can log in that way; obviously, this might introduce some security issues and create a maintenance nightmare if you have to change all the passwords at some point.
Hopefully this helps!
Did anybody try "plain" runas without parameters? Those /netonly /savecred, all of them sound ambiguous and to me utter nonsense.
C:\Windows\System32\runas.exe /user:DOMAINX\OtherUser02 "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\ssms.exe"
This works just fine. No matter what, runas WILL ask you for the user password. Just type it and be security audit compliant.
The only way to achieve what you want is opening several instances of SSMS by right clicking on shortcut and using the 'Run-as' feature.
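
The `runas /savecred` workaround in the IIS thread and the `cmdkey /add` and Credential Manager answers in this thread all leave a password in the credential store of the account that ran them, where it stays until someone removes it. As an added example (not code from any of the posts), the Python below parses `cmdkey /list` output and flags saved `runas` logons and entries for accounts you name as administrative. The sample listing is constructed, and its English-locale layout and the `Domain:interactive=` / `Domain:target=` prefixes are assumptions about cmdkey's output.

```python
import re

# Constructed sample in the shape of English-locale `cmdkey /list` output
# (assumed format; not captured from a real host).
SAMPLE = """\
Currently stored credentials:

    Target: Domain:interactive=MYMACHINE\\iis_helper
    Type: Domain Password
    User: MYMACHINE\\iis_helper

    Target: Domain:target=SERVER:1433
    Type: Domain Password
    User: DOMAIN\\USERNAME

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser
"""

FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*?)\s*$")

def parse_cmdkey_list(text):
    """Split the listing into one dict (target/type/user) per stored credential."""
    entries, current = [], {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            key, value = match.group(1).lower(), match.group(2)
            if key == "target" and current:   # new block without a blank line
                entries.append(current)
                current = {}
            current[key] = value
        elif not line.strip() and current:    # blank line closes a block
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries

def classify(entry):
    """Name the mechanism that most likely created the entry."""
    kind = entry.get("target", "").partition("=")[0].lower()
    if kind == "domain:interactive":
        return "runas-savecred"    # assumed prefix for `runas /savecred` logons
    if kind == "domain:target":
        return "network-logon"     # assumed prefix for `cmdkey /add:HOST` entries
    return "other"

def review(text, admin_accounts):
    """Return (label, user, target) for entries that need a closer look."""
    admins = {a.lower() for a in admin_accounts}
    findings = []
    for entry in parse_cmdkey_list(text):
        label, user = classify(entry), entry.get("user", "")
        if label == "runas-savecred" or user.lower() in admins:
            findings.append((label, user, entry.get("target", "")))
    return findings
```

On a real host, feed `review` the text captured from `cmdkey /list` run as the service account in question, since the store is per user.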