I realize this is almost identical to this question but the big difference is that the methods described in the MSKB article DO NOT WORK for installed Tomcat services. They work for simple Windows services but not for the Tomcat services we need to control.
Any further ideas?
If I have 100 Tomcat container services, do I have to grant this permission explicitly on the group for each service? Is there a way to get a DOMAIN group set up to have permission to stop/start 100 different Tomcat services across 15 machines?
Edit (more info):
We are using Ant sshexec (jsch) and get Access Denied errorlevel 5 when calling net stop service_name.
I’m not sure what you’ve tried to do before, but here’s what I just did and had success:
1) Downloaded the Tomcat 5.5.27 Windows Service installer and installed it.
2) Dumped the TomCat5 service security descriptor using “sc sdshow tomcat5″, which showed me:
This is a pretty common security descriptor for services. I’ve seen it verbatim on some Microsoft services. The SYSTEM and built-in Administrators have “full control”, “Power Users” can stop, start, and pause the service, and “Authenticated Users” can query properties of the service (I’m glossing over a bit here).
3) I created a limited user called “bob” on my box, opened a “RUNAS” command-prompt as him, and got his SID from “WHOAMI /ALL” (a command that’s on Windows Server 2003 but not on XP… don’t know about Vista and Windows 7 off the top of my head). I verified that Bob could not stop / start the Tomcat service (using “NET STOP tomcat5″). I received the same error you report in your post.
4) From my regular administrator command-prompt, ran the following:
sc sdset tomcat5 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDT;;;S-1-5-21-1409082233-484763869-854245398-1009)
This SDDL string gives Bob’s SID (S-1-5-21-1409082233-484763869-854245398-1009) rights to stop, start, and pause the service (RP, WP, and DT, respectively).
5) I flipped back to my “Bob” command prompt and verified that I could now stop and start the service using NET STOP and NET START.
I’d recommend creating a group to delegte this right to, putting a user in that group, getting the group’s SID (using WHOAMI or any other tool) and modifying the security descriptor this way.
I would think that using Group Policy to modify the security descriptor would work fine. I have seen cases where some services don’t like the default permission that a group policy-based modification puts on a service (look at this posting about the Windows Search service if you want to see what I’m talking about: http://peeved.org/blog/2007/12/07), but that has been uncommon in my experience.
If you want more background on security descriptors for services, have a look at http://msmvps.com/blogs/alunj/archive/2006/02/13/83472.aspx and http://support.microsoft.com/kb/914392.
- How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server?
- Restart a Windows service remotely (stop/start only if already started)
- Best ‘failover service’ for windows which can monitor/start/stop services on 2 machines?
- Tomcat 6.0 service does not start: java/lang/NoClassDefFoundError
- Can’t Start SQL Server 2005 Agent – Start/Stop Are Not Enabled