Need Help with net start and Windows 7 UAC

z666zz666z

Thanks for all info and tutorial.

I have one big problem:
  • UAC must be ON, since a normal user can use the PC, but I do not want that normal user to be able to run anything that requires admin (except net start ServiceName)
  • ServiceName is just one service, not any service on the PC, just one specific service... same for net stop ServiceName
  • I have a batch script I need to run without elevating permissions
  • Inside it I need to run certain commands, like net start, that need elevated permissions
  • The script must be able to be run by a normal user, but without user interaction

In other words, I have a batch file with something like:
Code:
@ECHO OFF
REM Bla bla bla, some sentences i do not want to be run with admin privileges
net start ServiceName
REM Bla bla bla, some sentences i do not want to be run with admin privileges
REM etc etc

I need that script to run without user interaction (for example when remote controlling the PC or by running it remotely from another PC).
I also need that script to be runnable by a normal user.

I have the problem just on the net start sentence (the only one that needs to be run as admin, with elevated permissions, etc.).

If a UAC message comes up, remote control freezes and I must go to where the PC physically is to still be able to remote control it, so the solution requires that no UAC message comes up.

If I turn off UAC, then the "normal" user can run whatever he wants as admin (with some hack tools run from a pendrive; I have tested it myself and it is simply incredible what you can do on Windows with a "normal" account when UAC is off... I can also delete the full Windows folder and cause a BSOD with just UAC off and a normal account)... so UAC must be on, not off.

Obviously I do not want to give the admin password to the user... again the same problem... I do not want the user to be able to run anything (except net start ServiceName and net stop ServiceName) that requires admin.

Any help?

Thanks in advance.
 
Task Scheduler
 

Task manager is not a solution!!!

The script must be run by a normal user when he/she wants!!!

Imagine a personal Oracle Server's services:
-The user needs to start and stop them
-I also need to be able to do it remotely

Imagine the database must not always be started.

Same for any other service... but I need to let that normal user start/stop just one service, not all!!!

Task scheduler is not an option, sorry!!!
 

If I understand this correctly, you need the user to be able to execute a program with User (standard) privileges that performs both User-level and Admin-level privileged operations?

If so, you'll have to use the "runas" command in the script to run the certain operations with admin privileges, which will require password authentication. This will need to be provided in the command line (which the user will be able to see if they open or edit the script) or at run time, which you say you are trying to avoid.

I don't believe there is any other way around this. You either have to invoke the script with admin privileges (which will require password authentication when run from a standard user account) or you have to include the admin password in the script for running those particular admin-privilege commands.

Task Scheduler was provided as an option in that it can run commands with admin/system level privileges while a standard user account is logged in, thus not requiring admin authentication at runtime. However, it can't be done on an ad-hoc basis by the standard user.
 

You understand it perfectly, that is the problem I am having.

The user must be able to run a script (such a normal user can edit the script).

And I do not want the normal user to be able to run anything (except what I want) that needs admin privileges.

I have read (but not understood) that there is a way to configure service privileges... etc... in other words, something about configuring that one service can be started/stopped by one normal account without a password, etc...

What I have understood is that it is similar to giving file permissions, etc... but on services.

Well, since I do not understand such a thing... and it may be just the perfect solution to this specific problem... I wish to know more...

I have read a command line that may do something like that, it is:
Code:
setacl.exe -on spooler -ot srv -actn ace -ace "n:domainuser1;p:start_stop"

I do not understand it perfectly... but it seems to grant that user the right to start and stop a service called spooler (if I did not misunderstand it).

Can someone explain this command and how it works?

I mean: must it be run in an admin account or as a user with admin privileges... or in the user account? And what is each argument for?

I will try to find more info on this setacl.exe (I have never used such a command, and it looks like it is for configuring privileges from the command line, something that would make it easier for me to do some tasks I do with the GUI).

I know this is only for services (and file and folder privileges, I suppose), but not for running any exe... since actually I only need to let the user start and stop such a service, it may be just what I need now... or not?

Thanks in advance!!!

P.S.: I will investigate more about this "setacl.exe"... is it present on all Windows versions? Also on Home versions?
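The per-service permission asked about in the post above is stored in the service's security descriptor, which the built-in `sc sdshow` prints and `sc sdset` writes as an SDDL string. The following is an added example, not part of the thread and not SetACL's own code: it appends a start/stop-only ACE for one account and then checks that no non-admin trustee can reconfigure the service. The descriptor and the SID are constructed sample values.

```python
import re

# SDDL right codes as they apply to Windows service objects
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Rights that allow reconfiguring the service, i.e. far more than start/stop
RECONFIGURE = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
ADMIN_TRUSTEES = {"SY", "BA"}  # LocalSystem and built-in Administrators
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)")  # flags, then the ACE list

def parse_dacl(sddl):
    """Return one dict per DACL ACE: type, decoded rights, trustee."""
    match = DACL_RE.search(sddl)
    if not match:
        raise ValueError("no DACL (D:) section in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        codes = re.findall("..", fields[2])  # letter codes only, hex masks not decoded
        aces.append({"type": fields[0], "trustee": fields[5],
                     "rights": {RIGHTS.get(c, c) for c in codes}})
    return aces

def grant_start_stop(sddl, sid):
    """Append an allow ACE giving `sid` query-status, start and stop only."""
    match = DACL_RE.search(sddl)
    if not match:
        raise ValueError("no DACL (D:) section in SDDL string")
    return sddl[:match.end()] + "(A;;LCRPWP;;;%s)" % sid + sddl[match.end():]

def reconfigure_grants(sddl):
    """Allow ACEs that let a non-admin trustee reconfigure the service."""
    return [(a["trustee"], sorted(a["rights"] & RECONFIGURE))
            for a in parse_dacl(sddl)
            if a["type"] == "A" and a["trustee"] not in ADMIN_TRUSTEES
            and a["rights"] & RECONFIGURE]

# Constructed sample values: a typical service descriptor and a made-up user SID
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

if __name__ == "__main__":
    updated = grant_start_stop(SAMPLE_SDDL, SAMPLE_SID)
    print(updated, reconfigure_grants(updated))
```

An ACE that also carried `DC`, `WD` or `WO` would let that account change the service's binary path or permissions, which is exactly the broader admin capability the original poster wants to withhold.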