Minimum rights required to run a Windows service as a domain account

Posted on 2024-07-07 22:58:21

Comments (4)

永言不败 2024-07-14 22:58:22

I do know that the account needs to have "Log on as a Service" privileges. Other than that, I'm not sure. A quick reference to Log on as a Service can be found here, and there is a lot of information on specific privileges here.

陌路终见情 2024-07-14 22:58:22

"BypassTraverseChecking" means that you can directly access any deep-level subdirectory even if you don't have all the intermediary access privileges to directories in between, i.e. all directories above it towards root level.

百合的盛世恋 2024-07-14 22:58:22

Thanks for the links, Chris. I've often wondered about the specific effects of privileges like "BypassTraverseChecking" but never bothered to look them up.

I was having interesting problems getting a service to run and discovered that it didn't have access to its files after the initial installation had been done by the administrator. I was thinking it needed something in addition to Logon As A Service until I found the file issue.

  1. Disabled simple file sharing.
  2. Temporarily made my service account an administrator.
  3. Used the service account to take ownership of the files.
  4. Remove service account from the administrators group.
  5. Reboot.

During Take Ownership, it was necessary to disable inheritance of permissions from the parent directories and apply permissions recursively down the tree.

Wasn't able to find a "give ownership" option to avoid making the service account an administrator temporarily, though.

Anyway, thought I'd post this in case anyone else was going down the same road I was, looking for security policy issues when it was really just filesystem rights.

泪意 2024-07-14 22:58:21

Two ways:

  1. Edit the properties of the service and set the Log On user. The appropriate right will be automatically assigned.

  2. Set it manually: Go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the item "Log on as a service" and add your domain user there.
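
The two things the answers above identify as required, the "Log on as a service" user right and file-system access to the service's own files, can be checked together. The following is an added example, not code from the original thread; the service name MyService is a placeholder, and the script assumes the service runs as a DOMAIN\user account and is run from an elevated prompt.

```powershell
# Added example: audit the two requirements discussed in the thread for one service.
# 'MyService' is a placeholder name (assumption). Run elevated: secedit /export needs admin.
param([string]$ServiceName = 'MyService')

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName   # assumed to be in DOMAIN\user form

# secedit lists holders of a right as *SID, so resolve the account to its SID first.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# 1. User right: is the account listed directly under "Log on as a service"?
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $inf
$holders = ($line -split '=', 2)[1] -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') }
$hasRight = $holders -contains $sid

# 2. File system: which ACEs on the service's install directory name the account?
# Simplification: handles a quoted image path, or an unquoted one without spaces.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       else { ($svc.PathName -split ' ')[0] }
$dir  = Split-Path -Parent $exe
$aces = (Get-Acl $dir).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid }

# Limitation: both checks see direct grants only, not rights or ACEs
# the account receives through group membership.
[pscustomobject]@{
    Service        = $ServiceName
    Account        = $account
    LogOnAsService = $hasRight
    Directory      = $dir
    DirectoryAces  = ($aces | ForEach-Object {
                         "$($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
}
```

An empty DirectoryAces with LogOnAsService set to True matches the situation in the third comment: the logon right is in place but the account has no direct entry on its own files. An administrator can add that entry with icacls and its /grant option, without putting the account in the Administrators group.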
