These are chat archives for splatteredbits/Carbon

25th
May 2016
Thomas Noth
@thomasnoth_twitter
May 25 2016 06:43

@splatteredbits

  • I have a server "X" and a Scriptinghost "Y".
  • I run a powershell-script on the Scriptinghost "Y" which should change the logonuser in SERVICE "Z" on Server "X" with a special privileged Service-Account which has been granted FULL-Rights on Service "Z" on Server "X" via Carbon's Grant-ServicePermission...
  • If I run the script with a user which is local admin on "Server X" everything's fine - only the special privileged Service-Account can't change the logon-user -> I get Access denied

:-)

Aaron Jensen
@splatteredbits
May 25 2016 06:56
@thomasnoth_twitter What do you mean by scripting host? Is it a different server?
Thomas Noth
@thomasnoth_twitter
May 25 2016 06:56
yes
remoting is configured
Aaron Jensen
@splatteredbits
May 25 2016 06:58
So service account uses PowerShell remoting from server Y to connect to server X and tries to change the service's logon?
Thomas Noth
@thomasnoth_twitter
May 25 2016 06:59
yes... and the service account does have FULLControl to the specified service
Aaron Jensen
@splatteredbits
May 25 2016 07:01
Is service account a domain account? What happens if you log into server X via Remote Desktop and try to change the service's credentials?
Thomas Noth
@thomasnoth_twitter
May 25 2016 07:03
yes the service is a domain-account...and if I do it manually it is also working... it must be a permission-issue because if I run the script with a user which is local admin on target-server it works...
is grant-servicepermission the right method to grant rights to change the logon-user?
Aaron Jensen
@splatteredbits
May 25 2016 07:03
How are you updating the service's credentials? Sc.exe? Carbon's Install-Service function?
what if you run the script with service account on target server? Sometimes funny things happen over PS remoting.
Thomas Noth
@thomasnoth_twitter
May 25 2016 07:05
I'll clarify that...
Aaron Jensen
@splatteredbits
May 25 2016 07:06
Grant-ServicePermission is used to give an identity permission to manage a service, which, according to Microsoft documentation, should include changing its configuration, including logon info.
Thomas Noth
@thomasnoth_twitter
May 25 2016 07:09
what happens if we use install-service but the service already exists?
oh I see in the documentation
Aaron Jensen
@splatteredbits
May 25 2016 07:11
Install-Service only updates a service if parameters differ from current service properties.
Thomas Noth
@thomasnoth_twitter
May 25 2016 07:20
If I just want to change the "logon-user" for an existing service and I just run install-service name "SERVICEXY" -credential Domain\Serviceaccount it will reset all other parameters like path to executable etc? Right?
Aaron Jensen
@splatteredbits
May 25 2016 07:24
Yes. (Path is required so it will get set to whatever you pass.)
so domain\serviceaccount is being used to configure the service and as the service's credentials?
I'm interested in seeing the code that connects to the server and tries to set the service's credentials.
Thomas Noth
@thomasnoth_twitter
May 25 2016 07:27
no... domain\serviceaccount is used to run the script which sets the logon user of that service to domain\anotherserviceaccount
I'll see if I can get the code...wait...was not written by me

$cred = get-credential -Message "Text"

$Server = "SERVERNAME"
$Service = "NAME OF SERVICE"

# Look up the service on the remote server via WMI
$wmiservice = gwmi win32_service -computer $Server -filter $("name="+'"'+$Service+'"') # -Credential $CredSVC
# Change() expects the password as a plain-text string, not the SecureString held in $Cred.Password
$wmiservice.change($null,$null,$null,$null,$null,$null,$Cred.Username,$Cred.GetNetworkCredential().Password)
$return = $wmiservice.StopService()
$Zähler = 0
# Wait for the service to stop; after 10 seconds, kill its process
while ($(get-Service -ComputerName $Server -Name $Service).Status -notmatch "stopped") {
    $Wartezeit = 500 # ms
    Start-Sleep -milliseconds $Wartezeit
    $Zähler += $Wartezeit
    if ($Zähler -ge 10000) {
        Invoke-Command -ComputerName $Server -ScriptBlock {Stop-Process -Id $using:wmiservice.ProcessId -Force}
        $wmiservice.ProcessID
    }
}
$return = $wmiservice.StartService()

Aaron Jensen
@splatteredbits
May 25 2016 16:45
@thomasnoth_twitter I have a sneaky suspicion that the WMI command that gets run when you call the Change method doesn't run as $CredSVC on the server.
Aaron Jensen
@splatteredbits
May 25 2016 17:08

I'm wrong. Looks like the WMI commands do run as $CredSVC. At least Win32_Process does. I created a batch file on the server that outputs who the user is to a file [1]. Then I ran that batch file using Win32_Process. The outputted username is the credential I passed to Get-WmiObject [2].

[1]
whoami /all > D:\stdout.txt 2> D:\stderr.txt

[2]
$p = gwmi -list win32_process -ComputerName $ComputerName -Credential $credential
$p.Create("cmd.exe /s /c C:\whoami.bat")

So, the next thing I would try is to log into $Server as $CredSVC and see if you can modify the service's credentials. If you can, then you know something strange is happening over WMI. If you can't, then you know something about the service permissions isn't working.
Aaron Jensen
@splatteredbits
May 25 2016 17:22
In my own testing, I granted an unprivileged user full control permissions on a service, and that user was able to change the service's credentials. I did everything locally, on my development desktop.