Monitor Windows XP services

[Martin Zugec]

But I still think it is best for you to use subinacl command to deny access for your users - they wont be able to switch it back, because there is no gui for this (except using policy scanning, which is quite hard for common user)

[D8TA]

But I still think it is best for you to use subinacl command to deny access for your users - they wont be able to switch it back, because there is no gui for this (except using policy scanning, which is quite hard for common user)

<{POST_SNAPBACK}>

I don't mean to sound stupid but how would I go about doing that? Use subinacl command to deny access to the service.

[D8TA]

You can use the local policy editor to prevent users from even viewing the services by using:

start -> run -> gpedit.msc [enter]

then browse to:

Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins

And then disable the 'services' snap-in.

Though I read your users are logged in as administrator, that's not really a good idea IMHO. They can disable the policy again, but it's worth to try.

Or make them power users or something.

[edit] ugh I only read just now there are 4500+ pc's, so going over each pc setting the policy isn't really an option lol. Guess it'd be easier if you had a domain with AD.

<{POST_SNAPBACK}>

Tried this and it doesn't appear to work like you described. Power Users are still able to view and stop services. I don't know how you would make the services list show nothing or omit the services that I want constantly running?

I am still working on the wmic stuff but would like to know how you are removing services from the services list, the above doesn't work.

[Yzöwl]

Thats easy fixed,

Being given 'Power User' or any other non 'user' account type is a privilege, anyone found to have stopped a service without express permission from myself will face misconduct charges, which may result in job loss!

[Marsden]

4500 PCs and not on a Domain??? That should priority one. Then take advantage of Group Policy. No need for scripts...

[D8TA]

We are slowly working towards AD, hopefully sooner than later but that is a different group, Server Management.

Being given 'Power User' or any other non 'user' account type is a privilege, anyone found to have stopped a service without express permission from myself will face misconduct charges, which may result in job loss! This wouldn't fly in our organization and that is part of the problem I have. Most of the users who are disabling these services are the associates in the IT/Support area who are afraid of Big Brother watching. Although these services don't monitor anything the user does just where the asset is located.

Someday for me this job will be easy once the domain is in place, but until then I still have to construct these means to obtain a solution. I appreciate all the help I am receiving here and this board is awesome!!

I am looking at editting permissions with Subinacl. I am hoping soulin will let me know the syntax I would need to deny these services for certain users.

I am still not sure what happens if the user Disables the service, but hopefully I can find a way to both re-enable the service and restart the service if it was in the stopped and disabled state then change the permission for the user-deny to ensure it from not happening again. Who knows.....I know I have my work cut out for me. Thanks again.

[D8TA]

I got the subinacl to work and I believe it will do the trick. I am going to try some other settings within the security template but appreciate everyone's comments and tips/tricks. Thanks again!!