Microsoft KB Archive/926639

= How to reset an empty DACL in a service security descriptor on a Windows Server 2003-based computer =

Article ID: 926639

Article Last Modified on 11/27/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)




INTRODUCTION
This article describes how to reset an empty discretionary access control list (DACL) in a service security descriptor on a Microsoft Windows Server 2003-based computer.



MORE INFORMATION
By default, the security descriptor that is set on a service assigns administrator rights and permissions to the members of the Administrators group. The members of the Administrators group cannot manage a service until the computer is restarted if one of the following conditions is true:
 * A service is created by using a security descriptor that contains an empty DACL.
 * The security of an existing service is modified by using a security descriptor that contains an empty DACL.

The members of the Administrators group receive an "access denied" error message when they try to do the following tasks:
 * Start the service security descriptor.
 * Stop the service security descriptor.
 * Pause the service security descriptor.
 * Change the service security descriptor.

To set a security descriptor that contains an empty DACL on a service, run the following command at a command prompt:

sc sdset <ServiceName> D:S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note In this command, <ServiceName> is a placeholder for the name of the service.

When you restart the computer, the service control manager detects that the service has an empty DACL. Additionally, the service control manager implicitly applies a default DACL. The default DACL assigns full access to the members of the Administrators group. To verify that the default DACL is applied after you restart the computer, run the following command at a command prompt:

sc sdshow <ServiceName>

The command must return the following result:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note The implicit DACL does not appear in the Security registry value for the service or in the permissions that the Security Configuration and Analysis utility shows.
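A check along these lines can be run over `sc sdshow` output collected from servers, or over a string before it is passed to `sc sdset`. This is an added example, not part of the original article and not Microsoft code; the function names and result labels are made up for illustration. It assumes that rights are written as two-letter codes rather than hexadecimal masks and it does not evaluate deny ACEs.

```python
import re

# Two-letter SDDL rights codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights behind the four tasks the article lists: start, stop, pause, change.
MANAGE = {"RP", "WP", "DT", "DC"}

def parse_aces(acl_text):
    """Parse every '(...)' ACE in acl_text; raise ValueError if one is malformed."""
    aces = []
    for raw in re.findall(r"\(([^()]*)\)", acl_text):
        fields = raw.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields, got {len(fields)}: ({raw})")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if not trustee or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"bad trustee or rights code: ({raw})")
        aces.append({"type": ace_type, "rights": set(codes), "trustee": trustee})
    return aces

def audit_service_sddl(sddl):
    """Classify the DACL in one string returned by `sc sdshow`."""
    parse_aces(sddl)                       # validate DACL and SACL ACEs alike
    head, _, _sacl = sddl.partition("S:")  # drop the SACL before looking at D:
    if "D:" not in head:
        return "no-dacl-component"
    dacl_aces = parse_aces(head.split("D:", 1)[1])
    if not dacl_aces:
        return "empty-dacl"                # the D:S:(...) shape from the article
    admin_rights = set()
    for ace in dacl_aces:
        if ace["type"] == "A" and ace["trustee"] == "BA":
            admin_rights |= ace["rights"]
    return "admins-can-manage" if MANAGE <= admin_rights else "admins-restricted"

# EMPTY is the string from the article; MALFORMED is constructed for this example.
EMPTY = "D:S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
MALFORMED = "D:(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)"

if __name__ == "__main__":
    print(audit_service_sddl(EMPTY))
    try:
        audit_service_sddl(MALFORMED)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting a malformed ACE before calling `sc sdset` catches a mistyped field count or rights code in a reset string while it is still only text.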

The Local System account has an implicit right to every service. This right allows the Local System account to reset the service DACL.

To manage a service, use one of the following methods.

Method 1: Reset the service to the default permission
 Restart the computer. Log on by using an account that has administrative credentials. Reset the service to the default permission.

For example, run the following command at a command prompt to reset the service to the default permission:

sc sdset <ServiceName> D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)



If you cannot restart the computer quickly, use method 2.

Method 2: Assign the default rights to the service
 Schedule a command prompt to run under the Local System account. To do this, run the following command at a command prompt:

at <Time> /interactive cmd

Note In this command, <Time> is a placeholder for one minute added to the current time on the computer. For example, if 6:30 is the current time on the computer, type at 6:31 /interactive cmd, and then press ENTER.

When the new command prompt appears, run the following command to assign the default rights to the service:

sc sdset <ServiceName> D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)




© Microsoft Corporation. All rights reserved.