h1 Monitor service status on Windows domain controller without being a Domain Admin

Posted by Unknown on Sunday, January 16, 2011

If you write your own server monitoring scripts you may well be running them as an account that’s a member of the local administrators group on all your servers. This allows you to use WMI and any other command line utilities to query all kinds of things about the remote systems. However Domain Controllers don’t have a local Adminstrators group, so are slightly more tricky to work with, despite being some of the most critical servers you own.
WMI won’t allow you to query service status. Where you could use something like this as a member of the local Administrators group:
Set wmiColl = GetObject("WinMgmts:\\" & serverName & "\root\cimv2").ExecQuery("Select * FROM Win32_Service WHERE Name LIKE'" & Trim(serviceName) & "'")

It won’t work on a domain controller unless you’re a Domain Admin.
Likewise, you might want to use the (still very handy) utility XNET.exe that came with older versions of KiXtart:
xnet.exe list \\server\service

it too requires admin rights.
Help is at hand though, the sc command does not require admin rights to query service status:
sc \\server query service

does work.
For any services that it fails on, e.g. NTDS on a Windows Server 2008 R2 domain controller, I used SubInACL to grant the account running the command Read access to the service:
subinacl /service NTDS /grant="domain\account"=R

More Here


{ 0 comments... read them below or add one }

Post a Comment