Microsoft® Windows® 2000 Scripting Guide
On occasion, you might need to change the account under which a given service runs. For example, you might run a service under an administrative account. Because this can create a security vulnerability, you might switch the service to an account with fewer privileges. Alternatively, you might have services running under an account that is about to be deleted, or you might want to ensure that, on all your servers, certain services run under certain accounts.
You can use the Win32_Service Change method to configure services to run under a specified user account. When selecting an account, keep in mind the following:
LocalSystem is required for any service that must interact with the desktop, because only one window station (WinSta0) can be visible and interactive at a time. If a service runs under an account other than LocalSystem, it runs in the Service-0x03e7$\Default window station, which is an invisible window station. Services running in this window station cannot receive input or display output.
Win32_Service properties and methods related to service accounts are shown in Figure 15.4.
Figure 15.4 Win32_Service Account Properties and Methods
Listing 15.20 contains a script that switches services currently running under a specified user account to the LocalSystem account. To carry out this task, the script must perform the following steps:
To limit data retrieval to a specific set of services, a Where clause is included that restricts the collection to those services whose StartName (the account the service runs under) is .\Netsvc.
The period and backslash (.\) preceding the account name indicate that the account is a local user account (a second backslash is required whenever a single backslash is used in a query). If the service is running under a domain account, the period is replaced by the domain name (for example, fabrikam\\Netsvc).
Because StartName must be the seventh parameter passed to the Change method, the new account name is preceded by six empty arguments (represented by the six commas). Following StartName, an empty string ("") is used to indicate that the LocalSystem account does not use a password. If LocalSystem did use a password, the password for the account would be listed following StartName.
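As an added example (not the guide's Listing 15.20 and not Microsoft's code), the script below applies the same Change call in the direction the opening paragraph motivates: it moves a named service off LocalSystem onto a dedicated, less-privileged local account, passes StartName as the seventh argument and the password as the eighth, checks the return code, and re-reads StartName with a properly escaped WQL query to confirm the change. The service name SampleSvc, the account .\svc_sample and the password placeholder are assumptions.

```vbscript
' Added example (not the guide's Listing 15.20): move one service off LocalSystem
' onto a dedicated, less-privileged local account and verify the result.
' Assumptions: service SampleSvc exists, local account svc_sample exists and holds
' the "Log on as a service" right, and the password below is a placeholder.
Option Explicit

Const SVC_NAME     = "SampleSvc"
Const NEW_ACCOUNT  = ".\svc_sample"                  ' .\ marks a local account
Const NEW_PASSWORD = "<replace-with-real-password>"  ' placeholder only

Dim strComputer, objWMIService, colServices, colVerify, objService, errReturn
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Act only on the named service while it still runs as LocalSystem.
Set colServices = objWMIService.ExecQuery( _
    "Select * from Win32_Service Where Name = '" & SVC_NAME & "'" _
    & " And StartName = 'LocalSystem'")
If colServices.Count = 0 Then
    WScript.Echo SVC_NAME & " not found, or not running as LocalSystem."
    WScript.Quit 1
End If

For Each objService In colServices
    ' Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    '        DesktopInteract, StartName, StartPassword, ...): six empty
    ' arguments skip to StartName (7th); the password is the 8th argument.
    errReturn = objService.Change(, , , , , , NEW_ACCOUNT, NEW_PASSWORD)
    Select Case errReturn
        Case 0:    WScript.Echo "Service account changed."
        Case 2:    WScript.Echo "Access denied; run from an administrative session."
        Case 22:   WScript.Echo "Invalid service account; check name and logon right."
        Case Else: WScript.Echo "Change failed, return code " & errReturn
    End Select
    If errReturn <> 0 Then WScript.Quit errReturn

    ' Re-query to confirm. A backslash inside a WQL string must be doubled, so
    ' the account name is escaped with Replace before it goes into the query.
    Set colVerify = objWMIService.ExecQuery( _
        "Select * from Win32_Service Where Name = '" & SVC_NAME & "'" _
        & " And StartName = '" & Replace(NEW_ACCOUNT, "\", "\\") & "'")
    If colVerify.Count = 1 Then
        WScript.Echo "Verified: " & SVC_NAME & " is configured to run as " & NEW_ACCOUNT
    Else
        WScript.Echo "Warning: StartName did not update as expected."
    End If
Next
```

The new account takes effect the next time the service starts; a service that is already running keeps its current security context until it is restarted.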
Listing 15.20 Switching Service Accounts to LocalSystem