CCS RMS error: Unable to open Service Control Manager database Error 5 Access is denied.
Prior to Windows 2003 SP1, “Authenticated Users” had the ability to enumerate services remotely. In Windows 2003 SP1, this permission was removed.
The ability to enumerate services is controlled by the “service control manager database” in Windows 2003.
To allow “Authenticated Users” to remotely enumerate services, run the following commands on the Windows 2003 server.
1. Run the SC command to get the current security on the “service control manager database”
- Sc sdshow scmanager
2. Record the SDDL string
3. Copy the SDDL to Notepad and replace (A;;CC;;;AU) with (A;;CCLCRPRC;;;AU)
- This will allow “Authenticated Users” the following additional rights:
- List Contents
- Read All Properties
- Read Permissions
4. Run the following command to set the new security on the “service control manager database”
- Sc sdset scmanager <SDDL String>
- Where <SDDL String> is the modified string from step 3.
- Windows 2003 SP1 example:
SC sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
More Information:
This is the default Windows 2003 SP1 SDDL string:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
This is the original Windows 2003 SDDL string:
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
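The step 3 edit can be checked before running sc sdset. The following is an added example, not part of the original article: it applies the replacement to the string recorded in step 2 and reports which rights “Authenticated Users” gains. The function names are hypothetical, and the SCM_RIGHTS table uses the Service Control Manager access-right names from the Windows SDK for the SDDL codes that the article lists under their generic names.

```python
import re

# SDDL right codes as the Service Control Manager interprets them (Windows SDK names).
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL", "KA": "SC_MANAGER_ALL_ACCESS",
}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def dacl_rights(sddl, trustee):
    """Return the two-letter right codes that allow ACEs in the DACL grant `trustee`."""
    if re.search(r"\s", sddl):
        raise ValueError("SDDL contains whitespace; sc needs it as one unbroken argument")
    start = sddl.find("D:")
    if start == -1:
        raise ValueError("no DACL (D:) section found")
    end = sddl.find("S:", start)          # the SACL, if present, follows the DACL
    dacl = sddl[start:end if end != -1 else None]
    codes = set()
    for ace_type, rights, sid in ACE.findall(dacl):
        if ace_type == "A" and sid == trustee:
            codes |= set(re.findall("..", rights))   # hex-encoded rights are not decoded
    return codes

def grant_au_enumerate(sddl):
    """Apply step 3: swap (A;;CC;;;AU) for (A;;CCLCRPRC;;;AU), exactly once."""
    old, new = "(A;;CC;;;AU)", "(A;;CCLCRPRC;;;AU)"
    dacl_rights(sddl, "AU")               # validates the string before editing it
    if sddl.count(old) != 1:
        raise ValueError("expected exactly one %s ACE; review the string by hand" % old)
    return sddl.replace(old, new)

def added_rights(before, after, trustee="AU"):
    """Name the SCM rights `trustee` gains between two SDDL strings."""
    gained = dacl_rights(after, trustee) - dacl_rights(before, trustee)
    return sorted(SCM_RIGHTS.get(code, code) for code in gained)

if __name__ == "__main__":
    # The default Windows 2003 SP1 string quoted in this article.
    current = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
               "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
    proposed = grant_au_enumerate(current)
    print("sc sdset scmanager " + proposed)
    print("AU gains:", added_rights(current, proposed))
```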