Paul Sobey wrote:
> Jim Hill wrote:
> 
> > Instead of running all day with a cmd shell with system account
> > privileges, I think it would be safer if only the scripts which
> > need such privileges are able to obtain them at runtime
> 
> Have you considered psexec (http://www.sysinternals.com) - that will
> fire off a single command as the system account for you on Win2K.

Good suggestion, thanks. I'll try that.

> Better to fix the Mailtraq COM implementation, but this would
> be a good alternative.

I'm not sure that it is fixable. The documentation in the win2k
resource kit for srvany, see below, seems to suggest that
services must run in the system account to allow users to
interact with them, so that privilege level will also apply to any
embedded services they contain, such as COM controls.

| Installing SrvAny
| 
| In the Log On tab, set the account the service will use when
| running. Choose either the System account or enter another valid
| account. The type of log on needed is determined by the
| application. 
| 
| If you need access to the screen and keyboard, you must choose
| System Account and check the "Allow Service to Interact with
| Desktop" box. Note that System Account is local and doesn't have
| network access. Otherwise, enter any valid account name and
| specify the correct logon password.

An added complication is that Mailtraq is an MTA (amongst other
things) which, self-evidently, requires network access. That, I
think, is why its mailtraqserver service is run from a separate
executable, mtqsvc.exe, instead of mailtraq.exe.

mailtraq.exe itself runs in the administrators account, though I
don't think it needs to except during installation. I can get it
running normally under a power user account by giving that user
full control over mailtraq.exe using regedt32. Unfortunately,
that doesn't seem to influence its COM behaviour.

An entry for "Mailtraq Control Interface" is present in win2k's
DCOM utility, dcomcnfg.exe, which seems promising but I've tried
playing with the permissions without any joy. To be honest, I
don't understand the implications of all the available options
and the only thing which I've found easy to achieve is to prevent
an application from running.
-- 

_______________________________________________
Perl-Win32-Users mailing list
Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
