Forum Discussion
If you install other things after you've run the least priv script, you'll have to re-run the script to set the right permissions on the new services.
LM appear to have released an update for it recently (you'll find it in the LM install folder on your collectors). The change is to the Security Descriptors that are used to set the permissions on SC Manager and Windows Services. Before that change, we weren't getting full info on service (like PathName - crucial for identifying SQL instances).
We typically have the script pushed out via Group Policy so it re-runs regularly. The script doesn't check that the correct permissions are already in place for SCManager and the Windows Services, so it applies duplicate permissions each time it runs. We've had to write some code to check this before the script makes any changes, so we don't end up with a lot of duplicates. We've found it can get to the point where you can no longer make any further changes to SCManager/Service permissions as it hits a maximum security descriptor length.
In coding this check, I found that the SDDL that the script is using seems to be translated into something else by Windows when applied. So, even when we put in a check to prevent it duplicating permissions, it still configured duplicates. I found that we had to use different SDDLs for SCManager and for Windows Services, so have had to modify the script a little to use different descriptors:
SDDL for SC Manager = CCLCRPRC
SDDL for Windows Services = CCLCRPLORC
What error are you getting when you try to use SDSet? I've found it's usually due to trying to push a malformed security descriptor or, because of the duplicates created if re-running the script, because it can't accept any further updates.
What do you get if you run sc.exe sdshow SCMANAGER?
If it's more than a couple of lines then you might have issues with duplicates as we did.
Agree with this not really being scalable for an MSP environment. We've made quite a few modifications so that it can be reliably run (and re-run) via Group Policy without causing problems. I think I'd probably get shot if I shared it, but happy to answer any questions if I can help.
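An idempotent way to apply the grant, covering both the duplicate check discussed above and the sdshow inspection, as an added PowerShell example (not the LM script or the poster's modified version): it parses the current descriptor with .NET's RawSecurityDescriptor and compares access masks rather than the SDDL letters, so the re-encoding Windows does on apply does not defeat the duplicate check. The $Sid parameter is a placeholder for the collector account's SID; the two rights strings are the ones given in the thread.

```powershell
<# Added example, not the LogicMonitor script or the poster's version.
   Assumes $Sid is the collector account's SID (placeholder) and the
   rights strings are the two from the thread. Run from an elevated shell. #>
param(
    [Parameter(Mandatory)] [string] $Sid,   # e.g. S-1-5-21-<placeholder>-1001
    [string] $Target = 'scmanager',         # 'scmanager' or a service short name
    [string] $Rights = 'CCLCRPRC'           # SC Manager; use CCLCRPLORC for a service
)

function Get-TargetSddl {
    param([string] $Name)
    # sc.exe prints a blank line followed by the SDDL on a single line
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    return ($out | Where-Object { "$_" -match '^\s*[OGDS]:' } | Select-Object -First 1).Trim()
}

function Get-MatchingAceCount {
    param([System.Security.AccessControl.RawSecurityDescriptor] $Sd,
          [System.Security.AccessControl.CommonAce] $Ace)
    # Compare SID and access mask, not the letter string: Windows re-encodes
    # the rights on apply, so a string compare of the SDDL misses duplicates.
    $found = @($Sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Equals($Ace.SecurityIdentifier) -and
        (($_.AccessMask -band $Ace.AccessMask) -eq $Ace.AccessMask)
    })
    return $found.Count
}

$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-TargetSddl $Target))
$wanted  = New-Object System.Security.AccessControl.RawSecurityDescriptor("D:(A;;$Rights;;;$Sid)")
$wantAce = $wanted.DiscretionaryAcl[0]
$count   = Get-MatchingAceCount -Sd $sd -Ace $wantAce

if ($count -ge 1) {
    # Already granted: a re-run must not append another ACE, or the descriptor
    # grows on every GPO cycle until it hits the maximum length.
    if ($count -gt 1) { Write-Warning "$Target has $count ACEs for $Sid; duplicates already present" }
    Write-Host "$Target already grants $Rights to $Sid; nothing to do"
} else {
    # Append the ACE and write back the regenerated SDDL (DACL plus existing SACL)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $wantAce)
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    & sc.exe sdset $Target $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Target failed" }
}
```

Running it against a host that has already been hit by repeated GPO runs reports the duplicate count without adding to it, which is the cue to clean the descriptor up before it reaches the length limit.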