Forum Discussion
I have not needed to apply custom ACLs to services personally, so I have only done it a little bit with a test setup. For common situations like Domain Controllers where you can't just create local users, I've offered to install the Collector directly on the domain controller using Local System and only have it monitor itself.
In my testing for this post I used the built-in SC.exe command via CLI but there are several ways to do, like how described at https://www.winhelponline.com/blog/view-edit-service-permissions-windows/. Reviewing my notes here are some websites that was useful for understanding the SDDL syntax but you might want to use one of the GUI tools unless you want to script/automate it:
- University of Washington IT: Understanding SDDL Syntax
- MSMVP: SDDL – easier to read, except when it’s not (good details on Windows Service specific SDDL)
If you do figure out a good process for customizing SACLs for monitoring, I would be interested in it! Thanks.
Related Content
- 8 years ago
- 11 months ago
- 8 months ago
- 2 years ago