Professor
AdvisorFor the access denied error, I think it’s because the admin account doesn’t have right to modify permission for this service. Let’s take WdNisSvc as example. Except (A;;CCLCSWLOCRRC;;;AU) we added, original permission of this service on your machine should be like below:
D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
As we can see, neither built-in administrators (BA) nor local system account (SY) has privilege to modify service permissions, so we’ll get access denied error when trying to change its permission even in elevated cmd. I also tested with system account in lab and got the same error.
I suppose S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 should have permission, but I haven’t managed to launch cmd using this account successfully in lab. Based on my test, seems TrustedInstaller also has permission to make this change. So if we do need change permission for this service, we can try launch cmd as TrustedInstller to run the “sc sdset” command, which we may need resort to some third party apps. Below I’ll share one of the possible approaches that I tested in my lab:
1. Open PowerShell as administrator and run below commands to import Ntprocess module:
PackageManagement\Get-PackageProvider -Name NuGet -Force
Install-Module -Name NtObjectManager -Confirm:$False -Force
Please note: I got below error when trying to import the module, and work around it by turn off Real-time protection from Windows Security > Virus & threat protection settings.
2. Then run below commands to start PowerShell with TrustedInstller privilege:
Start-Service TrustedInstaller
$p = Get-NtProcess -Name TrustedInstaller.exe
New-Win32Process powershell.exe -CreationFlags NewConsole -ParentProcess $p
In short, different services may have different permission settings. In order to change permission for a specific service, we need run command with an account that has permission to make this change.
