Monitor service status on Windows domain controller without being a Domain Admin

There are possibly better and/or nicer ways to do this, but this works for me.

If you write your own server monitoring scripts, you may well be running them as an account that’s a member of the local Administrators group on all your servers. This allows you to use WMI and any other command line utilities to query all kinds of things about the remote systems. However, Domain Controllers don’t have a local Administrators group, so they are slightly more tricky to work with, despite being some of the most critical servers you own.

WMI won’t allow you to query service status. On other servers, as a member of the local Administrators group, you could use something like this:

Set wmiColl = GetObject("WinMgmts:\\" & serverName & "\root\cimv2").ExecQuery("Select * FROM Win32_Service WHERE Name LIKE '" & Trim(serviceName) & "'")

It won’t work on a domain controller unless you’re a Domain Admin.

Likewise, you might want to use the (still very handy) utility XNET.exe that came with older versions of KiXtart:

xnet.exe list \\server\service

It too requires admin rights.

Help is at hand though. The sc command does not require admin rights to query service status:

sc \\server query service

does work.

For any services that it fails on, e.g. NTDS on a Windows Server 2008 R2 domain controller, I used SubInACL to grant the account running the command Read access to the service:

subinacl /service NTDS /grant="domain\account"=R

I would suggest using v5.2 of SubInACL as an older version I tried didn’t affect the service permissions.
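
To confirm what a grant like the one above actually left on the service, `sc sdshow NTDS` prints the service's security descriptor as SDDL. The Python below is an added example, not code from the original post: it decodes the DACL and reports any rights the monitoring account holds beyond read. The SID and both descriptors are constructed samples, and it assumes the rights appear as two-letter SDDL codes.

```python
import re

# SDDL access-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# The most a status-polling account should need (the service "generic read" set).
READ_ONLY = {"QUERY_CONFIG", "QUERY_STATUS", "ENUMERATE_DEPENDENTS",
             "INTERROGATE", "READ_CONTROL"}

def parse_service_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the DACL (D:) part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights_str, trustee = fields[0], fields[2], fields[5]
        codes = re.findall("..", rights_str)
        if len(rights_str) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError("rights not in two-letter form: " + rights_str)
        aces.append((ace_type, trustee, {SERVICE_RIGHTS[c] for c in codes}))
    return aces

def excess_rights(sddl, trustee):
    """Rights allowed to trustee that go beyond read-only status polling."""
    granted = set()
    for ace_type, who, rights in parse_service_dacl(sddl):
        if ace_type == "A" and who == trustee:
            granted |= rights
    return granted - READ_ONLY

# Constructed sample data: placeholder SID for the monitoring account and
# two descriptors in the shape `sc sdshow` prints, not taken from a real server.
MONITOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;%s;;;" + MONITOR_SID + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
READ_GRANT = BASE % "CCLCSWLORC"        # read only
BROAD_GRANT = BASE % "CCLCSWRPWPLORC"   # also allows start and stop

if __name__ == "__main__":
    for name, sddl in (("read", READ_GRANT), ("broad", BROAD_GRANT)):
        print(name, sorted(excess_rights(sddl, MONITOR_SID)) or "read-only")
```

An empty result means the account can only read the service; anything else names rights that a status check does not need.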
