When a user or application tries to enumerate services on a Windows 2003 server, there may be an error saying: Access Denied.
If you view the security log on your Windows 2003 Server the following message appears:
Event ID: 560
Event Category: Object Access
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,530996958}
Process ID: 1184
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: MACHINENAME$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: USERNAME
Client Domain: DOMAIN
Client Logon ID: (0x0,0x1FA65EC5)
Accesses: Connect to service controller
Enumerate services
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x5
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Situation
I’ve come across this event in the following situation:
- Hardened Exchange 2003 Environment (E2K3 SP2)
- Windows 2003 Domain
- Delegated control to a group named X which had Exchange View Only rights
- Delegated control to a group named X which had Full Control on User objects in one OU
- Exchange System Tools on the Windows XP client installed
- MMC with the Active Directory Users & Computers
When a user in that group tried to edit the SMTP address, the user received the following error:
An Exchange Server could not be found in the domain.
Check if the Microsoft System Attendant service is running on the Exchange Server.
ID no: c10308a2
Microsoft Active Directory – Exchange Extension
Solution
To give authenticated users the correct access, we need to change the SCMANAGER rights. First, view the current rights. Log on to the server that logged Event ID 560.
At a command prompt, type:
sc sdshow SCMANAGER
You should see something similar to this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
To change the rights, type the following at a command prompt:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
The security settings are applied instantly, so no reboot is required.
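An added example (not part of the original post) that decodes the two descriptors above and checks them against the access mask 0x5 from the event: before the change Authenticated Users (AU) hold only CC (connect), so Connect plus Enumerate is refused; after it they hold CCLCRPRC. The function names are hypothetical, and the caller matching AU but not IU, SU or BA is an assumption about a remote logon.

```python
import re

# SDDL right codes as they map onto SC Manager access bits (winsvc.h values).
RIGHTS = {
    "CC": 0x0001,   # SC_MANAGER_CONNECT
    "DC": 0x0002,   # SC_MANAGER_CREATE_SERVICE
    "LC": 0x0004,   # SC_MANAGER_ENUMERATE_SERVICE
    "SW": 0x0008,   # SC_MANAGER_LOCK
    "RP": 0x0010,   # SC_MANAGER_QUERY_LOCK_STATUS
    "WP": 0x0020,   # SC_MANAGER_MODIFY_BOOT_CONFIG
    "RC": 0x20000,  # READ_CONTROL
    "KA": 0xF003F,  # KEY_ALL_ACCESS, same bits as SC_MANAGER_ALL_ACCESS
}

# The two descriptors shown on the page (sdshow output and sdset argument).
BEFORE = "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
AFTER = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

def dacl_allow_masks(sddl):
    """Return {trustee: allowed access mask} from the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    masks = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        if ace_type != "A":          # only access-allowed ACEs are handled here
            continue
        mask = 0
        for code in re.findall("..", rights):   # two-letter right codes only
            mask |= RIGHTS[code]
        masks[trustee] = masks.get(trustee, 0) | mask
    return masks

def grants(sddl, trustees, wanted):
    """True if the allow ACEs for the caller's trustees together cover `wanted`."""
    masks = dacl_allow_masks(sddl)
    granted = 0
    for t in trustees:
        granted |= masks.get(t, 0)
    return granted & wanted == wanted

if __name__ == "__main__":
    remote_user = ["AU"]   # assumption: a network logon carries AU but not IU/SU/BA
    print(grants(BEFORE, remote_user, 0x5), grants(AFTER, remote_user, 0x5))
    print({t: hex(m) for t, m in dacl_allow_masks(AFTER).items()})
```

The decoded trustee sets also show that the sdset line drops the separate IU and SU entries; the AU entry now carries the same CCLCRPRC rights they had.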
For more information: You receive an “ID no: c10308a2” error message when you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user in Exchange Server 2003
- http://support.microsoft.com/?kbid=905809




