Windows Media Server 2008: Limit User Rights

Microsoft tells us that you can limit user rights in WMS as follows:

By default, Windows Media Services can only be accessed by users in the Administrators group. To limit user rights effectively while still enabling users to administer Windows Media Services, you can remove users from the Administrators group and then add them to Windows Media Services only. To add users directly to Windows Media Services, you must use Component Services to configure access permissions for the Windows Media Services Component Object Model (COM) object.

To provide a user administrative rights to Windows Media Services:

1. On your server, start the DCOM config utility.
2. Locate Windows Media Services in the list, and open its properties.
3. On the Security tab, edit the access permissions. The Access Permissions list shows the users and user groups that can administer Windows Media Services.
4. Add the users or groups that you want to be able to administer Windows Media Services, and then close the dialog boxes.

The new settings will take effect when you restart Windows Media Services.

In fact, when you open dcomcnfg, you will find that the security permission settings of “Windows Media Services” are greyed out and disabled.

This is a new security feature of Windows Server 2008 R2 x64. Some core system components grant Full Control only to the local internal account TrustedInstaller, not to the local Administrators group.

To be able to modify the settings of “Windows Media Services” on a Windows Server 2008 R2 system, you need to grant the local Administrators group permissions to its registry key as follows:

1. Check the AppID of WMS in the Component Services management console (dcomcnfg.exe). On my machine it is {A2EFA5CB-3B0E-11D2-9EFD-006097D2D7CF}.
2. Run Regedit.exe and browse to the “HKEY_CLASSES_ROOT\AppID\{A2EFA5CB-3B0E-11D2-9EFD-006097D2D7CF}” key.
3. Right-click the {A2EFA5CB-3B0E-11D2-9EFD-006097D2D7CF} key and select Permissions…
4. Click the Advanced button in the Permissions window and select the Owner tab. Under “Change owner to”, select the local Administrators group and click Apply, then OK.
5. Back in the Permissions window, select the local Administrators group, and under “Permissions for Administrators” select Full Control; click Apply, then OK.
NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.

Now re-run the Component Services management console (dcomcnfg.exe); you can then follow Microsoft's steps to configure access permissions for the Windows Media Services Component Object Model (COM) object.
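
To check the result of the steps above, here is a read-only PowerShell audit (an added example, not part of the original post or of Microsoft's documentation). It prints the owner and ACL of the AppID key and decodes the DCOM AccessPermission and LaunchPermission values into trustees and COM rights. The AppID is the one reported in the post; the function names Resolve-SidName and Get-DcomAce are hypothetical.

```powershell
# Added example, not from the original post: read-only audit, changes nothing.
# AppID as reported in the post; confirm the value on your server in dcomcnfg.
$AppId   = '{A2EFA5CB-3B0E-11D2-9EFD-006097D2D7CF}'
$KeyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"

# COM_RIGHTS_* bit values from the Windows SDK.
$ComRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
                8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned SID: show it raw
}

# Decode a binary DCOM security descriptor stored under the AppID key.
function Get-DcomAce([string]$ValueName) {
    [byte[]]$bytes = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).$ValueName
    if (-not $bytes) {
        Write-Warning "$ValueName is not set; the machine-wide DCOM default applies."
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask   = $ace.AccessMask
        $rights = $ComRights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                  ForEach-Object { $ComRights[$_] }
        New-Object PSObject -Property @{
            Value = $ValueName; Type = $ace.AceType
            Trustee = (Resolve-SidName $ace.SecurityIdentifier); Rights = ($rights -join ',')
        }
    }
}

# Registry side: who owns the key and who can write to it.
$acl = Get-Acl -Path $KeyPath
"Key owner: $($acl.Owner)"
$acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# The post warns not to touch TrustedInstaller's entry; flag it if it has disappeared.
if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -like '*TrustedInstaller' })) {
    Write-Warning 'No TrustedInstaller entry on the key: the ACL differs from what the post describes.'
}

# DCOM side: which accounts may administer (access) or launch the WMS COM object.
'AccessPermission', 'LaunchPermission' | ForEach-Object { Get-DcomAce $_ } |
    Format-Table Value, Type, Trustee, Rights -AutoSize
```

Run it from an elevated prompt before and after the change, and compare the two outputs to see exactly which accounts gained access.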

P.S. There is a bug in Windows Media Services on Windows 2003 (not on Windows 2008): if you, as a limited user, exit wmsadmin and then start it again, you will get error code 0xc00d0006 and the server no longer shows up in wmsadmin. You have to add it again using “localhost” every time.

See also:

http://technet.microsoft.com/en-us/library/cc753241(WS.10).aspx
http://blogs.msdn.com/b/emeadaxsupport/archive/2010/01/26/unable-to-edit-the-dcom-settings-for-iis-wamreg-admin-service-on-a-windows-server-2008-r2-when-trying-to-configure-kerberos-authentication-for-role-centers.aspx
