Monday, July 27, 2015

HOW TO: Grant non-admin users the right to stop and start Windows services

Posted By: The Funky Tech Guy - 11:25:00 AM


The Problem

So we have this new library system, and today I was asked to give some of the staff the ability to stop/start 2 particular Windows services.
The first thing that came to mind was: I'm not giving them admin access. I also did not want them to have the ability to stop and start any Windows service, but only the ones I give them access to.

I found it wasn't as simple and straightforward as I thought it would be, but luckily for me I found a gem of a free tool.

Solutions

I will show you 3 ways of doing this, with the 3rd being the easiest and GUI-based.

1. Using security descriptors

You do this with the SC command from a command prompt (cmd).

SC sdshow - displays the security descriptor for a specific service
SC sdset - changes/modifies it

For an easy-to-follow guide, check out http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
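Here is what method 1 can look like end to end, as an added example that is not from the original post or the linked guide: it reads the service's SDDL with sc sdshow, inserts one allow ACE for a single account, and only writes it back with sc sdset when asked. The service name and account are reused from the SubInACL example below as placeholders, and the rights string in the ACE is this example's own choice.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Default service and account are placeholders taken from the SubInACL example; replace them.
param(
    [string]$ServiceName = 'Themes',
    [string]$Account     = 'Workstation003\jblack',
    [switch]$Apply       # without -Apply the script only prints what it would set
)

# SDDL ACEs name principals by SID, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Call sc.exe explicitly: in Windows PowerShell "sc" is an alias for Set-Content.
$old = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $old) { throw "Could not read a DACL for service '$ServiceName'." }

# Rights granted: LC query status, RP start, WP stop, DT pause/continue,
# LO interrogate, RC read the descriptor. DC (change config), WD (write DACL)
# and WO (take ownership) are left out on purpose: each lets the holder
# reconfigure the service and run code as the service account.
$ace = "(A;;LCRPWPDTLORC;;;$sid)"

if ($old.Contains(";;;$sid)")) {
    Write-Warning "An ACE for $Account ($sid) already exists; review it before adding another."
    return
}

# The new ACE belongs in the DACL (D:), so insert it before the SACL (S:) if there is one.
$saclAt = $old.IndexOf('S:')
$new = if ($saclAt -ge 0) { $old.Insert($saclAt, $ace) } else { $old + $ace }

"Current : $old"
"Proposed: $new"

if ($Apply) {
    # Keep the original descriptor so the change can be rolled back with sc.exe sdset.
    $backup = "$env:TEMP\$ServiceName-sddl-backup.txt"
    Set-Content -Path $backup -Value $old
    & sc.exe sdset $ServiceName $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed; original SDDL saved in $backup" }
    "Applied. Original SDDL saved in $backup"
}
```

Run it once without -Apply and compare the two lines; sc sdset replaces the whole descriptor, so the existing ACEs must all still be present in the proposed string.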


2. Using SubInACL.exe

There is a tool called SubInACL.exe from the Windows Resource Kit. Download the standalone utility here

- First, run a command prompt as an Administrator.
- Then type in: subinacl /service SERVICE_NAME /grant=COMPUTER_NAME\USERNAME=TOP

The letters after the final = are the rights being granted:
T = Start service
O = Stop service
P = Pause/continue service

e.g. subinacl /service Themes /grant=Workstation003\jblack=TOP

You can also type subinacl /help for the proper syntax.

3. My way: The easy way: (Recommended)

OK, so as I mentioned before, I found a really easy and simple-looking tool, which is GUI-based.
Head on over to http://www.coretechnologies.com/products/ServiceSecurityEditor to pick up your free copy.
It's so easy and logical I don't think it needs explaining, but if you have issues feel free to leave a comment.


Appreciation goes to abitgone from serverfault for this article that helped me with the hard way solution. You can find it here
