Permissions for single remote service restart

Sponsored Links

Is there any way I can give permissions to a single user to be able to
remote restart a service ? Or all services if a single one isn't possible. I
don't really want to make the user a local admin, since he only need to
restart that one service.

Is it safe to assume that the server operating system in question is Windows
2003 with SP1/2?

And to answer the question, yes it is for the Windows 2003 operating system.
It would require granting additional rights on SCMANAGER plus the service in
question. http://support.microsoft.com/kb/905809/en-us kinda gives you an
idea when it comes to Windows 2003/Exchange 2003 but can be adapted for any
service in question.

/neo

PS - Step 5/Method 1 is the area to clue in on.

[jambazz]

I'm sorry to revive an old thread, but I cannot get this to work with the given recipe. I want to give a domain user or a domain group access to remote start/stop a service, without having elevated rights on the server.
The recipe here wants you to use PSGETSID to get the SID of the user/group in question, and then use SC SDSET SCMANAGER to edit the permission of SCMANAGER service and then again on the service in question.

But SC SDSET takes an SDDL string, not an SID.

Maybe someone can help me make this work, or provide a better solution?

[Solomon]

Hi jambazz,

What happens if you first establish a network session with the remote server (using net use \\... /user:....) and after that, try to stop/start a service remotely using the services applet? Note that you should delete the network session before you try again usin LogonUser/Impersonate, else you will use the established session to access the remote resource instead of the access token obtained (or not) by LogonUser.

[jambazz]

Hi Solomon, then I can start the service remotely successfully. But this requires the use of a password, which I prefer to avoid :o)

[Steve_j]

there's really 2 steps. this article covers the first.
http://support.microsoft.com/kb/907460
really what needs to be done here is this:
---------------------------------------------
To resolve this issue, use version 5.2.3790.1830 of the Sc.exe tool. This tool is located in the %windir%\System32 folder. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command at the command prompt, and then press ENTER:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
---------------------------------------------
this sets the scmanager to allow access for non administrators. even though the article says W2k3 you need to do this for 2008 as well.

next step is granting access to the service itself using suninacl.exe (in the resource kit I think)

subinacl.exe /verbose /service "service name you want to grant" /grant="domain\groupname"=LQSTOP


the subinacl really makes it much easier than using the sc.exe commands and using the SDDL stirngs & sid's.