Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

What access is needed to restart a service? 1

Status
Not open for further replies.

addus5

Technical User
Jun 20, 2003
112
US
What type of access is needed to stop/start/restart a service on Windows 2000 Server? Do you need administrative access? What executable performs the actual stop/start/restart?
 
Usually either and administrative, system account or an account that has the logon as service right can restart a service as far as I know. Hope this helps.
 
The reason I ask is that there are application support personel within my organization that need access to restart services but administrative access is too much. Also there is a need to grant service accounts access to do the same through some scripts but there are several people that need to know the password to the account making it a security problem to grant administrative access to the account.

Is there another group besides administrators that allows you to do this?

Can anyone else confirm if the logon as a service right allows you to start/stop/restart services? I will try and test this.
 
I tested adding a user to logon as a service right but this did not grant the access. Does anyone know of a way to grant this access without giving administrative access?
 
Also grant this user account "Act as part of the operating system" log him off and back on again and try again. Hope this helps.
 
Nope adding the user to the "Act as part of the operating system" didnt work either.....

Anyone else have any ideas?

I would like to try and keep it simple. Someone ive talked to suggested editing permissions on the specific services. That seems granular and could turn into an administrative nightmare. Has anyone else done this?

Permissions on a service:

SC is a resource kit utility for Windows 2000, and is included in Windows 2003. sdshow shows the permissions, and sdset sets permissions. I did not look at how, or whether is was even possible, to make changes to individual ACEs.

sc \\. sdshow wmi

D:(A;OICI;CCLCSWLORC;;;WD)(A;OICI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;OICI;CCDCLCSWLORC;;;PU)(A;OICI;CCLCSWRPLO;;;IU)(A;OICI;CCLCSWRPLO;;;BU)
 
As far as I remember write_dac permission is required to change discretionary access control lists. I guess subinacl can do something if you as administrator would grant someone the rights to use it. And surely 3rd-party tools like Security Explorer from Scriptlogic allow to change service and service account permissions. The last tool would be the shortest way to change these permissions I guess. Especially if you want to permit others who confuse to use command line tools and scripting manage service permissions.
 
You can give permissions to start/stop/pause a service to users (non administrators) using SECURITY TEMPLATES.

You have to do one of the following:

1. If the computer belongs to a domain, you can draft a group policy for that computer(s) with the required settings. The settings can be found under:

Computer Configuration > Windows Settings > Security Settings > System Services

(or)

2. If the computer belongs to a WORKGROUP, you can create and apply a security template, with the required permissions. Here are the links:

Create a new security template:

Apply the created security template:

(or)

3. If the computer belongs to a domain, you can create security template as mentioned in step 2, import the template to a group policy and finally apply the group policy to the computer:


I suggest you test this before you implement.

Hope this will be helpful.

-Keshav
 
Keshav,

Thanks! That looks like a good solution. I gave you a star for that one.

Is it effective to use this solution for applying granular permisions. Say creating multiple security templates just for the purpose of granting service access for users. It looks like this is the only good way to do it. Is it a bad thing to have a different security template for every server? I would like to do this at the domain level. Isnt there a group policy tool that makes it easier to modify GP?

-addus
 
I am not sure whether I have understood your query completely. But I try to answer.

If you have your computers/servers in a domain, I suggest you use group policy to give access to users. There are lot ways you can design this. An example is,

1. Put all your computers/servers in an OU.
2. Create a group policy with the required settings, which will apply to that OU only.

You can use GPMC tool to edit/apply group policy. More details available at:


But be sure to check the system requirements to run GPMC. It won't run on Windows 2000 boxes. It requires Windows Server 2003 or Windows XP, but Windows 2000 domain is enough.

Other way of applying a Group Policy to a specific set of users/computers in the domain (if you don't want to create OUs) will be by using "Security Filtering":


This way you can create the Group Policies at domain level but they will apply on specific computers/users only.

Hope this will be useful.

-Keshav
 
you can delegate authority to a power user and they should be able to access the mmc
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top