How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server?

windows permissions group-policy security windows-service
183,795

Solution 1

There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.

I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.

To append to the service's existing security descriptor, use sc sdshow "Service Name" to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA
;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

We needed to grant permissions RP (to start the service), WP (to stop the service), DT (to pause/continue the service) and LO (to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.

Using runas to open a command prompt under the service account, I ran whoami /all which gave me the SID of the service account, and then constructed the additional SDDL below:

(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)

This then gets added to the D: section of the SDDL string above:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP
DTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)

This is then applied to the service using the sc sdset command (before the S: text):

sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU
)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD)

If all goes according to plan, the service can then be started, stopped, paused and have it's status queried by the user defined by the SID above.

Solution 2

I just had the same problem.
You could use SubInACL.exe from the Resource Kit. Download the standalone utility here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510

Use msiexec /a PathToMSIFile /qb TARGETDIR=DirectoryToExtractTo to extract the files if you don't want to install the .msi

  1. Open a command prompt as Administrator
  2. Go to the directory where you placed the .exe
  3. Run subinacl /service SERVICE_NAME /grant=COMPUTER_NAME\USERNAME=TOP

T = Start service
O = Stop service
P = Pause/continue service

Full reference: How to grant users rights to manage services in Windows 2000
or type subinacl /help

Note: don't try subinacl /service SERVICE_NAME /perm as it could get you into trouble (lesson learned :P). The name could be misleading (perm != permission), as it deletes all permissions to all users (even Admin!).

Solution 3

You're looking for Computer Configuration - Policies - Windows Settings - Security Settings - System Services

There you can not only define the service start type, but you can configure the security ACLs for each service as well. By default, the interface will only list the services that are installed on the machine you're running the GP Editor on.

To add services that only exist on another machine:

  • export the service's reg key from the other machine
  • import on the gpedit machine
  • apply the policy
  • delete the imported key

Solution 4

I used SubinAcl (as suggested by patrx) to be able to start MySQL as a regular domain user (not admin) and it works perfectly! (the command needs however to be executed as a -local at least- Admin)

The command is:

[PATH_TO_SUBACL]\subinacl.exe /service MySQL /grant=[Domain User - Without domain]=TOP

Just note that I entered the user without prefixing it with the domain ... otherwise command fails on parsing command!

Share:
183,795

Related videos on Youtube

abitgone
Author by

abitgone

Geek. Dad. Coder.

Updated on September 17, 2022

Comments

  • abitgone
    abitgone almost 2 years

    We have a suite of Windows Services running on our servers which perform a bunch of automated tasks independently of one another, with the exception of one service which looks after the other services.

    In the event that one of the services should fail to respond or hang, this service attempts to restart the service and, if an exception is thrown during the attempt, emails the support team instead, so that they can restart the service themselves.

    Having done a little research, I've come across a few 'solutions' which range from the workaround mentioned in KB907460 to giving the account under which the service is running administrator rights.

    I'm not comfortable with either of these methods - I don't understand the consequences of the first method as outlined in Microsoft's knowledge base article, but I definitely don't want to give administrator access to the account under which the service is running.

    I've taken a quick look through the Local Security Policy and other than the policy which defines whether or not an account can log on as a service, I can't see anything else which looks like it refers to services.

    We're running this on Server 2003 and Server 2008, so any ideas or pointers would be graciously received!

    Clarification: I don't want to grant the ability to start/stop/restart ALL services to a given user or group - I want to be able to grant the permission to do so on specific services only, to a given user or group.

    Further Clarification: The servers I need to grant these permissions on do not belong to a domain - they are two internet-facing servers which receive files, process them and send them on to third parties, as well as serving a couple of websites, so Active Directory Group Policy isn't possible. Sorry that I didn't make this clearer.

    • Admin
      Admin over 13 years
      you might also take a look at this article from ms, which also points to GP modifications: support.microsoft.com/kb/256345
    • Tim Long
      Tim Long about 11 years
      I know this is a very old question, but did you consider using the 'recovery' options in the Windows service manager?
  • abitgone
    abitgone over 13 years
    I trust you mean to do this through gpedit.msc, as the "Manage Server" window doesn't list a policies node. If so, I can't see an item underneath the Security Settings node which references "System Services" as you suggest above, on either Server 2008 or Server 2003.
  • Ryan Bolger
    Ryan Bolger over 13 years
    Ah yes. I assumed you were planning on making these changes via group policy.
  • abitgone
    abitgone over 13 years
    Indeed - these are not member servers. Is there a way of targeting this using local policy, or some other method?
  • Mason G. Zhwiti
    Mason G. Zhwiti almost 13 years
    For an easier way of doing the same thing, you should look at using SetACL.exe. Here is an example of how to use it to set permissions on a service: SetACL.exe -on "\\server1\W32Time" -ot srv -actn ace -ace "n:domain1\group1;p:start_stop"
  • Chopper3
    Chopper3 almost 13 years
    Can't merge SO and SF accounts sorry Pat.
  • patrx
    patrx almost 13 years
    @Chopper3 Thanks for your response. In fact I have 2 SO accounts: one is registered and associated with this SF account; the other one is an unregistered SO account I had before registering (used the same email address). I was hoping the two could be merged so I can track the post I've done before. As mentioned here I tried to flag a post but couldn't do it on SO (1 reputation). This is why I flagged this post. I also tried to email [email protected] more than two weeks ago but didn't get any response. Could you direct me to the right place/person please?
  • Marc Climent
    Marc Climent about 12 years
    Checkout the details of this procedure at MSDN: support.microsoft.com/?kbid=288129
  • ygoe
    ygoe about 11 years
    You could use Process Hacker (processhacker.sourceforge.net) for a GUI to configure all services. It includes hidden services and allows you to configure more settings of a service like the binary path - and the permissions.
  • MikeKulls
    MikeKulls over 8 years
    The CoreTech gui worked for me. Hard to believe that GUI doesn't exist in windows already. Reading the answers here how can it possibly be this hard? Big failing on Microsoft's behalf.
  • Baodad
    Baodad almost 6 years
    I like to add CCLCSW to the SDDL permissions (in addition to RPWPDTLO) so I can also see the service listed when I run Get-Service (which first requires modifying the SDDL for the scmanager service control manager service to be able to list accessible services). I also needed SW to be able to restart certain services.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to have downloads be automatically unblocked?
Adding ALL RESTRICTED APPLICATION PACKAGES to folder permissions
Can't edit Local Security Policy
NTFS: prevent/deny directory delete in a otherwise "personal" folder
Is there anyway to remove denied permissions from a group for a folder if I dont have access?
Allow one Windows user to only execute 2 applications
Group Policy Editor restricting my administrator account?
How to access files over a network using local accounts?
Windows Services - Common Ports to Open in Firewall
What are the minimal permissions for WMI access to processes CommandLine?