How to give rights to one user for the restart of a service
Solution 1
You can use the sc command to set permissions on a specific service.
The format is a little difficult to understand, but first you will need to find the user or group's SID to use the command (something like "S-1-5-21-....").
sc \\myserver sdset spooler D:(A;;RPWP;;;place-sid-here)
A couple notes on that command:
- RP Allows service start
- WP Allows service stop
Replace myserver with your server's name and spooler with the service you want to edit.
More information is available at the following locations:
http://technet.microsoft.com/en-us/library/cc742037(WS.10).aspx
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx
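Because `sc sdset` replaces the service's whole security descriptor, the new ACE is normally merged into the SDDL that `sc sdshow` returns rather than set on its own. The PowerShell below is an added example, not part of the original answer; the function names, the sample SDDL and the SID are constructed for illustration.

```powershell
# Added example: merge one allow ACE into a service DACL instead of replacing the DACL.
function Add-ServiceAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,   # as printed by: sc.exe \\server sdshow service
        [Parameter(Mandatory)][string]$Sid,    # SID of the user or group
        [string]$Rights = 'RPWP'               # RP = start, WP = stop (as in the answer above)
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$')   { throw "Not a SID string: $Sid" }
    if ($Rights -cnotmatch '^([A-Z]{2})+$')  { throw "Not an SDDL rights string: $Rights" }
    $Sddl = $Sddl.Trim()
    $dacl = $Sddl.IndexOf('D:')
    if ($dacl -lt 0) { throw 'No DACL (D:) section found; refusing to build a new one.' }
    $ace = "(A;;$Rights;;;$Sid)"
    if ($Sddl.Contains($ace)) { return $Sddl }           # already granted, nothing to do
    # The SACL (S:), if present, follows the DACL; the new ACE must land before it.
    $sacl = $Sddl.IndexOf('S:', $dacl)
    if ($sacl -lt 0) { return $Sddl + $ace }
    return $Sddl.Insert($sacl, $ace)
}

# Hypothetical wrapper: read the current descriptor, merge the ACE, write it back.
function Grant-ServiceRestart {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. \\myserver
        [Parameter(Mandatory)][string]$Service,  # e.g. spooler
        [Parameter(Mandatory)][string]$Sid
    )
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $current = (sc.exe $Server sdshow $Service | Where-Object { $_.Trim() }) -join ''
    if ($LASTEXITCODE -ne 0) { throw "sdshow failed: $current" }
    $new = Add-ServiceAce -Sddl $current -Sid $Sid
    Write-Host "old: $current`nnew: $new"        # keep the old value for rollback
    sc.exe $Server sdset $Service $new
}

# Constructed sample in the shape sdshow prints; not taken from a real host.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$sid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
Add-ServiceAce -Sddl $sample -Sid $sid   # new ACE appears after the BA entry, before S:

# Live use, with the names from the answer above:
# Grant-ServiceRestart -Server '\\myserver' -Service 'spooler' -Sid $sid
```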
Solution 2
Waiting for my VMs to spin up, but it looks like this should work (from reading this)
- Open group policy to Computer Configuration\Policies\Windows Settings\Security Settings\System Services
- Edit the service in question, enable "define policy setting" and then "edit security"
- Add the user and give them "read" and "start, stop, and pause" rights
I'll swing by after I've tried this out, but good question! I had no idea this had been added.
This might also work: Remotely restarting a service for a non-administrator user
Cédric Boivin
Updated on September 17, 2022
Comments
- Cédric Boivin (almost 2 years): Is there a way I can give the rights to a specific user to restart a specific service on Windows Server 2008?
- Spence (almost 14 years): Pretty much the same thing: serverfault.com/questions/15147/…
- Vadzim (almost 6 years): Possible duplicate of How do I give a domain user permission to start and stop a Tomcat service?
- Cédric Boivin (almost 14 years): When I go to Configuration\Policies\Windows Settings\Security Settings there is no System Services :-(
- Doug Luxem (almost 14 years): Hmm...maybe an R2/Win7 feature of Group Policy? Unfortunately, I don't have a way to test downlevel but mine matches @Kara.
- Kara Marfia (almost 14 years): That's very odd! You're on the domain controller, and it's 2008 server?
- Cédric Boivin (almost 14 years): No, I am not on the domain controller; I am on the server directly, because it's a custom service, installed only on this machine.
- Will (almost 14 years): Additionally you need to prefix the entries with D: as per my answer here. In your example, this would be: sc \\myserver sdset spooler D:(A;;RPWP;;;place-sid-here)
- Alexander Gonchiy (over 6 years): Doesn't work on Win2008 R2 - there is no "System Services" item.