The Problem
So we have this new library system and today I was asked to give some of the staff the ability to stop/start 2 particular windows services.
The first thing that came to mind was Im not giving them admin access. I also did not want them to have the ability to stop and start any windows service but only the ones I give them access to.
I found it wasn't as simple and straight forward as I thought it would be but luckily for me I found a gem of a free tool.
Solutions
I will show you 3 ways of doing this with the 3rd being the easiest and gui based
1. Using security descriptors
You do this by using the SC command via the cmd command prompt
SC sdshow - displays the security descriptors for a specific service
where as
SC sdset - Changes/modifies it
For an easy to follow guide check out http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
2. Using SubInACL.exe
There is a tool called SubInACL.exe from the Windows Resource Kit. Download the standalone utility here
- First run a command prompt as an Administrator
- Then type in subinacl /service SERVICE_NAME /grant=COMPUTER_NAME\USERNAME=TOP
T = Start service
O = Stop service
P = Pause/continue service
e.g subinacl /service Themes /grant=Workstation003\jblack=TOP
You can also type subinacl /help for proper syntax
3. My way: The easy way: (Recommended)
Ok so as I mentioned before I found a really easy and simple looking tool,which is GUI based.
Head on over to http://www.coretechnologies.com/products/ServiceSecurityEditor to pick up your free copy.
Its so easy and logical I dont think it needs explaining but if you have issues feel free to leave a comment.
Appreciation goes to abitgone from serverfault for this article that helped me with the hard way solution. You can find it here
So we have this new library system and today I was asked to give some of the staff the ability to stop/start 2 particular windows services.
The first thing that came to mind was Im not giving them admin access. I also did not want them to have the ability to stop and start any windows service but only the ones I give them access to.
I found it wasn't as simple and straight forward as I thought it would be but luckily for me I found a gem of a free tool.
Solutions
I will show you 3 ways of doing this with the 3rd being the easiest and gui based
1. Using security descriptors
You do this by using the SC command via the cmd command prompt
SC sdshow - displays the security descriptors for a specific service
where as
SC sdset - Changes/modifies it
For an easy to follow guide check out http://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
2. Using SubInACL.exe
There is a tool called SubInACL.exe from the Windows Resource Kit. Download the standalone utility here
- First run a command prompt as an Administrator
- Then type in subinacl /service SERVICE_NAME /grant=COMPUTER_NAME\USERNAME=TOP
T = Start service
O = Stop service
P = Pause/continue service
e.g subinacl /service Themes /grant=Workstation003\jblack=TOP
You can also type subinacl /help for proper syntax
3. My way: The easy way: (Recommended)
Ok so as I mentioned before I found a really easy and simple looking tool,which is GUI based.
Head on over to http://www.coretechnologies.com/products/ServiceSecurityEditor to pick up your free copy.
Its so easy and logical I dont think it needs explaining but if you have issues feel free to leave a comment.
Appreciation goes to abitgone from serverfault for this article that helped me with the hard way solution. You can find it here
Popular
Tags
Videos
