How to grant users rights to manage services in Windows 2000

Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article has been archived. It is offered "as is" and will no longer be updated.
Summary
This article describes several methods for granting users the rights to manage services in Windows 2000.By default in Windows 2000, only Administrators and Power Users can start, stop, or pause services. This article describes techniques for granting these rights to other users and groups.

back to the top

Method 1: Grant rights using Group Policy

It is possible to give these rights to users by applying Group Policy. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
256345 Configuring Group Policies to set security for system services
The article gives detailed step-by step instructions. However, the article does not explicitly state that there are no corresponding settings in Local Group Policy.

back to the top

Method 2: Grant rights using Security templates

This method is very similar to Method 1, but it uses Security templates to change the permissions on system services. To do this, follow these steps:
  1. Click Start, click Run, and then type MMC.
  2. On the Console menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Select the Security Configuration and Analysis snap-in, and then click Add.
  5. Click Close, and then click OK.
  6. In the MMC, right-click the Security Configuration and Analysis item, and then click Open Database.
  7. Give a name for the database, and then browse to where you would like to store it.
  8. When prompted, select a Security Template to import. For example, the "basicwk.inf" contains values for the standard settings found on a Windows 2000 Professional computer.
  9. In the MMC, right-click the Security Configuration and Analysis item, and then click the Analyze Computer now option. Choose a location for the log file, when prompted.
  10. After analysis is complete, configure the service permissions as follows:
    1. Double-click the System Services branch in the MMC.
    2. Right-click the service that you want to change, and then click Security.
    3. Click Edit Security.
    4. Add user accounts as required, and configure the permissions for each account. By default, the user will be granted "Start, stop and pause" permissions.
  11. To apply the new settings to the local computer, simply right-click the Security Configuration and Analysis item, and then click the Configure Computer Now option.

It is also possible to export your modified settings from the MMC and apply these to multiple machines using the SECEDIT command-line tool that ships with Windows 2000. For more information on using SECEDIT type the following at the command prompt:
secedit /?
NOTE: Applying the settings in this way will re-apply all of the settings in the template and so may override other file, registry, or service permissions set by other means.

back to the top

Method 3: Grant rights using Subinacl.exe

The final method for assigning rights to manage services is to use the Subinacl.exe utility from the Windows 2000 Resource Kit. The syntax for this is:
SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

Notes

  • The user executing this command must have administrator rights in order for it to complete successfully.
  • If "MachineName" is omitted, the local machine is assumed.
  • If "DomainName" is omitted, the local machine is searched for the account.
  • Although the syntax example indicates a user name, this will work for user groups as well.
  • The values that 'Access' can take are:
       F : Full Control   R : Generic Read   W : Generic Write   X : Generic eXecute   L : Read controL   Q : Query Service Configuration   S : Query Service Status   E : Enumerate Dependent Services   C : Service Change Configuration   T : Start Service   O : Stop Service   P : Pause/Continue Service   I : Interrogate Service    U : Service User-Defined Control Commands					
  • If 'Access' is omitted then 'F (Full Control)' is assumed.
  • Subinacl supports similar functionality in relation to files, folders, and registry keys. Refer to the Windows 2000 Resource Kit for more information.
  • The service name should be the "short name," as used for the service-specific key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName>
    If the service name contains spaces, the whole parameter should be enclosed in quotation marks. For example:
    "\\MachineName\Service Name With Spaces"

Automating Multiple Changes

With Subinacl there is no option you can specify that will set the required access for all services on a given computer. However, the following sample script demonstrates one way the above method could be extended to automate the task:
   strDomain   = Wscript.Arguments.Item(0)'domain where computer account is held   strComputer = Wscript.Arguments.Item(1)'computer netbios name   strSecPrinc = Wscript.Arguments.Item(2)'user's login name as in: DomainName\UserName   strAccess   = Wscript.Arguments.Item(3)'access granted, as per the list in the KB    'bind to the specified computer   set objTarget = GetObject("WinNT://" & strDomain & "/" & strComputer & ",computer")   'create a shell object.  Needed to call subinacl later   set objCMD = CreateObject("Wscript.Shell")   'retrieve a list of services   objTarget.filter = Array("Service")   For each Service in objTarget    'call subinacl to se the permissions   command = "subinacl /service " & Service.name & " /grant=" & strSecPrinc & "=" & strAccess   objCMD.Run command, 0   'report the services that have been changed   Wscript.Echo "User rights changed for " & Service.name & " service"   next				

Notes

  • The script should be saved as a .vbs file, such as "Services.vbs," and called like this:
       CSCRIPT Services.vbs DomainName ComputerName UserName Access					
  • Comment out or remove the line 'Wscript.Echo ...' if no feedback is required.
  • This sample does no error checking so should be used carefully.
  • The Windows 2000 Resource Kit documentation mentions another utility (svcacls.exe) that performs the same service management rights manipulation as Subinacl. This is a documentation error.
back to the top
References
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
269875 SVCACLS.EXE is not included with the Windows 2000 resource kits
back to the top
Properties

Article ID: 288129 - Last Review: 12/06/2015 00:24:31 - Revision: 5.0

  • kbnosurvey kbarchive kbenv kbhowtomaster KB288129
Feedback