How to grant users rights to manage services in Windows Server 2003
This article was previously published under Q325349
For a Microsoft Windows 2000 version of this article, see 288129.
This article describes how to grant users the authority to manage system services in Windows Server 2003.
By default, only members of the Administrators group can start, stop, pause, resume or restart a service. This article describes methods that you can use to grant the appropriate rights to users to manage services.
Method 1: Use Group Policy
You can use Group Policy to change permissions on system services. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
324802 HOW TO: Configure Group Policies to Set Security for System Services in Windows Server 2003
Method 2: Use Security Templates
To use security templates to change permissions on system services, create a security template. To do this, follow these steps:
- Click Start, click Run, type mmc in the Open box, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add, click Security Configuration and Analysis, click Add, click Close, and then click OK.
- In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
- Specify a name and location for the database, and then click Open.
- In the Import Template dialog box that appears, click the security template that you want to import, and then click Open.
- In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
- In the Perform Analysis dialog box that appears, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK.
- After the analysis is complete, configure the service permissions as follows:
  - In the console tree, click System Services.
  - In the right pane, double-click the service whose permissions you want to change.
  - Click to select the Define this policy in the database check box, and then click Edit Security.
  - To configure permissions for a new user or group, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, and then click OK.
  - In the Permissions for User or Group list, configure the permissions that you want for the user or group. Note that when you add a new user or group, the Allow check box next to the Start, stop and pause permission is selected by default. This setting permits the user or group to start, stop, and pause the service.
  - Click OK two times.
- To apply the new security settings to the local computer, right-click Security Configuration and Analysis, and then click Configure Computer Now.
Method 3: Use Subinacl.exe
The final method for assigning rights to manage services involves the use of the Subinacl.exe utility from the Windows 2000 Resource Kit. The syntax for this is as follows:
SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]
- The user who runs this command must have administrator rights for it to complete successfully.
- If MachineName is omitted, the local machine is assumed.
- If DomainName is omitted, the local machine is searched for the account.
- Although the syntax example indicates a user name, this will work for user groups too.
- The values that Access can take are as follows:
  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands
- If Access is omitted, "F (Full Control)" is assumed.
- Subinacl supports similar functionality in relation to files, folders, and registry keys. See the Windows 2000 Resource Kit for more information.
Automating Multiple Changes
With Subinacl, there is no option that you can specify that will set the required access for all services on a particular computer. However, the following sample script demonstrates one way that Method 3 can be extended to automate the task:
strDomain = Wscript.Arguments.Item(0)   'domain where computer account is held
strComputer = Wscript.Arguments.Item(1) 'computer netbios name
strSecPrinc = Wscript.Arguments.Item(2) 'user's login name as in: DomainName\UserName
strAccess = Wscript.Arguments.Item(3)   'access granted, as per the list in the KB

'bind to the specified computer
set objTarget = GetObject("WinNT://" & strDomain & "/" & strComputer & ",computer")

'create a shell object. Needed to call subinacl later
set objCMD = CreateObject("Wscript.Shell")

'retrieve a list of services
objTarget.filter = Array("Service")

For each Service in objTarget
    'call subinacl to set the permissions; \\MachineName\ServiceName targets
    'the computer whose services were enumerated rather than the local machine
    command = "subinacl /service \\" & strComputer & "\" & Service.name & " /grant=" & strSecPrinc & "=" & strAccess
    objCMD.Run command, 0
    'report the services that have been changed
    Wscript.Echo "User rights changed for " & Service.name & " service"
next
- Save the script as a .vbs file, such as "Services.vbs," and call it as follows:
CSCRIPT Services.vbs DomainName ComputerName UserName Access
- Comment out or remove the line 'Wscript.Echo ...' if no feedback is required.
- This sample does no error checking; therefore, use it carefully.
- The Windows 2000 Resource Kit documentation mentions another utility (svcacls.exe) that performs the same service management rights manipulation as Subinacl. This is a documentation error.
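A variant of the sample script with the error checking that the sample omits, given here as an added example and not part of the original article. It assumes subinacl.exe is on the PATH and returns a non-zero exit code when a grant fails, and it requires an explicit Access value so that a grant never falls back to the Full Control default.

```vbscript
' Added example (not from the original article): Services.vbs with basic checks.
Option Explicit
Const ALLOWED = "FRWXLQSECTOPIU"   ' access letters listed in the article

Dim strDomain, strComputer, strSecPrinc, strAccess
Dim objTarget, objCMD, Service, command, rc, i, failures

If WScript.Arguments.Count <> 4 Then
    WScript.Echo "Usage: CSCRIPT Services.vbs DomainName ComputerName UserName Access"
    WScript.Quit 2
End If
strDomain = WScript.Arguments.Item(0)
strComputer = WScript.Arguments.Item(1)
strSecPrinc = WScript.Arguments.Item(2)
strAccess = UCase(WScript.Arguments.Item(3))

' Reject an empty or unknown access string; an omitted value means Full Control.
If Len(strAccess) = 0 Then
    WScript.Echo "Access must be given explicitly."
    WScript.Quit 2
End If
For i = 1 To Len(strAccess)
    If InStr(ALLOWED, Mid(strAccess, i, 1)) = 0 Then
        WScript.Echo "Unknown access letter: " & Mid(strAccess, i, 1)
        WScript.Quit 2
    End If
Next

' Bind to the target computer and stop if the bind fails.
On Error Resume Next
Set objTarget = GetObject("WinNT://" & strDomain & "/" & strComputer & ",computer")
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strComputer & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

Set objCMD = CreateObject("WScript.Shell")
objTarget.Filter = Array("Service")
failures = 0
For Each Service In objTarget
    command = "subinacl /service \\" & strComputer & "\" & Service.Name & _
              " /grant=" & strSecPrinc & "=" & strAccess
    rc = objCMD.Run(command, 0, True)   ' wait so the exit code is available
    If rc <> 0 Then
        failures = failures + 1
        WScript.Echo "FAILED (" & rc & "): " & Service.Name
    Else
        WScript.Echo "Granted " & strAccess & " on " & Service.Name
    End If
Next
If failures > 0 Then WScript.Quit 1
```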
Article ID: 325349 - Last Review: 04/06/2009 21:32:20 - Revision: 8.1
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition, Microsoft Windows Server 2003, 64-Bit Datacenter Edition, Microsoft Windows Server 2003, Enterprise x64 Edition, Microsoft Windows Small Business Server 2003 Premium Edition, Microsoft Windows Small Business Server 2003 Standard Edition