Recipe 10.24. Granting Permissions to Manage One or More Services


Problem

You want to grant a user the right to manage (stop and start) a particular service.

Solution

Using a command-line interface

The following command grants full control of a service to a user:

> subinacl /service \\<HostName>\<ServiceName> /grant=<User>

The following example grants full control of the Messenger service on system wks01 to the AMER\rallen user:

> subinacl /service \\wks01\Messenger /grant=AMER\rallen

Use this command to view the users that have been granted access to manage a particular service:

> subinacl /verbose=1 /service \\<HostName>\<ServiceName>

Here is an example:

> subinacl /verbose=1 /service \\wks01\Messenger

To revoke access to a service, use this command:

> subinacl /service \\<HostName>\<ServiceName> /revoke=<UserName>

This next command grants the AMER\rallen user control over all services on the system wks01 and saves the output to out.txt:

> for /f "tokens=2,*" %s in ( '"psservice.exe | findstr SERVICE_NAME"' ) do  subinacl /verbose=1 /service \\wks01\%s /grant=AMER\rallen >> out.txt

Be sure to download the latest version of subinacl from http://download.microsoft.com. Older versions work in unexpected ways. An alternative is the setacl command, which is similar in functionality to subinacl but has even more options. setacl is available under the GNU Public License from the following web site: http://setacl.sourceforge.net.


Using Group Policy

You can use Group Policy to control who can manage a service. You'll find a list of services in the following location within a Group Policy object:

\Computer Configuration\Windows Settings\System Services

In the right pane of the Group Policy Object Editor, double-click the service you want to configure. Check the box beside Define this policy setting, select the appropriate startup type, and click the Edit Security button. This will launch the ACL Editor from which you can select the users or groups that should have specific permissions on the service.

Discussion

The access control list (ACL) for a service is stored in the Registry under the service's Security key, such as HKLM\System\CurrentControlSet\Services\<ServiceName>\Security. If you misconfigure the permissions on a service or just want to start over, delete the service's Security key. It is recreated automatically with the default security.
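Full control on a service includes the rights to change its configuration and rewrite its ACL, so after granting access it is worth checking who ended up holding those rights. The following Python sketch is an added example, not part of the original recipe: it parses a service security descriptor in SDDL text form (the format printed by sc sdshow <ServiceName>) and reports non-administrative trustees that can reconfigure the service. The function names, the sample descriptors, and the SID standing in for AMER\rallen are constructed for illustration.

```python
import re

# Two-letter SDDL codes as they apply to service objects. Only these codes are
# handled; hex masks and generic rights (GA, GR, ...) are rejected, not guessed.
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Trustees expected to hold them: LocalSystem (SY), built-in Administrators (BA).
TRUSTED = {"SY", "BA"}

def parse_dacl(sddl):
    """Return [(trustee, set of right names)] for the allow ACEs in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # stops before the SACL (S:)
    if not m:
        raise ValueError("no DACL in descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A":  # deny and audit ACEs grant nothing
            continue
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in RIGHTS for c in codes):
            raise ValueError("unrecognised rights string: " + rights)
        aces.append((trustee, {RIGHTS[c] for c in codes}))
    return aces

def risky_grants(sddl):
    """Map each trustee outside TRUSTED to the DANGEROUS rights it holds."""
    return {t: sorted(r & DANGEROUS) for t, r in parse_dacl(sddl)
            if t not in TRUSTED and r & DANGEROUS}

# Constructed sample data: a typical default service DACL, a made-up user SID,
# one descriptor with a full-control ACE and one with start/stop/status only.
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_FULL = (BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + USER_SID + ")"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_LEAST = BASE + "(A;;LCRPWP;;;" + USER_SID + ")"
```

Calling risky_grants(SAMPLE_FULL) lists the user SID with CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, while risky_grants(SAMPLE_LEAST) returns an empty result.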

See Also

For more on service permissions, visit http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sys_srv_permissions.asp.



Windows XP Cookbook
Windows XP Cookbook (Cookbooks)
ISBN: 0596007256
EAN: 2147483647
Year: 2006
Pages: 408