ProblemYou want to grant a user the right to manage (stop and start) a particular service. SolutionUsing a command-line interfaceThe following command grants full control of a service to a user: > subinacl /service \\<HostName>\<ServiceName> /grant=<User> The following example grants full control of the Messenger service on system wks01 to the AMER\rallen user: > subinacl /service \\wks01\Messenger /grant=AMER\rallen Use this command to view the users that have been granted access to manage a particular service: > subinacl /verbose=1 /service \\<HostName>\<ServiceName> Here is an example: > subinacl /verbose=1 /service \\wks01\Messenger To revoke access to a service, use this command: > subinacl /service \\<HostName>\<ServiceName> /revoke=<UserName> This next command grants the AMER\rallen user control over all services on the system wks01 and saves the output to out.txt: > for /f "tokens=2,*" %s in ( '"psservice.exe | findstr SERVICE_NAME"' ) do subinacl /verbose=1 /service \\wks01\%s /grant=AMER\rallen >> out.txt
Using Group PolicyYou can use Group Policy to control who can manage a service. You'll find a list of services in the following location within a Group Policy object: \Computer Configuration\Windows Settings\System Services In the right pane of the Group Policy Object Editor, double-click the service you want to configure. Check the box beside Define this policy setting, select the appropriate startup type, and click the Edit Security button. This will launch the ACL Editor from which you can select the users or groups that should have specific permissions on the service. DiscussionThe access control list (ACL) for a service is stored in the Registry under the service's Security key, such as HKLM\System\CurrentControlSet\Services\<ServiceName>\Security. If you misconfigure the permissions on a service or just want to start over, delete the service's Security key. It will get automatically recreated with the default security. See AlsoFor more on service permissions, visit http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sys_srv_permissions.asp. |