Recipe7.13.Granting the Permission to Manage One or More Services

Previous page
Table of content
Next page

Recipe 7.13. Granting the Permission to Manage One or More Services

Problem

You want to grant a user the right to manage (stop and start) a particular service.

Solution

Using a graphical user interface

  1. Open the Group Policy Object Editor.

  2. Edit the Group Policy object that applies to the computer running the service you want to set security on.

  3. In the right pane, expand Computer Configuration Windows Settings

    In the left pane, double-click the service you want to configure.

  4. Check the box beside Define this policy setting.

  5. Select the service startup type.

  6. Click the Edit Security button.

  7. Use the ACL Editor to choose the target security principal and select the permission to apply.

  8. Click OK to close the ACL Editor.

  9. Click OK to close the setting properties page.

Using a command-line interface:

The following command grants full control of a service for a user:

> subinacl /service \\<ServerName>\<ServiceName> /grant=<User>

The following example grants full control of the Messenger service on server fs01 to the AMER\rallen user:

> subinacl /service \\fs01\Messenger /grant=AMER\rallen

Use this command to view the users who have been granted access to manage a particular service:

> subinacl /verbose=1 /service \\<ServerName>\<ServiceName>

Here is an example:

> subinacl /verbose=1 /service \\fs-rtp01\Messenger

To revoke access to a service, use this command:

> subinacl /service \\<ServerName>\<ServiceName> /revoke=<UserName>

This next command grants the AMER\rallen user control over all services on the server fs01 and saves the output to out.txt:

> for /f "tokens=2,*" %s in ( '"psservice.exe | findstr SERVICE_NAME"' ) do subinacl /verbose=1 /service \\fs01\%s /grant=AMER\rallen >> out.txt

Discussion

The access control list (ACL) for a service is stored in the Registry, under the service's Security keye.g., HKLM\System\CurrentControlSet\Services\<ServiceName>\Security. If you misconfigure the permissions on a service or just want to start over, delete the service's Security key.

Be sure to download the latest version of subinacl from http://download.microsoft.com/. Older versions work in unexpected ways. Another alternative you can also use is the setacl command, which is very similar in functionality to subinacl. setacl is available under the GNU Public License from the following web site: http://setacl.sourceforge.net/.


See Also

For more on service permissions, visit http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sys_srv_permissions.asp.


Previous page
Table of content
Next page
Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
BUY ON AMAZON
Introducing Microsoft Office InfoPath 2003 (Bpg-Other)
Image Processing with LabVIEW and IMAQ Vision
The CISSP and CAP Prep Guide: Platinum Edition
Network Security Architectures
DNS & BIND Cookbook
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy