Recipe 7.13. Granting the Permission to Manage One or More ServicesProblemYou want to grant a user the right to manage (stop and start) a particular service. SolutionUsing a graphical user interface
Using a command-line interface:The following command grants full control of a service for a user: > subinacl /service \\<ServerName>\<ServiceName> /grant=<User> The following example grants full control of the Messenger service on server fs01 to the AMER\rallen user: > subinacl /service \\fs01\Messenger /grant=AMER\rallen Use this command to view the users who have been granted access to manage a particular service: > subinacl /verbose=1 /service \\<ServerName>\<ServiceName> Here is an example: > subinacl /verbose=1 /service \\fs-rtp01\Messenger To revoke access to a service, use this command: > subinacl /service \\<ServerName>\<ServiceName> /revoke=<UserName> This next command grants the AMER\rallen user control over all services on the server fs01 and saves the output to out.txt: > for /f "tokens=2,*" %s in ( '"psservice.exe | findstr SERVICE_NAME"' ) do subinacl /verbose=1 /service \\fs01\%s /grant=AMER\rallen >> out.txt DiscussionThe access control list (ACL) for a service is stored in the Registry, under the service's Security keye.g., HKLM\System\CurrentControlSet\Services\<ServiceName>\Security. If you misconfigure the permissions on a service or just want to start over, delete the service's Security key.
See AlsoFor more on service permissions, visit http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sys_srv_permissions.asp. |