We have a suite of Windows Services running on our servers which perform a bunch of automated tasks independently of one another, with the exception of one service which looks after the other services.
In the event that one of the services should fail to respond or hang, this service attempts to restart the service and, if an exception is thrown during the attempt, emails the support team instead, so that they can restart the service themselves.
Having done a little research, I've come across a few 'solutions' which range from the workaround mentioned in KB907460 to giving the account under which the service is running administrator rights.
I'm not comfortable with either of these methods - I don't understand the consequences of the first method as outlined in Microsoft's knowledge base article, but I definitely don't want to give administrator access to the account under which the service is running.
I've taken a quick look through the Local Security Policy and other than the policy which defines whether or not an account can log on as a service, I can't see anything else which looks like it refers to services.
We're running this on Server 2003 and Server 2008, so any ideas or pointers would be graciously received!
Clarification: I don't want to grant the ability to start/stop/restart ALL services to a given user or group - I want to be able to grant the permission to do so on specific services only, to a given user or group.
Further Clarification: The servers I need to grant these permissions on do not belong to a domain - they are two internet-facing servers which receive files, process them and send them on to third parties, as well as serving a couple of websites, so Active Directory Group Policy isn't possible. Sorry that I didn't make this clearer.
There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.
I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.
To append to the service's existing security descriptor, use
sc sdshow "Service Name"to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:We needed to grant permissions
RP(to start the service),WP(to stop the service),DT(to pause/continue the service) andLO(to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.Using
runasto open a command prompt under the service account, I ranwhoami /allwhich gave me the SID of the service account, and then constructed the additional SDDL below:This then gets added to the D: section of the SDDL string above:
This is then applied to the service using the
sc sdsetcommand (before theS:text):If all goes according to plan, the service can then be started, stopped, paused and have it's status queried by the user defined by the SID above.
I just had the same problem.
You could use SubInACL.exe from the Resource Kit. Download the standalone utility here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510
Use
msiexec /a PathToMSIFile /qb TARGETDIR=DirectoryToExtractToto extract the files if you don't want to install the .msisubinacl /service SERVICE_NAME /grant=COMPUTER_NAME\USERNAME=TOPT = Start service
O = Stop service
P = Pause/continue service
Full reference: How to grant users rights to manage services in Windows 2000
or type
subinacl /helpNote: don't try
subinacl /service SERVICE_NAME /permas it could get you into trouble (lesson learned :P). The name could be misleading (perm != permission), as it deletes all permissions to all users (even Admin!).You're looking for Computer Configuration - Policies - Windows Settings - Security Settings - System Services
There you can not only define the service start type, but you can configure the security ACLs for each service as well. By default, the interface will only list the services that are installed on the machine you're running the GP Editor on.
To add services that only exist on another machine:
I used SubinAcl (as suggested by patrx) to be able to start MySQL as a regular domain user (not admin) and it works perfectly! (the command needs however to be executed as a -local at least- Admin)
The command is:
Just note that I entered the user without prefixing it with the domain ... otherwise command fails on parsing command!
I'd like to recommend 3 options as solutions.
I know this is an old question, but the challenge posed in the question remains (even on later versions of Windows). And some of the answers offered are old and some no longer work (or tools offered no longer exist).
First, MikeKullis above commented above about "the CoreTech gui", but I don't see any other answer or comment that elaborates on what he meant by that. It's called Security Service Editor, and it's free. The company (CoreTech) makes several tools to help with Windows admin tasks.
I realize some folks will be leery of or balk at installing any tool, but really for the specific task of easily indicating that a given user should have permission to start/stop a specific service, it is the easiest solution. In just a couple of clicks one is presented a UI that looks like the traditional Windows file permissions editor, but it's for controlling service permissions (for a specific service, for a specific user--and offering the same UI to "add" a user, use the "find" feature to see a list of users on the machine, etc.)
Second, as for a more "built-in" solutions instead, one can add "Security Templates" to mmc, and do the same. It's a bit more fiddly, but not nearly as some other cli solutions. See a discussion of using it (and many other options, including some also mentioned on answers and comments here) in various posts such as this.
Third and finally, if someone might prefer at least to use an "MS" tool, note how that blog post (and others) discuss using the Sysinternals tool Process Explorer, which can also offer that easy permissions UI to control start/stop permissions for a given service by a given user. One modest negative is that the service has to be running (as you then use ProcExp to find the process for that service, and use a properties feature to get to a "services" tab it then offers). For some, that may beat either of the two options above.
But like Mike above, I favor the CoreTech SSE tool. It's free, simple, and has proven safe and effective in my using it on several dozen workstations and servers.
Hope the above may help others who find this question.