I'd like to be able to allow the development team to install services on a Win2003 server. They can already connect via RDP/FTP with limited accounts but I'd like to be able to grant installation privileges.
How do I do that without granting admin rights?
(The services are created using the .NET framework so we're installing with C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe)
I think the bigger problem is letting the dev team access a server they don't administer. Rather than trying to grant the rights to the users (SC_MANAGER_CREATE_SERVICE), think really hard about giving them their own box, even just a VM to test on. Once they say it's ready, an actual admin should install the services into the production system.
Delegated permission to install services is going to be a little bit tough. There is a "SC_MANAGER_CREATE_SERVICE" right that can be granted to users on the service control manager (SCM) object in the global object manager.
In Windows versions up to Windows Server 2003, the rights could not be changed on the SCM. Starting in W2K3 SP1, you could change the rights on the SCM.
The API to change the security is SetServiceObjectSecurity, and more information is available here: http://msdn.microsoft.com/en-us/library/aa379589(VS.85).aspx
Some more reference re: the rights that can be granted to the SCM and the default DACL set on the SCM is available here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
In short, there's no way to do this w/o writing code. There's no magic registry setting, etc. If you can get somebody to write the code for you, though, it's totally feasible.
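An added example (not part of the answer above and not Microsoft's code): a Python audit of a service control manager security descriptor in SDDL form, listing which trustees hold SC_MANAGER_CREATE_SERVICE or could rewrite the DACL to grant it. The SDDL string and the delegated group SID in it are constructed sample values, and the function names are this example's own.

```python
import re

SC_MANAGER_CREATE_SERVICE = 0x0002
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000

# SDDL two-letter rights -> access-mask bits; generic rights use the SCM's
# documented generic mapping (GENERIC_ALL -> SC_MANAGER_ALL_ACCESS, and so on).
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F, "GA": 0xF003F, "GW": 0x20022, "GR": 0x20014, "GX": 0x20009,
}

def parse_mask(rights):
    """Turn an SDDL rights field ('CCDCLC' or '0x20007') into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2 or any(rights[i:i + 2] not in SDDL_RIGHTS
                              for i in range(0, len(rights), 2)):
        raise ValueError("unrecognised SDDL rights: %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def who_can_create_services(sddl):
    """Map trustee -> reasons, from the allow ACEs of the DACL only.
    Deny ACEs and the SACL are not evaluated."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":
            continue
        mask = parse_mask(rights)
        if mask & SC_MANAGER_CREATE_SERVICE:
            findings.setdefault(trustee, []).append("SC_MANAGER_CREATE_SERVICE")
        if mask & (WRITE_DAC | WRITE_OWNER):
            findings.setdefault(trustee, []).append("can rewrite the DACL")
    return findings

# Constructed sample: built-in trustees plus one hypothetical delegated group SID.
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
               "(A;;CCDCLCRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "S:(AU;FA;KA;;;WD)")

if __name__ == "__main__":
    for trustee, reasons in who_can_create_services(SAMPLE_SDDL).items():
        print(trustee, "->", ", ".join(reasons))
```

Any trustee reported here other than the built-in Administrators group (BA) is a delegation worth reviewing.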
http://support.microsoft.com/?kbid=288129 has some info on managing services, but I don't think this can be extended to include creating arbitrary services without some major security changes on your server.
If you create a service or services then grant access as described in the knowledge base, your developers can stop the service and copy in new binaries, so they can develop/debug services even if you have to create them in the first place.
Personally I restrict our developers to a test server and grant them administrator access. The little darlings don't get access to my live servers without first convincing me their stuff is working!
JR