I'm trying to configure my Windows 2008 servers so that my developers can view their status without needing to log on to the box or be an admin. Unfortunately, the permissions set in Windows 2008 for remote non-admin users don't include the ability to enumerate or otherwise query services. This causes anything that contacts the SCM on the far end to fail (Win32_Service, sc.exe, services.msc etc).
How do I set up permissions so that they can at least list the services and see if they are running?
After some googling around today, I found this MSDN article. It seems to work so far, even though the security descriptor is for Windows Server 2003. I've found you can do
sc sdshow SCMANAGERto get the current value so when back in the office tomorrow I'll be comparing an contrasting to make sure I've not locked something out I shouldn't have :-)A quick and dirty solution would be PSList running every minute via scheduled task and dumping to a text file available via IIS.
This might be applicable: How to grant users rights to manage services in Windows 2000.
Read this article about security descriptor definition language (SDDL) in relation to Windows services security. Hope you'll find a combination of access control parameters which satisfy all your needs.
You can enable non administrators to use the SCM or any other MMC snap-in by editing Group Policies. Maybe this Microsoft KB entry will help you.
This won't be possible, because windows uses authorisation on nearly every interface, also connection through an MMC snap-in will require authorisation.