HPE Community
Windows Server 2003
1822441 Members
2554 Online
109642 Solutions
New Discussion юеВ

Permission to start/stop service

 
cool...
Frequent Advisor

тАО11-15-2010 06:49 AM

тАО11-15-2010 06:49 AM

Permission to start/stop service

I need to give permission for a normal local user for starting /stopping a particular service without giving him admin access or adding him to power user group .Is that possible ? Please guide me .

Note that server is in domain .
0 Kudos
8 REPLIES 8
Edgar Zapata
Esteemed Contributor

тАО11-15-2010 07:31 AM

тАО11-15-2010 07:31 AM

Re: Permission to start/stop service

Hello,

You can do that through GPO.
Computer Configuration - Windows Settings - Security Settings - System services -
once there, select the service you want to set permissions on. Add the AD account/group and set up which actions the given user is allowed to perform.

Hope this helps.


0 Kudos
cool...
Frequent Advisor

тАО11-15-2010 07:44 AM

тАО11-15-2010 07:44 AM

Re: Permission to start/stop service

I could not find system services option under security settings .And also not that here I have to give permission for local user not domain user /groups. Please help .
0 Kudos
Edgar Zapata
Esteemed Contributor

тАО11-15-2010 08:01 AM

тАО11-15-2010 08:01 AM

Re: Permission to start/stop service

Hi Suresh,

You are running gpedit.msc from the server?
That won't work.
You'll have to run gpmc.msc from either a Domain Controller or a server that has the snap-in installed.
Try running mmc and add the snap-in from the menu.

You can establish these kind of permissions for domain accounts or groups.
You can also add a domain account as member of a local group but not the other way around.

You can't add a local account as member of an either Domain Local or Global Active Directory Groups.

It just has to be a domain account that you will be adding to a Domain Group.
You can't add a local account from one computer as member of a local group from another computer.

This is only FYI:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/01085d64-64e3-48ac-b5e2-b5ec861a2e4e

http://technet.microsoft.com/en-us/library/dd277461.aspx

- Members of domain local groups can include only accounts (both user and computer accounts) and groups from the domain in which they are defined.

- Members of global groups can include only accounts and groups from the domain in which they are defined.
See below:
http://technet.microsoft.com/en-us/library/bb726978.aspx

Hope it helps.
0 Kudos
degruytere kris
New Member

тАО11-16-2010 01:09 AM

тАО11-16-2010 01:09 AM

Re: Permission to start/stop service

i would use setacl here

for instance

setacl -ot srv -on "$myservice" -actn ace -ace "n:Power Users;p:full" -silent

will give the local Power Users group (xp ) full control rights on the $service.

they can then stop and start this service in the services control panel

K
0 Kudos
cool...
Frequent Advisor

тАО11-16-2010 01:47 AM

тАО11-16-2010 01:47 AM

Re: Permission to start/stop service

Thanks Kris ,

I have some questions on this

Will it work on windows 2003 server ?

By default setacl command is not recognized as internal /external command ,so do we need to install any utility to use this command ?
0 Kudos
degruytere kris
New Member

тАО11-16-2010 03:49 AM

тАО11-16-2010 03:49 AM

Re: Permission to start/stop service

Hi

setacl can be found for instance here
http://sourceforge.net/projects/setacl/files/

it will work on any windows platform, you'll have to be local admin though, it changes access in the registry keys to allow people to stop and start services etc..
0 Kudos
Edgar Zapata
Esteemed Contributor

тАО11-16-2010 06:33 AM

тАО11-16-2010 06:33 AM

Re: Permission to start/stop service

Hi,

I followed Kris suggestion on the Themes sevice for testing:

F:\>setacl -on \\.\themes -ot srv
-actn ace -ace "n:ES318L-5641\root_usr;p:full"
INFO: Processing ACL of: <\\.\themes>

SetACL finished successfully.


I have been looking at some examples here:

http://forums13.itrc.hp.com/service/forums/postanswer.do?forumId=1&closedFlag=0&threadid=1456394

(I still can't figure out how come it works.
But I just found I still can stop/start services at one given computer regardless of whether or not I have granted permissions to the account with setacl).

Regards.
0 Kudos
cool...
Frequent Advisor

тАО11-26-2010 03:54 AM

тАО11-26-2010 03:54 AM

Re: Permission to start/stop service

Thanks for your information guys ,finally I added the user in power users group,as I am not suppost to install that acl utility .But I came to know many new things from your points .Thanks a lot
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.