Letting a User Start and Stop Services Without Granting the User Administrator Privileges

Services have ACLs like other objects do, so you can grant services specific start and stop permissions. Unfortunately, the Microsoft Management Console (MMC) Services snap-in doesn't expose service ACLs in the interface, but two other methods for editing service permissions are available.

With the first method, you create a security template via the MMC Security Templates snap-in and navigate to the System Services folder. Open the Service Properties page, select the Define this property check box, and click Edit Security, which opens the ACL for the service. Grant the consultant Start, stop and pause permission. Save the policy, and apply it by using the MMC Configuration and Analysis snap-in.

The other method is more direct but it requires that you use the command line. Using the /service parameter with the Subinacl command lets you grant permissions to a service. For example, to grant Randy in domain Acme Start, stop and pause permission for the Spooler service, open a command line and type

subinacl /service spooler /grant=acme\randy=top

Note that you must specify the service name of the service, not its display name. You can get a list of all services with their display names and actual names by typing the command sc query

You can download Subinacl from http://go.microsoft.com/fwlink/?LinkId=23418. When you execute the subinacl.msi file, it installs the Subinacl command and a Help file in the %programfiles%\Windows Resource Kits\Tools folder.

Comments

Debasish said…
Can u explain me about generations in Garbage Collector.(with real time example)
August 14, 2010 at 5:51 PM
Post a Comment

Popular posts from this blog

Solved Account lockout issue

Today I was working on an issue where an local user account getting locked out with the following event ID: Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 5/17/2008 Time: 6:45:00 PM User: NT AUTHORITY\SYSTEM Computer: XXXXXXXXXXXXXXX Description: Logon Failure: Reason: Unknown user name or bad password User Name: XXXXXXX Domain: XXXXXXXXXXXX Logon Type: 4 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: XxXXXXXXXXXXXX Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff and all the other events in this category identify different reasons for a logon failure. However, just knowing about a successful or failed logon attempt doesn’t fill in the ...
Read more

My Wintel Infrastructure Transitioning Experience

Although I have done many transitions on Intel and Windows Infrastructures in Domestic Market in India, this time I was a part of a very strong transitioning team to transition an International Infrastructure project. I was in AZ, USA in last November and stayed there for about a month for knowledge transfer and documentation of the current state of infrastructure and used a sequential process centric transitioning to enable customers to experience the benefit of off-shoring. The new model is going to be a global infrastructure support model and will have presence in Mexico, Romania, USA and India. That was really a nice experience! Meeting with new people, understanding their views, the different perceptions and ideas on life, profession and technologies was exciting me. Soon I came to know that it is not easy to work with people from different regions of the globe. To understand them, to understand their culture, the behavior, the accent, the professional approach of doing the work c...
Read more

Windows 2008 RDC / RDP: "Because of an error in data encryption, the session will end"

Yesterday I had an issue with a newly built Windows 2008 server. I was not able to RDP this server through my home internet connection. The server was on port redirection and it tries to bring the console but gave the following error: "Because of an error in data encryption, the session will end" After some research and google search I tried the following workaround and it worked!!!!!: I Went to: Show all Network Connections Local Area Connection -> Properties Pressed the Configure button (for the Chip) Advanced; and set the following disabled: Offload TCP LargeSend This was unexpected issue...
Read more