AD account for monitoring services across servers

Solution 1:

The account will need the following access on scmanager to remotely monitor all of a machine's services:

This is the string that would need to be injected into the current scmanager ACL: (A;;CCLCRPRC;;;<AccountSID>)

A: Allow
CC - SC_MANAGER_CONNECT - remotely connect
LC - SC_MANAGER_ENUMERATE_SERVICE - list all services
RP - SC_MANAGER_QUERY_LOCK_STATUS - interrogate the status of each
RC - STANDARD_RIGHTS_READ - read the permissions of scmanager and services

The ACL is stored at HKLM:\SYSTEM\CurrentControlset\Control\ServiceGroupOrder\Security

You will want to determine what the current ACL is on scmanager, and include the above string in the appropriate location -- which is somewhere in the middle, at the end of the Discretionary ACL and before the System ACL, like so:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Depending upon how you deploy it and what your system for automated deployment is, you may find it easier to leverage the sc.exe command. The "service" that you manage with sc.exe isn't really a service, it's the service control manager (scmanager):

sc.exe sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)(A;;CCLCRPRC;;;<SID goes Here>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"


This is technically excessive access, as it grants the account the permission to query the status and permissions of any service, not just a handful.
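To make the "append the ACE at the end of the DACL, before the SACL" step repeatable across many servers, here is an added Python example (not code from the answer above) that takes the scmanager SDDL string, inserts the monitoring ACE in the right place, and then checks that the account ends up with nothing beyond the four read-only rights the answer lists. The starting SDDL is the one quoted in the answer; the monitoring SID is a constructed placeholder. In practice you would feed it the output of `sc.exe sdshow scmanager` and hand the result to `sc.exe sdset scmanager "<sddl>"` as the answer shows.

```python
import re

# Two-letter SDDL access-right codes as they apply to the service control manager.
# CC/LC/RP/RC are the four the answer grants; the others are the remaining
# SC_MANAGER_* and standard rights so a grant can be classified as read-only or not.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}
READ_ONLY_RIGHTS = {"CC", "LC", "RP", "RC"}   # the monitoring account needs exactly these
MONITOR_RIGHTS = "CCLCRPRC"

# Current scmanager descriptor as quoted in the answer (the package SID is left masked as there).
CURRENT_SDDL = (
    "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
    "(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx)"
    "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)
# Constructed placeholder SID for the monitoring account; not a real domain SID.
MONITOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl):
    """Split an SDDL string into (prefix before 'D:', DACL body, SACL section incl. 'S:')."""
    d = sddl.index("D:")
    s = sddl.find("S:", d)          # SACL is optional
    if s == -1:
        return sddl[:d], sddl[d + 2:], ""
    return sddl[:d], sddl[d + 2:s], sddl[s:]


def parse_aces(body):
    """Return (ace_type, flags, rights, sid) for every ACE in a DACL or SACL body."""
    aces = []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("unexpected ACE: " + m.group(0))
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
        aces.append((ace_type, flags, rights, sid))
    return aces


def rights_codes(rights):
    """Split 'CCLCRPRC' into ['CC', 'LC', 'RP', 'RC']; a hex mask is returned as-is."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError("odd-length rights string: " + rights)
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def add_monitor_ace(sddl, account_sid, rights=MONITOR_RIGHTS):
    """Append an Allow ACE for account_sid at the end of the DACL, just before 'S:'.

    Idempotent: an identical ACE already present leaves the string unchanged; an
    existing ACE for the same SID with different rights raises so an admin looks at it.
    """
    prefix, dacl, sacl = split_sddl(sddl)
    for ace_type, _flags, existing, sid in parse_aces(dacl):
        if sid == account_sid:
            if ace_type == "A" and existing == rights:
                return sddl
            raise ValueError(f"{account_sid} already has an ACE ({ace_type};;{existing})")
    return f"{prefix}D:{dacl}(A;;{rights};;;{account_sid}){sacl}"


def granted_rights(sddl, account_sid):
    """Union of right codes from every Allow ACE for account_sid in the DACL."""
    _, dacl, _ = split_sddl(sddl)
    codes = set()
    for ace_type, _flags, rights, sid in parse_aces(dacl):
        if ace_type == "A" and sid == account_sid:
            codes.update(rights_codes(rights))
    return codes


def excess_rights(sddl, account_sid):
    """Rights beyond the read-only set; an empty set means the grant is the minimum described."""
    return granted_rights(sddl, account_sid) - READ_ONLY_RIGHTS


def describe_rights(rights):
    """Human-readable names for a rights string, e.g. for a change ticket or audit log."""
    return [SCM_RIGHTS.get(c, c) for c in rights_codes(rights)]


if __name__ == "__main__":
    new_sddl = add_monitor_ace(CURRENT_SDDL, MONITOR_SID)
    print('sc.exe sdset scmanager "%s"' % new_sddl)
    print("grants:", describe_rights(MONITOR_RIGHTS))
    print("excess rights:", excess_rights(new_sddl, MONITOR_SID) or "none")
```

Running the check against the descriptor after the change is what turns the answer's closing caveat into something measurable: the monitoring account should come back with an empty excess set, and any WP, DC, WD or WO that shows up there means the grant is broader than "query status and permissions".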