Win2008: SC SDSET - how to grant a specific local user rights to stop and start a specific local service?

Where is a useful reference for the sdset command?

I can read and read, and I have yet to find a straightforward list of steps to say:

Service: App
User: Joe

Grant Joe start/stop/restart to App

(Why can't it be that easy?)

Note: Getting sdset wrong can cause a service to disappear from Service Manager, and only be visible to root/system (invisible to administrators!). Getting this right is important.


Someone has explained it in all of its glory here:

http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

Essentially you can get the SID of the security principal using something like Sysinternals PSGETSID, and piece together the SDDL string that is to be used with sc sdset.

If you're concerned about it going sideways, you should export a backup copy of the registry key:

HKLM\SYSTEM\CurrentControlSet\services\<service>  
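The steps the answer above describes (resolve the principal to a SID, build the SDDL, back up the service's registry key, apply with sc sdset), carried out end to end as an added PowerShell example. This is not code from the answer or from the linked blog post; the service name 'App' and user 'Joe' are the placeholders from the question and are assumptions to replace. It parses the descriptor sc sdshow returns and appends one access-allowed ACE instead of splicing strings, so every existing ACE (in particular the Administrators one whose loss makes a service vanish from Service Manager) is kept. Run it from an elevated PowerShell on the server itself.

```powershell
# Added example, not the answer's or the blog's own code. Grants one local user
# start/stop (and therefore restart, which is stop + start) on one service.
# Assumed placeholders: service 'App', user 'Joe'. Requires an elevated shell.
param(
    [string]$ServiceName = 'App',                 # true service name, not the display name
    [string]$Account     = "$env:COMPUTERNAME\Joe"
)

$ErrorActionPreference = 'Stop'

# 'sc' is an alias for Set-Content in PowerShell; always call sc.exe explicitly.
$current = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }).Trim()
if (-not $current) { throw "No SDDL returned for service '$ServiceName' (wrong name?)" }

# Back up both the raw SDDL and the service's registry key before changing anything.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$current | Set-Content -Path "$env:TEMP\$ServiceName-$stamp.sddl.txt"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" `
    "$env:TEMP\$ServiceName-$stamp.reg" /y | Out-Null

# Resolve the account to a SID (the value PsGetSid would print).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Service-specific access mask for "can see, start and stop this service":
#   SERVICE_QUERY_CONFIG (CC) | SERVICE_QUERY_STATUS (LC) | SERVICE_ENUMERATE_DEPENDENTS (SW)
#   | SERVICE_START (RP) | SERVICE_STOP (WP) | SERVICE_INTERROGATE (LO)
#   | SERVICE_USER_DEFINED_CONTROL (CR) | READ_CONTROL (RC)
# Pause/continue (DT, 0x40) is deliberately left out; add it if Joe needs it.
$mask = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0010 -bor 0x0020 -bor 0x0080 -bor 0x0100 -bor 0x20000

# Parse the existing descriptor rather than splicing strings, so a malformed
# SDDL fails here instead of inside sc sdset.
$sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $current
if (-not $sd.DiscretionaryAcl) { throw "Service '$ServiceName' has no DACL in its SDDL; refusing to continue" }

# Do nothing if this SID already has an ACE; edit that one by hand instead.
$existing = @($sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and $_.SecurityIdentifier -eq $sid
})
if ($existing.Count -gt 0) {
    Write-Warning "$Account already has an ACE on $ServiceName; not changing it"
    return
}

# Append an access-allowed ACE. Explicit deny ACEs precede explicit allow ACEs in
# canonical order, so appending an allow ACE keeps the DACL canonical.
$ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $mask, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

# .NET writes object-specific masks as hex (e.g. 0x201bd); sc sdset accepts that form.
$new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "Old SDDL: $current"
Write-Host "New SDDL: $new"

# Apply, then read it back so the change is verified from the SCM itself.
sc.exe sdset $ServiceName $new | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc sdset failed (exit $LASTEXITCODE). Restore with: sc.exe sdset $ServiceName `"$current`""
}
sc.exe sdshow $ServiceName
```

If the result is wrong, the saved `.sddl.txt` holds the exact string to feed back to `sc.exe sdset`, and the `.reg` export restores the whole service key. Joe can then test with `sc.exe stop App` and `sc.exe start App` from his own (non-elevated) session.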

Not sure if you're still looking for help here. I haven't done this for a while. We got out of the practice of delegating service control and just make a few of our app owners local admins now.

You can use Subinacl to modify the service permissions:

subinacl /service SERVICE_NAME /grant=DOMAIN\GROUP=F

Use the true service name (usually no spaces), not the display name (usually has spaces)

The SC command only works for remote service control if it has FULL control of the service. All permissions that can be delegated are listed below.

  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands

There is also a one-time step to allow services to be controlled remotely if the server is 2003 SP1 or later: SP1 changed the default ACL on the service control manager. Remote use of services.msc does not work with the SP1 version of the ACL. Change the ACL back to allow remote service start/stop with the following command (it is wrapped here but should be entered as a single command):

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

More info about the 2003 SP1 ACL change and where that SDDL came from: http://support.microsoft.com/?id=907460

Hotfix if subinacl produces Error 1783: http://support.microsoft.com/kb/827209

You will probably need a different SCMANAGER SDDL for 2008 R1/R2 servers.
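The letter codes in the list above are subinacl's names for the service access rights; sc sdshow prints the same rights as SDDL two-letter codes (or a hex mask). The added PowerShell example below, which is not from either answer, decodes a service SDDL into per-principal rights so you can check what a subinacl /grant or sc sdset actually produced, and it flags the failure mode from the question: a DACL in which BUILTIN\Administrators no longer has full control. The default SDDL embedded in it is constructed (a typical 2008 service descriptor plus one made-up local-user SID) so the script runs offline; pass -ServiceName to decode a live service instead.

```powershell
# Added example, not code from the answers. Decodes a service SDDL's DACL into
# per-principal rights and warns if Administrators lack full control.
param(
    [string]$ServiceName,
    # Constructed sample: a typical Server 2008 service DACL plus an allow ACE for a
    # made-up local user SID (start/stop granted). Replace or pass -ServiceName.
    [string]$Sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                    '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
                    '(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1001)' +
                    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
)

if ($ServiceName) {
    # 'sc' is an alias for Set-Content; sc.exe is the real tool.
    $Sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }).Trim()
}

# Service-object rights (winsvc.h) plus the standard rights that matter for services.
# These map to the subinacl letters in the answer: Q=CC, C=DC, S=LC, E=SW, T=RP,
# O=WP, P=DT, I=LO, U=CR, L=RC. SCMANAGER uses a different mapping; do not decode
# the SCMANAGER object with this table.
$ServiceRights = [ordered]@{
    QueryConfig         = 0x00001   # CC
    ChangeConfig        = 0x00002   # DC
    QueryStatus         = 0x00004   # LC
    EnumerateDependents = 0x00008   # SW
    Start               = 0x00010   # RP
    Stop                = 0x00020   # WP
    PauseContinue       = 0x00040   # DT
    Interrogate         = 0x00080   # LO
    UserDefinedControl  = 0x00100   # CR
    Delete              = 0x10000   # SD
    ReadControl         = 0x20000   # RC
    WriteDac            = 0x40000   # WD
    WriteOwner          = 0x80000   # WO
}
$ServiceAllAccess = 0xF01FF          # SERVICE_ALL_ACCESS
$GenericBits      = 0xF0000000       # GA/GR/GW/GX, unmapped until the object is opened
$AdminsSid        = 'S-1-5-32-544'   # BUILTIN\Administrators (BA)

function ConvertFrom-ServiceSddl {
    param([string]$Sddl)
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        $granted = @($ServiceRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key })
        if (($ace.AccessMask -band $GenericBits) -ne 0) { $granted += 'GenericRights' }

        $allowed = $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed
        [pscustomobject]@{
            Type         = $ace.AceQualifier
            Principal    = $name
            Sid          = $sid.Value
            Mask         = ('0x{0:X}' -f $ace.AccessMask)
            CanStartStop = $allowed -and (($ace.AccessMask -band 0x30) -eq 0x30)
            FullControl  = $allowed -and (
                (($ace.AccessMask -band $ServiceAllAccess) -eq $ServiceAllAccess) -or
                (($ace.AccessMask -band 0x10000000) -ne 0))   # GENERIC_ALL
            Rights       = ($granted -join ',')
        }
    }
}

$aces = @(ConvertFrom-ServiceSddl -Sddl $Sddl)
$aces | Format-Table Type, Principal, Mask, CanStartStop, FullControl, Rights -AutoSize

# The question's failure mode: no full-control allow ACE for Administrators means
# admins can no longer open the service and it disappears from services.msc.
$adminFull = $aces | Where-Object { $_.Sid -eq $AdminsSid -and $_.FullControl }
if (-not $adminFull) {
    Write-Warning "BUILTIN\Administrators has no full-control ACE in this DACL; fix it before applying with sc sdset"
}
```

With the constructed default the table shows SYSTEM, Administrators (FullControl), Interactive and Service users with query-only rights, and the sample local user with CanStartStop set. Running it against a live service after a subinacl /grant=...=F call is a quick way to confirm that "F" really did grant SERVICE_ALL_ACCESS and that the Administrators ACE is still present.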