Win2008: SC SDSET - how to grant a specific local user rights to stop and start a specific local service?
Where is a useful reference for the sdset command?
I can read and read, and I have yet to find a straightforward list of steps to say:
Service: App
User: Joe
Grant Joe start/stop/restart to App
(Why can't it be that easy? )
Note: Getting sdset wrong can cause a service to disappear from Service Manager, and only be visible to root/system (invisible to administrators!). Getting this right is important.
Someone has explained it in all of its glory here:
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx
Essentially you can get the SID of the security principal using something like Sysinternals PSGETSID, and piece together the SDDL string that is to be used with sc sdset.
If you're concerned about it going sideways, you should export a backup copy of the registry key:
HKLM\SYSTEM\CurrentControlSet\services\<service>
Not sure if you're still looking for help here. I haven't done this for a while. We got out of the practice of delegating service control and just make a few of our app owners local admins now.
You can use Subinacl to modify the service permissions:
subinacl /service SERVICE_NAME /grant=DOMAIN\GROUP=F
Use the true service name (usually no spaces), not the display name (usually has spaces)
The SC command only works for remote service control if it has FULL control of the service. All permissions the can be delegated are listed below.
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
There is also a one time step to allow services to be controlled remotely if the server is 2003 SP1 or later: SP1 changed the default ACL on the service control manager. Remote use of services.msc does not work with the SP1 version of ACL. Change the ACL back to allow remote service start stop with the following command. It is wrapped here but should be entered as a single command: sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
More info about 2003 SP1 ACL change and where that SDDL came from http://support.microsoft.com/?id=907460
Hotfix if subinacl produces Error 1783 http://support.microsoft.com/kb/827209
You will probably need a different SCMANAGER SDDL for 2008 R1/R2 servers.