Start Stop a Windows Service from a non-Administrator user account

Question

I have a WindowsService named  say  BST  And I need to give a non-Administrator user  UserA  the permissions to Start Stop this particular service  My service runs on a variety of Windows OS  starting from Windows Server 2003 to Windows 7   How can I do this   I Googled and found some stuff about giving permissions using the command  sc sdset   but I am not exactly sure about the parameters  I do not want to set the permissions for a group  but ONLY to a particular user  UserA in this case

User · Answer

I use the SubInACL utility for this  For example  if I wanted to give the user job on the computer VMX001 the ability to start and stop the World Wide Web Publishing Service  also know as w3svc   I would issue the following command as an Administrator   subinacl exe  service w3svc  grant VMX001 job PTO  The permissions you can grant are defined as follows  list taken from here    F   Full Control R   Generic Read W   Generic Write X   Generic eXecute L   Read controL Q   Query Service Configuration S   Query Service Status E   Enumerate Dependent Services C   Service Change Configuration T   Start Service O   Stop Service P   Pause Continue Service I   Interrogate Service  U   Service User-Defined Control Commands   So  by specifying PTO  I am entitling the job user to Pause Continue  Start  and Stop the w3svc service

User · Answer

Windows Service runs using a local system account It can start automatically as the user logs into the system or it can be started manually However  a windows service say BST can be run using a particular user account on the machine This can be done as follows start services msc and go to the properties of your windows service BST From there you can give the login parameters of the required user Service then runs with that user account and no other user can run that service

User · Answer

There is a free GUI Tool ServiceSecurityEditor  Which allows you to edit Windows Service permissions  I have successfully used it to give a non-Administrator user the rights to start and stop a service   I had used  sc sdset  before I knew about this tool    ServiceSecurityEditor feels like cheating  it s that easy

User · Answer

subinacl exe command-line tool is probably the only viable and very easy to use from anything in this post  You cant use a GPO with non-system services and the other option is just way way way too complicated

User · Answer

Login as an administrator  Download subinacl exe from Microsoft  http   www microsoft com en-us download details aspx id 23510 Grant permissions to the regular user account to manage the BST services   subinacl exe is in C  Program Files  x86  Windows Resource Kits Tools    cd C  Program Files  x86  Windows Resource Kits Tools  subinacl  SERVICE   MachineName bst  GRANT domainname com username F or subinacl  SERVICE   MachineName bst  GRANT username F Logout and log back in as the user  They should now be able to launch the BST service

User · Answer

Below I have put together everything I learned about Starting Stopping a Windows Service from a non-Admin user account  if anyone needs to know   Primarily  there are two ways in which to Start   Stop a Windows Service      1  Directly accessing the service through logon Windows user account      2  Accessing the service through IIS using Network Service account   Command line command to start   stop services   C   gt  net start  lt SERVICE NAME gt  C   gt  net stop  lt SERVICE NAME gt    C  Code to start   stop services   ServiceController service   new ServiceController SERVICE NAME      Start the service if  service Status    ServiceControllerStatus Stopped          service Start          service WaitForStatus ServiceControllerStatus Running  TimeSpan FromSeconds 10 0         Stop the service if  service Status    ServiceControllerStatus Running          service Stop          service WaitForStatus ServiceControllerStatus Stopped  TimeSpan FromSeconds 10 0        Note 1  When accessing the service through IIS  create a Visual Studio C  ASP NET Web Application and put the code in there  Deploy the WebService to IIS Root Folder  C  inetpub wwwroot   and you re good to go  Access it by the url http       1  Direct Access Method  If the Windows User Account from which either you give the command or run the code is a non-Admin account  then you need to set the privileges to that particular user account so it has the ability to start and stop Windows Services  This is how you do it  Login to an Administrator account on the computer which has the non-Admin account from which you want to Start Stop the service  Open up the command prompt and give the following command   C   gt sc sdshow  lt SERVICE NAME gt    Output of this will be something like this   D  A  CCLCSWRPWPDTLOCRRC   SY  A  CCDCLCSWRPWPDTLOCRSDRCWDWO   BA  A  CCLCSWLOCRRC   IU  A  CCLCSWLOCRRC   SU S  AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO   WD    It lists all the permissions each User   Group on this computer has with regards to     A description of one part of above command is as follows       D  A  CCLCSWRPWPDTLOCRRC   SY   It has the default owner  default group  and it has the Security descriptor control flags  A  CCLCSWRPWPDTLOCRRC   SY    ace type -  A   ACCESS ALLOWED ACE TYPE  ace flags - n a  rights - CCLCSWRPWPDTLOCRRC   please refer to the Access Rights and Access Masks and Directory Services Access Rights CC  ADS RIGHT DS CREATE CHILD - Create a child DS object  LC  ADS RIGHT ACTRL DS LIST - Enumerate a DS object  SW  ADS RIGHT DS SELF - Access allowed only after validated rights checks supported by the object are performed  This flag can be used alone to perform all validated rights checks of the object or it can be combined with an identifier of a specific validated right to perform only that check  RP  ADS RIGHT DS READ PROP - Read the properties of a DS object  WP  ADS RIGHT DS WRITE PROP - Write properties for a DS object  DT  ADS RIGHT DS DELETE TREE - Delete a tree of DS objects  LO  ADS RIGHT DS LIST OBJECT - List a tree of DS objects  CR  ADS RIGHT DS CONTROL ACCESS - Access allowed only after extended rights checks supported by the object are performed  This flag can be used alone to perform all extended rights checks on the object or it can be combined with an identifier of a specific extended right to perform only that check  RC  READ CONTROL - The right to read the information in the object s security descriptor  not including the information in the system access control list  SACL    This is a Standard Access Right  please read more http   msdn microsoft com en-us library aa379607 VS 85  aspx  object guid - n a  inherit object guid - n a  account sid -  SY   Local system  The corresponding RID is SECURITY LOCAL SYSTEM RID    Now what we need to do is to set the appropriate permissions to Start Stop Windows Services to the groups or users we want  In this case we need the current non-Admin user be able to Start Stop the service so we are going to set the permissions to that user  To do that  we need the SID of that particular Windows User Account  To obtain it  open up the Registry  Start   regedit  and locate the following registry key   LOCAL MACHINE SOFTWARE Microsoft Windows NT CurrentVersion ProfileList   Under that there is a seperate Key for each an every user account in this computer  and the key name is the SID of each account  SID are usually of the format S-1-5-21-2103278432-2794320136-1883075150-1000  Click on each Key  and you will see on the pane to the right a list of values for each Key  Locate  ProfileImagePath   and by it s value you can find the User Name that SID belongs to  For instance  if the user name of the account is SACH  then the value of  ProfileImagePath  will be something like  C  Users Sach   So note down the SID of the user account you want to set the permissions to   Note2   Here a simple C  code sample which can be used to obtain a list of said Keys and it s values     LOCAL MACHINE SOFTWARE Microsoft Windows NT CurrentVersion ProfileList RegistryKey RegistryKey profileList   Registry LocalMachine OpenSubKey keyName      Get a list of SID corresponding to each account on the computer string   sidList   profileList GetSubKeyNames     foreach  string sid in sidList          Based on above names  get  Registry Keys  corresponding to each SID     RegistryKey profile   Registry LocalMachine OpenSubKey Path Combine keyName  sid           SID     string strSID   sid        UserName which is represented by above SID         string strUserName    string profile GetValue  ProfileImagePath        Now that we have the SID of the user account we want to set the permissions to  let s get down to it  Let s assume the SID of the user account is S-1-5-21-2103278432-2794320136-1883075150-1000  Copy the output of the  sc sdshow   command to a text editor  It will look like this   D  A  CCLCSWRPWPDTLOCRRC   SY  A  CCDCLCSWRPWPDTLOCRSDRCWDWO   BA  A  CCLCSWLOCRRC   IU  A  CCLCSWLOCRRC   SU S  AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO   WD    Now  copy the  A  CCLCSWRPWPDTLOCRRC   SY  part of the above text  and paste it just before the S  AU     part of the text  Then change that part to look like this   A  RPWPCR   S-1-5-21-2103278432-2794320136-1883075150-1000   Then add sc sdset  at the front  and enclose the above part with quotes  Your final command should look something like the following   sc sdset  lt SERVICE NAME gt   D  A  CCLCSWRPWPDTLOCRRC   SY  A  CCDCLCSWRPWPDTLOCRSDRCWDWO   BA  A  CCLCSWLOCRRC   IU  A  CCLCSWLOCRRC   SU  A  RPWPCR   S-1-5-21-2103278432-2794320136-1883075150-1000 S  AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO   WD     Now execute this in your command prompt  and it should give the output as follows if successful    SC  SetServiceObjectSecurity SUCCESS   Now we re good to go  Your non-Admin user account has been granted permissions to Start Stop your service  Try loggin in to the user account and Start Stop the service and it should let you do that   2  Access through IIS Method  In this case  we need to grant the permission to the IIS user  Network Services  instead of the logon Windows user account  The procedure is the same  only the parameters of the command will be changed  Since we set the permission to  Network Services   replace SID with the string  NS  in the final sdset command we used previously  The final command should look something like this   sc sdset  lt SERVICE NAME gt   D  A  CCLCSWRPWPDTLOCRRC   SY  A  CCDCLCSWRPWPDTLOCRSDRCWDWO   BA  A  CCLCSWLOCRRC   IU  A  CCLCSWLOCRRC   SU  A  RPWPCR   NS S  AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO   WD     Execute it in the command prompt from an Admin user account  and voila  You have the permission to Start   Stop the service from any user account  irrespective of whether it ia an Admin account or not  using a WebMethod  Refer to Note1 to find out how to do so

User · Answer

It s significantly easier to grant management permissions to a service using one of these tools    Group Policy Security Template subinacl exe command-line tool    Here s the MSKB article with instructions for Windows Server 2008   Windows 7  but the instructions are the same for 2000 and 2003

[windows-services] Start / Stop a Windows Service from a non-Administrator user account

Examples related to windows-services

Examples related to user-accounts

Examples related to administrator