By default, common (non-admin) users cannot manage Windows services. It means that they cannot stop, start or change the settings or permissions for system services. In some cases, it is necessary for a user to have the permissions to restart or manage certain services. In this article we’ll look at several ways to manage the permissions for Windows services. In particular, we’ll show you how to allow a common user (without admin rights) to start and stop a specific Windows service by granting the appropriate permissions.
Suppose, you need to allow the domain account contoso\tuser the permissions to restart Print Spooler service (service name – spooler).
There is no simple and convenient built-in tool to manage services permissions in Windows. We’ll consider some ways to grant the permissions to a user to manage service:
Built-in SC.exe (Service controller) utility
A standard built-in Windows method to manage system service permissions supposes using the sc.exe (Service Controller) utility. The main problem with using this utility is the complex syntax of the format for granting permissions for a service (SDDL format).
You can get the current permissions to the service like this:
sc.exe sdshow Spooler
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
What do all these symbols mean?
D: — Discretionary ACL (DACL)
The first letter after brackets means: allow (A) or deny (D).
The next set of symbols is assignable rights.
LC — SERVICE_QUERY_STATUS (service status polling)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE
The last 2 characters are objects (user group or SID) that are granted permissions. There is a list of predefined groups.
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user
Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID for the current user, you can use the command:
whoami /user
Or you can find the SID for any domain user using the Get-ADUser cmdlet:
Get-ADUser -Identity 'sadams' | select SID
For example, the permissions can be granted to a user with the following command:
sc sdset Spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Setting Service Permissions Using SubInACL Tool
It is easier to use a command line tool SubInACL from the Sysinternals by Mark Russinovich. The syntax of this tool is much easier and more convenient. Here is how you can grant the restart permissions for a service using SubInACL:
- Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it in the target system;
- In the elevated command prompt, go to the directory containing the tool:
cd “ C:\Program Files (x86)\Windows Resource Kits\Tools\)"
- Run the command:
subinacl.exe /service Spooler /grant=contoso\tuser=PTO
Note. In this case we have granted a user the permissions to suspend (pause/continue), start and stop a service. The full list of the available permissions:If you need to grant permissions to a service running on a remote machine, the syntax is as follows:F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
subinacl /SERVICE \\lon-prnt1\spooler /grant=contoso\tuser=F
- Now you only have to log on with the user account and try to restart the service with these commands:
net stop spooler
net start spooler
If you did everything right, the service should stop and start again.
Set Windows Service Permission Using Process Explorer
You can change Windows service permissions using one more Sysinternals utility – Process Explorer. Run Process Explorer as administrator and find the process of the service you need. In our example, this is spoolsv.exe (the spooler executable – C:\Windows\System32\spoolsv.exe). Open the process properties and click the Services tab.
Click the Permissions button and add the user or group in the window that opens. After that select the permissions that you want to assign.
Security Template
A visual (but requiring more actions) graphical way to manage service permissions is using Security Templates. Open mmc.exe console and add the Security Templates snap-in.
Create a new template (New Template).
Specify the name for the new template and go to the System Services section. In the list of services select your service Print Spooler and open its properties.
Select the startup mode (Automatic) and click Edit Security.
Using the Add button, add a user account or a group to grant permissions to. In our case, Start, stop and pause permission is enough.
Save this template.
If you open this file, you can see that the information about the permissions is saved in the SDDL format, mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Now you only have to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import your Security Template from Spooler User Rights.inf.
Apply this template by selecting Configure Computer Now command from the context menu.
Now you check that the user has the rights to manage the Print Spooler service.
Service Permissions Management Using GPO
If you have to grant permissions to users to start/stop a service on a number of computers, it’s easier to use Group Policy (GPO) features:
- Create a new GPO or edit the existing one, link it to the necessary container (OU) with the computers in Active Directory. Go to Computer configuration -> Windows Settings -> Security Settings -> System Services;
- Find the Spooler service and grant permissions to the users like in the method described above. Save the changes;Note. Earlier we showed that using the same GPO you can hide any Windows service from all users.
- Wait until the GPO is applied on client computers and make sure that the service permissions have been assigned.
Using PowerShell to Assign Service Permissions
In TechNet gallery there is a separate unofficial PowerShell module for managing permissions for different Windows objects – PowerShellAccessControl Module (you can download it here). This module also allows to manage the service permissions. Install this module and import it into your session:
Import-Module PowerShellAccessControl
You can obtain effective permissions for a specific service like this:
Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser
To allow non-admin user to start and stop spooler service, run the command:
Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corp\tuser
So, we looked at several ways to manage the Windows services permissions, which allow to grant any permissions for system services to any user. If the user requires remote access to the service, without granting it local logon or RDP access rights, you must allow the user to connect remotely and enumerate services over Service Control Manager.
5 comments
How to Grant non-Administrators Rights like remote desktop users to Install softwares only and allow running softwares which demands admin permission to run the software ?
You can easily grant non-administrators the ability to manage services with System Frontier. The RBAC model is very flexible, but easy to manage through a single web interface.
The SubInACL Tool worked perfectly for my needs. I have one non-admin user who needs to restart a single service occasionally. Problem solved. Thanks!
Many thank, very usefull, I used Security Template procedure to definetly disable the new service (Windows Update Medic Service) in Windows 10 Pro! Finally!
when granting a non-administrator the rights to start/stop/query a service as described above, if they do, does it change the ‘LogOnAs’ attribute for the service? The services I am exposing must also access network resources, to which the non-admin users will NOT have access. Would the above break this use case?