How to Grant non-Administrators Rights to Manage Services

By default, common users with no system administrator privileges cannot manage Windows services. It means that they cannot stop, start or change the settings or permissions for such services. In some cases, it is necessary that a user had the permissions to restart or manage certain services. In this article, we’ll consider some ways to manage permissions for Windows services. In particular, we’ll show how to grant a standard user without administrative rights the permissions to start and stop a specific service.

Suppose, we have to grant the domain account contoso\tuser the permissions to restart Print Spooler service (system name spooler).

There is no simple and convenient integrated tool to manage services permissions in Windows. We’ll consider some ways to grant a user permissions to manage service:

• A Standard Utility SC.exe (Service controller)
• SubInACL Tool
• Security Template
• Service Permissions Management Using GPO

A Standard Utility SC.exe (Service controller)

A standard built-in Windows method to manage system service permissions supposes using the sc.exe (Service Controller) utility.

The main problem is the complex syntax of the format to grant permissions for a service (SDDL format). For example, the permissions can be granted to a user with the following command:

sc sdset Spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

We won’t deal with this method of granting permissions for the services in detail (if you need it, you’ll find how to do it yourself). The only thing to be noted is that the command sc sdshow allows to display the current permissions for the service, and sc sdset helps to change the service security descriptor.

SubInACL Tool

It is easier to use a command line tool SubInACL by Mark Russinovich (the rights to which now belonging to Microsoft, together with the author). The syntax of this tool is easier and more convenient. Here is how you grant the restart permissions for a service using SubInACL:

1. Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it in the target system.
2. In the command prompt with administrator privileges, go to the directory containing the tool: cd “ C:\Program Files (x86)\Windows Resource Kits\Tools\)"
3. Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO
   

   Note. In this case we have granted a user the permissions to pause/continue, start or stop a service. The full list of the available permissions:

   F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

   If you need to grant permissions on a remote machine, the syntax is as follows:
   subinacl /SERVICE \\lon-prnt1\spooler /grant=contoso\tuser=F

4. Now you only have to log on with the user account and try to restart the service with these commands:
   net stop spooler
net start spooler

If you did everything right, the service would be stopped and started again.

Security Template

A visual (but requiring more actions) graphical way to manage service permissions is using Security Templates. To do it, open mmc.exe console and add the Security Templates snap-in.

Create a new template (New Template).

Specify the name for the new template and go to the System Services section. In the list of services, select your service Print Spooler and open its properties.

Select the startup mode (Automatic) and click Edit Security.

Using the Add button, add a user account or a group to grant permissions to. In our case, Start, stop and pause permission is enough.

Save this template (Save).

If you open this file, you can see that the information about the permissions is saved in the SDDL format, mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Now you only have to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import our Security Template from Spooler User Rights.inf.

Apply this template by invoking Configure Computer Now command from the context menu.

Check that the user has the rights to manage the Spooler service

Service Permissions Management Using GPO

If you have to grant permissions to users to start/stop a service on a number of computers, it’s easier to use GPO features.

1. Create a new GPO or edit the existing one, assign it to the necessary container with the computers in Active Directory. Go to Computer configuration -> Windows Settings -> Security Settings -> System Services.
2. Find the Spooler service and grant permissions to the users like in the method described above. Save the changes.

   Note. Earlier we showed that using the same GPO you can hide any Windows service from all users.

3. Wait till the GPO is applied on client computers and make sure if the service permissions have been applied.

So, we have considered some ways to manage Windows service permissions, which allow to grant any permissions for system services to any user.