
October 21, 2016 Windows Server 2012 R2

Granting Remote Access on SCManager to Non-admin Users

Let’s look at how to grant domain users who are not local administrators permission to enumerate the services running on a remote server. In practice, the task comes down to allowing a remote connection to the Service Control Manager (SCManager).

Here is what the problem looks like. Suppose we want a remote user or a monitoring system to be able to query the status of services on a server. For obvious reasons, this remote user has neither administrative rights nor permission to log on to the server locally.

When trying to connect and get the list of services on the remote computer using the services.msc console, the user sees the following error:

Windows was unable to open service control manager database on computer_name

Error 5: Access is denied.


If you try to get the list of services on a remote server using sc.exe, the error is as follows:

C:\Windows\system32>sc \\lonts-01 query

[SC] OpenSCManager FAILED 5:
Access is denied.


Access to the list of services is controlled by the security descriptor of the Service Control Manager database. Remote access to it for members of the “Authenticated Users” group was removed as far back as Windows Server 2003 SP1 (which is quite logical): since then, only members of the local Administrators group have been able to access SCM remotely.

Let’s consider how to grant remote access to the Service Control Manager so that ordinary users (without administrative rights) can get the list of services on a Windows Server 2012 R2 host and query their status.

The current Service Control Manager (SCM) permissions can be obtained with sc.exe by running the following command in a command prompt started with administrator privileges:

sc sdshow scmanager

The command returns an SDDL string similar to this one:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


Here you can see that by default the Authenticated Users (AU) group is only allowed to connect to SCM (CC, SC_MANAGER_CONNECT), but not to enumerate the services (LC, SC_MANAGER_ENUMERATE_SERVICE). Copy this string to any text editor.

The next step is to get the SID of the user or group to whom we want to grant remote access to SCM (How to get a user SID by username). For example, let’s get the SID of the AD group lon-hd:

Get-ADgroup -Identity lon-hd | select SID
SID
---
S-1-5-21-2470146451-39123456388-2999995117-23338978

Copy the block (A;;CCLCRPRC;;;IU) (IU means Interactive Users) from the SDDL string in your text editor, replace IU in the copied block with the SID of the user/group, and paste the resulting block immediately before S: (everything after S: is the SACL; the new ACE must remain in the D: part, the DACL).

In our case we have got the following string:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;S-1-5-21-2470146451-39123456388-2999995117-23338978)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Now let’s change the Service Control Manager security descriptor:

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;S-1-5-21-2470146451-39123456388-2999995117-23338978)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"


The line [SC] SetServiceObjectSecurity SUCCESS indicates that the new security settings have been applied, and the group has received the same rights as locally authenticated (interactive) users: SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS and STANDARD_RIGHTS_READ.
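The sdshow / SID / sdset steps above, as an added PowerShell example that is not part of the original article: it reads the current descriptor, lists the existing ACEs for review, refuses to add a second entry for the same SID, and inserts the new ACE before S: as described. It assumes sc.exe is on the PATH and the script runs in an elevated prompt on the target server; the group name is a placeholder, and the SID is resolved with NTAccount.Translate rather than Get-ADGroup.

```powershell
# Added example (not the article's own code): build the new SCManager SDDL from
# the current one instead of editing it by hand, and preview it before applying.
# Assumptions: $GroupName is a placeholder; sc.exe is on the PATH; elevated prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName = 'lon-hd',     # placeholder group from the article
    [string]$Rights    = 'CCLCRPRC'    # the same rights the default ACE gives IU
)

# Resolve the group to a SID without requiring the AD PowerShell module.
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor; sc.exe prints it on one line starting with "D:".
$sddl = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
if (-not $sddl) { throw 'Could not read the SCManager security descriptor.' }
$sddl = $sddl.Trim()

# Split into the DACL (D:) and the optional SACL (S:) so the new ACE lands in the DACL.
if ($sddl -notmatch '^(?<dacl>D:.*?)(?<sacl>S:.*)?$') { throw "Unexpected SDDL: $sddl" }
$dacl = $Matches['dacl']
$sacl = [string]$Matches['sacl']   # empty string when there is no S: part

# Show who already has which rights, so the change can be reviewed before it is made.
$acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<who>[^)]*)\)'
[regex]::Matches($dacl, $acePattern) | ForEach-Object {
    '{0,-4} {1,-14} {2}' -f $_.Groups['type'].Value, $_.Groups['rights'].Value, $_.Groups['who'].Value
}

# Do not stack a duplicate ACE if the SID is already present in the DACL.
if ($dacl -like "*;$sid)*") { Write-Warning "$GroupName ($sid) already has an ACE"; return }

$newSddl = "$dacl(A;;$Rights;;;$sid)$sacl"
Write-Output "New descriptor:`n$newSddl"

# -WhatIf prints the intended sc sdset call without changing anything.
if ($PSCmdlet.ShouldProcess('scmanager', "sc sdset with ACE for $GroupName")) {
    & sc.exe sdset scmanager $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}
```

Run it with -WhatIf first to see the ACE table and the new string; rerun without it to apply.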

Make sure that the remote user can now get the list of services and their status from the services.msc console or by running sc \\srv-name1 query

sc query on remote computer

Naturally, this grants no rights to manage the services, since access to each service is controlled by its own ACL. To allow a user to start/stop services on the server, follow the instructions in the article How to Grant Permissions to Manage (Start, Stop or Restart) Windows Services to a User.

Tip. If you assign SCManager permissions that differ from the default ones, they are stored in the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security branch of the registry. If you made a mistake when preparing the SDDL string, you can delete this branch and restart the computer to reset the permissions to their defaults.


17 comments

Jay Adams November 4, 2016 - 1:29 pm

If you’d like to grant permissions to manage services without dealing with SDDL strings or changing the registry on every machine, take a look at System Frontier.
You can centrally delegate rights through a web interface and even use wildcards to give access to specific services by name. It’s a paid product, but still free up to 5 nodes.

Reply
Antonio August 8, 2019 - 11:26 am

Hi, I ran your guide.
Remotely I can see the services with the tool service.msc but I can not manage them. I must say that the services I have to manage are not system services.
I already gave the grants to the group following your guide https://woshub.com/set-permissions-on-windows-service/ with powershell.
If instead I add the AD group to the RDP access and open the local services tool I can use them.
Can you support me?
Thank you.

Reply
admin August 9, 2019 - 6:17 am

Hi
Please, check that you can start/stop services remotely via sc: sc \\lnd-prnt1 start servicename

Reply
Antonio August 9, 2019 - 8:30 am

I get this error:

[SC] StartService: OpenService OPERAZIONI NON RIUSCITE 1060:

Il servizio specificato non esiste come servizio installato.

Reply
Antonio September 2, 2019 - 7:40 am

Hi,
Do you have any suggestions, please?
Thanks

Reply
Jay Adams September 2, 2019 - 1:20 pm

You might want to take a look at this: https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces

Since you are getting a 1060 error, that means you can’t see the service, so you may be missing one of the permissions that lets you interrogate or query the service.

Reply
Antonio September 6, 2019 - 2:08 pm

Hi Jay Adams,
Thank you for your help.
I used this string of permission : (A;;CCLCRPRC;;;).
Do I need to add more permissions?
Thanks.

Reply
Antonio September 6, 2019 - 2:54 pm

Sorry, the string is (A;;CCLCRPRC;;;SID)

Reply
Antonio September 17, 2019 - 12:26 pm

Hi,
Do you have any suggestions, please?
Thanks

Reply
Jay Adams September 17, 2019 - 6:28 pm

Antonio, sorry for the late response. Your SDDL string is correct for giving an account access to start a service, but start/stop operations must be granted on a per service basis. They won’t work for all services when run against scmanager. So, you’ll want to run a sc sdshow first, then add in your new SDDL permission to grant it along with the existing permissions with sdset.

Reply
Antonio September 18, 2019 - 3:28 am

Thanks for the answer.
This is the string returned by the command “sc sdshow scmanager”:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;CCLCRPRC;;;S-1-5-21-4012381749-574827434-714808905-1185)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
What should I add?

Reply
Antonio September 18, 2019 - 3:53 am

I apologize for the mistake reported earlier.
The error returned by the command “sc \lnd-prnt1 start servicename” is:
[SC] StartService: OpenService OPERAZIONI NON RIUSCITE 5:

Accesso negato.

Reply
Jay Adams September 18, 2019 - 11:41 am

You’re going to need to run: sc sdshow
Then add in your new start permission to the existing permissions set for that particular service by running sdset.

For example, if I want to give SID 123 StartService permission to the WpnService, I would do the following:
1 – sc.exe sdshow WpnService
Result: (A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
2 – Add the new permissions in with the existing ones: sc.exe sdset WpnService “(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCRPRC;;;)”

You would need to do something similar to that for every single service on every machine that you want to grant start or stop permissions to for another group or user. This is so much easier in System Frontier. You add users or AD groups to roles and choose which services they can start or stop and on which machines or groups of machines – all done via a simple web GUI. There’s no chance of corrupting ACLs because nothing physically changes on the target systems. Use the contact form and I’d be happy to show you first hand.

Reply
Evan October 3, 2020 - 4:56 am

I have been trying to grant start/stop permissions on a few services located on a remote server to our Developers, and have been unsuccessful. I know I have done this successfully in the past, but it is not working now, for some reason. Are you aware of anything that might have changed? This is for Windows Server 2019 Core Edition. They are able to access scmanager, and once I add full permissions for them, they are able to see the custom services that they need access to, as well. However, regardless of what I do, they are still unable to actually modify anything. They cannot start/stop/restart/pause, they cannot change the startup type, they cannot change the account the service runs underneath…. I even opened a Premier Support ticket with MS earlier this week, but so far they have no idea why this is not working.

Please let me know if you have any suggestions.

Reply
Evan October 3, 2020 - 5:24 am

I just discovered that adding permissions to services seems to only be not working on Windows Server 2019 Servers. It works just fine on Windows Server 2012 R2 Servers. I am not sure whether or not Windows 2016 Servers are affected.

If anyone has any information on how to add permissions for non-admins to remotely start/stop services on a Windows 2019 Server, please let me know.

Reply
Steve November 25, 2020 - 12:18 am

Solution for Server 2019 specific problem with assigning access to SCManager

reg add HKLM\SYSTEM\CurrentControlSet\Control /v RemoteAccessExemption /t REG_DWORD /d 1 /f

Credit to tadmaz-quad for posting the question and the answer – Thanks !!

https://social.technet.microsoft.com/Forums/en-US/a9b38117-1e98-4a9e-a4d8-7bbbc3ace2f2/remotely-stopstart-services-not-working-for-nonadmins?forum=ws2019
https://support.microsoft.com/en-us/help/4457739/blocking-remote-callers-from-starting-or-stopping-services-when-they-a

Reply
Jason January 28, 2021 - 2:38 pm

Have you guys noticed that only running ‘sc.exe sdset scmanager’ allows WMI to list about 1/4 or less of the services? If I run the Powershell command ‘Get-WmiObject Win32_Service -ComputerName -Credential (Get-Credential)’ with the credentials of the user added in the SDDL with the (A;;CCLCRPRC;;;,) string, I only get a list of about 52 services. If I run that command as a user in the local Administrators group, I get 190+ services. We noticed this while working with SolarWinds and wanting to poll Up/Down of specific services, and realized that none of the 3rd party services show up in SolarWinds Service Control Manager. If we set sdset on specific services it works. Also, these services were already installed before running sdset on scmanager, so they aren’t new installs after running the script.

Reply