Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows Server 2016 / How to Allow Non-Admin Users to Start/Stop Windows Service?

July 24, 2020 Windows 10Windows Server 2012 R2Windows Server 2016

How to Allow Non-Admin Users to Start/Stop Windows Service?

By default, common (non-admin) users cannot manage Windows services. This means that users cannot stop, start, restart, or change the settings/permissions of Windows services. In some cases, it is necessary for a user to have the permissions to restart or manage certain services. In this article we’ll look at several ways to manage the permissions for Windows services. In particular, we’ll show you how to allow a non-admin user to start, stop and restart a specific Windows service by granting the appropriate permissions.

Suppose, you need to grant the domain account contoso\tuser the permissions to restart the Print Spooler service (service name – spooler). When the non-admin tries to restart the service, an error appears:

System error 5 has occurred. Access is denied.

net stop/ start service - system error 5 access is denied

There is no simple and convenient built-in tool to manage services permissions in Windows. We’ll consider some ways to grant the permissions to a user to manage service:

Contents:
  • Setting Windows Service Permissions Using the SC.exe (Service controller) Tool
  • Using the SubInACL to Allow a User to Start/Stop/Restart Service
  • How to Change Windows Service Permission Using Process Explorer?
  • Setting Windows Service Permissions Using PowerShell
  • Using Security Templates to Manage Service Permissions
  • How to Grant Users Rights to Manage a Service using GPO?

Setting Windows Service Permissions Using the SC.exe (Service controller) Tool

A standard built-in Windows method to manage system service permissions supposes using the sc.exe (Service Controller) tool. The main problem with using this utility is the complex syntax of the service permissions format (the SDDL format — Security Description Definition Language).

You can get the current permissions for a Windows service as an SDDL string like this:

sc.exe sdshow Spooler

sc.exe sdshow Spooler - show service permissions

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

What do all these symbols mean?

S: — System Access Control List (SACL)
D: — Discretionary ACL (DACL)

The first letter after brackets means: allow (A) or deny (D).

The next set of symbols is assignable permissions.

CC — SERVICE_QUERY_CONFIG (request service settings)
LC — SERVICE_QUERY_STATUS (service status polling)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE

The last 2 characters are the objects (user, group or SID) that are granted permissions. There is a list of predefined groups.

AU Authenticated Users
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user

Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID for the current user, you can use the command:

whoami /user

Or you can find the SID for any domain user using the Get-ADUser cmdlet:

Get-ADUser -Identity 'sadams' | select SID

You can get the SID of the AD security group using the Get-ADGroup cmdlet:

Get-ADGroup -Filter {Name -eq "ny-ithelpdesk"} | Select SID

In order to assign the SDDL permissions string for a specific service, you can use the sc sdset command. For example, the permissions can be granted to a user with the following command:

sc sdset Spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Using the SubInACL to Allow a User to Start/Stop/Restart Service

It is easier to use a command line tool SubInACL from the Sysinternals (by Mark Russinovich) to manage the service permissions. The syntax of this tool is much easier and more convenient. Here is how you can grant the restart permissions for a service using the SubInACL:

  1. Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it on the target system;SubInACL tools
  2. In the elevated command prompt, go to the directory containing the tool: cd “C:\Program Files (x86)\Windows Resource Kits\Tools\"
  3. Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO
    subinacl - grant user permission to start/stop service
    Note. In this case we have granted a user the permissions to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service
    U : Service User-Defined Control Commands

    If you need to grant permissions to a service running on a remote computer, use the following syntax of the subinacl command:
    subinacl /SERVICE \\lon-prnt1\spooler /grant=contoso\tuser=F
  4. Now you only have to logon the computer under a user account and try to restart the service with the commands:
    net stop spooler
    net start spooler
    or
    sc stop spooler && sc start spooler
    sc restart windows service one-liner

If you did everything right, the service should restart.

To revoke the assigned service permissions, use the /revokeoption of the subinacl.exe tool. For example:

subinacl.exe /service Spooler /revoke=contoso\tuser

How to Change Windows Service Permission Using Process Explorer?

You can change Windows service permissions using one more Sysinternals utility – Process Explorer. Run the Process Explorer as administrator and find the process of the service you need. In our example, this is spoolsv.exe (the spooler executable – C:\Windows\System32\spoolsv.exe). Open the process properties and click the Services tab.

process explorer service permissions

Click the Permissions button and add the user or group in the window that opens. After that select the permissions that you want to assign (Full Control/Write/Read).

allow manage windows service using procexp

Setting Windows Service Permissions Using PowerShell

In TechNet gallery there is a separate unofficial PowerShell module for managing permissions for different Windows objects – PowerShellAccessControl Module (you can download it here). This module also allows you to manage the service permissions. Install this module and import it into your PS session:

Import-Module PowerShellAccessControl

You can get the effective permissions for a specific Windows service from PowerShell like this:

Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser

To allow non-admin user to start and stop spooler service, run the command:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corp\tuser

Using Security Templates to Manage Service Permissions

A visual (but requiring more actions) graphical way to manage service permissions is using Security Templates. Open mmc.exe console and add the Security Templates snap-in.

Security Templates snap-in

Create a new security template (New Template).

new template

Specify the name for the new template and go to the System Services section. In the list of services select the service Print Spooler and open its properties.

Select the startup mode (Automatic) and click Edit Security.

service edit security

Using the Add button, add a user account or a group to grant permissions to. In our case, Start, stop and pause permission is enough.

service security settings

Save this template.

Note. The content of the Security Template is saved as the INF file in the C:\Users\%username%\Documents\Security\Templates folder.

If you open this file, you can see that the information about the permissions is saved in the SDDL format, mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

service_user_rights.inf
Now you only have to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import your Security Template from the file Spooler User Rights.inf.

import security template

Apply this template by selecting Configure Computer Now option from the context menu.

Configure Computer Now

Now you check that the user can allow manage the Print Spooler service under non-admin account.

How to Grant Users Rights to Manage a Service using GPO?

If you have to grant permissions to users to start/stop a service multiple servers or domain computer, it’s easier to use Group Policy (GPO) features:

  1. Create a new GPO or edit the existing one, link it to the necessary Active Directory container (OU) with the computer objects . Go to the policy section Computer configuration -> Windows Settings -> Security Settings -> System Services;System Service GPO
  2. Find the Spooler service and grant permissions to the users like in the method described above. Save the changes;
    Note. Earlier we showed that using the same GPO you can hide any Windows service from all users.
  3. Wait until the GPO is applied on client computers and make sure that the new service permissions have been assigned.
Where are the Windows service security permissions stored?

The security settings for all services for which you changed the default permissions are stored in their own registry key HKLM\System\CurrentControlSet\Services\<servicename>\Security in the Security parameter of the REG_BINARY type.

This means that one of the ways to set service permissions on other computers is to export/import this registry parameter (including through a GPO).windows service permissions in registry

So, we looked at several ways to manage the Windows service permissions, which allow you to grant any permissions for system services to non-admin user. If the user requires remote access to the service, without granting it local logon or RDP access permissions, you must allow the user to connect remotely and enumerate services via Service Control Manager.

 

12 comments
7
Facebook Twitter Google + Pinterest
previous post
Adding VLAN Interface in CentOS/Fedora/RHEL
next post
Configuring Network Adapter Settings with PowerShell: IP Address, DNS, Default Gateway, Static Routes

Related Reading

Enable Internet Explorer (IE) Compatibility Mode in Microsoft...

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

How to Delete Old User Profiles in Windows?

January 25, 2023

How to Stop Automatic Upgrade to Windows 11?

January 18, 2023

How to Enable TLS 1.2 on Windows?

January 18, 2023

12 comments

Aran April 28, 2016 - 2:35 am

How to Grant non-Administrators Rights like remote desktop users to Install softwares only and allow running softwares which demands admin permission to run the software ?

Reply
Jay Adams November 4, 2016 - 1:32 pm

You can easily grant non-administrators the ability to manage services with System Frontier. The RBAC model is very flexible, but easy to manage through a single web interface.

Reply
Chris Carpenter April 27, 2018 - 10:41 pm

The SubInACL Tool worked perfectly for my needs. I have one non-admin user who needs to restart a single service occasionally. Problem solved. Thanks!

Reply
Alex July 15, 2018 - 10:20 am

Many thank, very usefull, I used Security Template procedure to definetly disable the new service (Windows Update Medic Service) in Windows 10 Pro! Finally!

Reply
Rich August 1, 2019 - 9:07 pm

when granting a non-administrator the rights to start/stop/query a service as described above, if they do, does it change the ‘LogOnAs’ attribute for the service? The services I am exposing must also access network resources, to which the non-admin users will NOT have access. Would the above break this use case?

Reply
Allow Access to Sound Settings trouble Shooter in Group Policy November 30, 2020 - 11:16 am

[…] Possibly this How to Allow Non-Admin Users to Start/Stop Windows Service? | Windows OS Hub […]

Reply
Paul March 26, 2021 - 1:07 pm

Just used the first method at the top adding (A;;RPWPCR;;;RD) for remote access users to restart a service. Thanks for the help!

Reply
Windows: Einem Benutzer das Recht zum Starten und Stoppen für einen bestimmten Dienst geben – Andy's Blog May 6, 2021 - 12:54 pm

[…] WindowsOSHub – How to Allow Non-Admin Users to Start/Stop Windows Service? […]

Reply
Umesh May 14, 2021 - 6:34 pm

The only method that worked in our environment was using process explorer.
In my opinion, it’s also the easiest.
Thank you!

Reply
serg April 18, 2022 - 6:56 am

How to grant users rights to manage services:
_https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services

Reply
happyuser May 4, 2022 - 7:42 am

Thank you!

Reply
binbbong July 5, 2022 - 12:40 pm

subinacl doesn’t officially exist anymore. I wonder when will Microsoft deprecate commands like “dir”…

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023
  • Fix: The Requested Certificate Template is Not Supported by This CA

    January 9, 2023
  • How to Remove Hidden/Ghost Network Adapters in Windows?

    December 29, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Allow Multiple RDP Sessions in Windows 10 and 11?
  • How to Run Program without Admin Privileges and to Bypass UAC Prompt?
  • Error Code: 0x80070035 “The Network Path was not found” after Windows 10 Update
  • How to Disable UAC Prompt for Specific Applications in Windows 10?
  • How to Download APPX File from Microsoft Store for Offline Installation?
  • Fix: Windows Cannot Connect to the Shared Printer
  • Installing RSAT Administration Tools on Windows 10 and 11
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top