Persistent way to allow a user to restart a service

Question

There is a windows service that gets reinstalled sometimes.

I need a user to be able to start/stop/restart this service. This user is not an administrator and shouldn't be.

If I use setacl.exe than it works, or even I can use sc sdset, but after the service gets reinstalled setacl needs to be called again, but the process that reinstalls the service has no rights to run setacl.

Is there a way to grant a specific user the right to restart a service with a specific name, or even all services, that persists through a service reinstall?

If I'm able to give a user some general permissions to "manage services" that would also be fine, but I'm unable to pinpoint the exact rights needed for this (if I add the user to the admin group, he can start/stop services, but can -obviously- do a lot more than that).

abstrask · Accepted Answer · 2014-03-17T16:14:10.320

Since you've already know about SetACL, and how to use it to allow a user to control a service, you could simply use Scheduled Tasks to regularly run SetACL.

Configure the task to repeat in an interval as small, as the longest acceptable time the user cannot control the service, after a re-installation.

Edit

As you say, it is kind of hacky ;).

Another option, as Adam mentions, is to use GPO's to enforce your ACL.

For a non-standard Windows services, you will have to install and run the Group Management Console, on the computer where the service is installed. Then do the following:

Launch GPMC.msc on the computer
Edit an existing GPO, or create a new, that applies to the computer in question
Expand Policies, Windows Settings, Security Settings, System Services
Open the properties of the service in question
Define startup mode and edit permission as desired

Although this seems very hacky I like it. – vinczemarton Mar 17 '14 at 15:45 — vinczemarton, Mar 17 '14 at 15:45

score 1 · Answer 2 · edited Jun 11 '18 at 04:00

1

Permissions for restarting a service are fairly straightforward, and you can use Subinacl.exe /service to assign permissions, eg:

subinacl /service MyServiceName /GRANT=NTDOMAIN\BOB=STOPI

STOPI = query status
STOPI = start
STOPI = stop
STOPI = pause/continue
STOPI = interrogate.

Full list at support.microsoft.com.

The problem you're getting, I think, is that when MyServiceName is deleted, the ACLs are deleted along with it. You can get around this by using Group Policy, or Security Templates, to assign permissions on services which may or may not exist.

edited Jun 11 '18 at 04:00

jdgregson

109

answered Mar 17 '14 at 15:56

Adam Thompson

587

Thanks for the reference to SUBINACL. Didn't know about that command :) – abstrask Mar 18 '14 at 09:45
This did the trick for me on Windows 10. I was able to download subinacl.exe from Microsoft here. – jdgregson Jun 11 '18 at 00:14

Persistent way to allow a user to restart a service

2 Answers2

Edit