We have a business requirement where we don't want even Admins to be able to stop a service of a specific application running on Windows machines. The reason is that the application plays an important role in security, and the only barrier for security is the running state of a service. We want only a specific group of people to manage the service. Is there a way to achieve this?

    Each service has an Access Control List, add the new group to it and remove the Administrators group from it. Can be done on the command-line, or easier using tools like SystemInformer. Test before using in production. – Peter Hahndorf Jul 08 '23 at 08:43

1 Answer

Just edit the ACL of the service. This can be done locally or through a GPO, which should be edited on a machine using ("seeing") that service. Usually you would use a GPO, but GPOs can be changed by admins, so consider that carefully.

How?

In your GPO expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services. In the right pane, double-click the service to which you want to change permissions and the security policy setting for that specific service will be displayed. Click to select the "Define this policy" setting check box and edit the ACL.

More on this here: How to Assign System Service Permissions

bjoster
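A way to check the result of the ACL edit described above, as an added example that is not part of the original answer: it parses the SDDL string that `sc.exe sdshow <service>` prints and reports which trustees can still stop, reconfigure or re-permission the service. The two SDDL samples and the operators-group SID are constructed for illustration.

```python
import re

# SDDL right codes that let a trustee stop a service or regain control of it.
RISKY = {
    "WP": "stop", "DT": "pause/continue", "DC": "change config",
    "SD": "delete", "WD": "write DACL", "WO": "write owner",
    "GA": "generic all", "GW": "generic write", "GX": "generic execute",
}
ADMINS = {"BA", "S-1-5-32-544"}  # built-in Administrators: alias and full SID

# Constructed samples: a typical default service SDDL, and a hardened one in
# which BA is read-only and a hypothetical operators group has full control.
OPS_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up SID
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + OPS_GROUP + ")"
                 "(A;;CCLCSWLOCRRC;;;IU)")


def risky_grants(sddl):
    """Map each trustee to the risky rights its allow ACEs grant."""
    # Only the DACL ("D:") controls access; the SACL ("S:") is for auditing.
    dacl = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type != "A":  # deny and audit ACEs grant nothing
            continue
        if rights.lower().startswith("0x"):
            raise ValueError("hex access mask not handled: " + rights)
        hits = [RISKY[c] for c in re.findall("..", rights) if c in RISKY]
        if hits:
            grants.setdefault(sid, []).extend(hits)
    return grants


def admins_can_interfere(sddl):
    """True if Administrators still hold any risky right on the service."""
    return any(sid in ADMINS for sid in risky_grants(sddl))
```

The check reads only allow ACEs in the service's own DACL; deny ACEs are not subtracted, and a policy applied through GPO has to be re-checked on the target machine after it refreshes.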