
Where is a useful reference for the sdset command?

I can read and read, and I have yet to find a straightforward list of steps to say:

Service: App
User: Joe

Grant Joe start/stop/restart to App

(Why can't it be that easy?)

Note: Getting sdset wrong can cause a service to disappear from Service Manager, and only be visible to root/system (invisible to administrators!). Getting this right is important.

Jonesome Reinstate Monica

2 Answers


Someone has explained it in all of its glory here:

http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

Essentially you can get the SID of the security principal using something like Sysinternals PSGETSID, and piece together the SDDL string that is to be used with sc sdset.

If you're concerned about it going sideways, you should export a backup copy of the registry key:

HKLM\SYSTEM\CurrentControlSet\services\<service>

Greg Askew
  • Thanks! What a complete mess! Are there any tools or approaches that are 8 steps or less, and less likely to blow up? – Jonesome Reinstate Monica Dec 14 '11 at 21:10
  • Also: http://kevin.vanzonneveld.net/techblog/article/allow_windows_users_to_restart_service/ , however none of these tools meet my needs because they are too hard to use and too dangerous (too easy to create a big problem) – Jonesome Reinstate Monica Dec 14 '11 at 23:25
  • 1
    Yes, the perfect blend of obtuse utilities and SDDL syntax. I'm surprised this hasn't been asked more often. It would actually be quite easy to create a .NET console application to do this. Something like SetServiceSecurity.exe -l to list the permissions in friendly format (domainOrMachine\securityprincipal), and SetServiceSecurity.exe -a (domainOrMachine\securityprincipal) to *add* an ACE to an existing ACL, and SetServiceSecurity.exe -r to remove an ACE. If you think this would be of some general value, let me know. It would require .NET 2.0 installed to run though. – Greg Askew Dec 15 '11 at 00:53
  • Greg Askew: If you would work on this, and make it avail with source code, I would pay some modest number toward the effort. .NET will always be present, as I would be using this on Win2008 servers... – Jonesome Reinstate Monica Dec 15 '11 at 03:34
  • 1
    I think this should do it: http://setservicesecurity.codeplex.com . It does not provide for audit rules or deny rules, but that would not be difficult to add. – Greg Askew Dec 16 '11 at 00:48
  • Greg, Cool! It will be a week or so before I get to this (crazy holiday season), but you rock! – Jonesome Reinstate Monica Dec 16 '11 at 22:55
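The procedure in this answer (look up the SID, build an ACE, apply it with sc sdset, keep a copy of the old descriptor) as an added PowerShell example; this is not code from the answer, the linked post, or the SetServiceSecurity tool. It lets .NET's RawSecurityDescriptor parse and re-emit the SDDL instead of splicing the string by hand, and it writes the previous descriptor to a file before changing anything, which is the rollback the question's warning calls for. The parameter names, the rights chosen for the mask and the backup path are this example's own choices; "sc.exe" is named explicitly because in PowerShell a bare "sc" is an alias for Set-Content.

```powershell
# Added example (not the answer's own code): grant one account start/stop/pause
# rights on one service by editing the descriptor "sc sdshow" returns, with a backup.
param(
    [Parameter(Mandatory)] [string] $ServiceName,   # real service name (e.g. Spooler), not the display name
    [Parameter(Mandatory)] [string] $Account        # DOMAIN\Joe, MACHINE\Joe, or a group
)

# Service-specific access rights from winsvc.h, with the SDDL letters sc uses:
#   0x0001 CC QueryConfig   0x0004 LC QueryStatus   0x0008 SW EnumerateDependents
#   0x0010 RP Start         0x0020 WP Stop          0x0040 DT PauseContinue
#   0x0080 LO Interrogate   0x20000 RC ReadControl
# Enough to start/stop/restart and to see the service in services.msc; this mask
# (an example choice) deliberately omits DC (change config), SD (delete) and
# WD/WO (rewrite the ACL itself).
$Mask = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0010 -bor 0x0020 -bor 0x0040 -bor 0x0080 -bor 0x20000

# 1. Resolve the account to a SID (the step PsGetSid is used for in the linked post).
$sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 2. Read the current descriptor. "sc" alone is a PowerShell alias for Set-Content,
#    so the executable is named explicitly.
$current = & sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*[DSOG]:' } | Select-Object -First 1
if (-not $current) { throw "sc sdshow returned no SDDL for '$ServiceName' (wrong name, or no right to read it)" }
$current = $current.Trim()

# 3. Back it up before changing anything; this string is the rollback.
$backup = Join-Path $env:TEMP ('{0}-sddl-{1:yyyyMMdd-HHmmss}.txt' -f $ServiceName, (Get-Date))
Set-Content -Path $backup -Value $current
Write-Host "Previous SDDL saved to $backup"

# 4. Parse, append an access-allowed ACE for the SID, and serialise back to SDDL.
$sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $current
$aceArgs = @([System.Security.AccessControl.AceFlags]::None,
             [System.Security.AccessControl.AceQualifier]::AccessAllowed,
             $Mask, $sid, $false, $null)
$ace = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList $aceArgs
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# 5. Apply, and on failure print the exact rollback command.
& sc.exe sdset $ServiceName $new
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed (exit $LASTEXITCODE). Roll back with: sc.exe sdset $ServiceName $current" }
& sc.exe sdshow $ServiceName
```

Run it from an elevated prompt as `.\Grant-ServiceControl.ps1 -ServiceName Spooler -Account 'DOMAIN\Joe'` (the script name is an assumption). Because the existing ACEs are parsed and re-emitted rather than copied as text, a descriptor that sc sdshow returns with an S: audit section keeps that section, and the built-in SYSTEM and Administrators entries stay in place, which is what prevents the "service visible only to root/system" outcome the question warns about.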

Not sure if you're still looking for help here. I haven't done this for a while. We got out of the practice of delegating service control and just make a few of our app owners local admins now.

You can use Subinacl to modify the service permissions:

subinacl /service SERVICE_NAME /grant=DOMAIN\GROUP=F

Use the true service name (usually no spaces), not the display name (usually has spaces).

The SC command only works for remote service control if it has FULL control of the service. All permissions that can be delegated are listed below.

  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands

There is also a one time step to allow services to be controlled remotely if the server is 2003 SP1 or later: SP1 changed the default ACL on the service control manager. Remote use of services.msc does not work with the SP1 version of ACL. Change the ACL back to allow remote service start stop with the following command. It is wrapped here but should be entered as a single command: sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

More info about the 2003 SP1 ACL change and where that SDDL came from: http://support.microsoft.com/?id=907460

Hotfix if subinacl produces Error 1783: http://support.microsoft.com/kb/827209

You will probably need a different SCMANAGER SDDL for 2008 R1/R2 servers.

BrianCooksey
Clayton
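The rights table in this answer (subinacl letters) and the SDDL strings in both answers describe the same service access mask from two directions. As an added PowerShell example that is not code from either answer, the function below decodes any service SDDL string (the output of `sc.exe sdshow <service>`) into a readable per-ACE table with the winsvc.h right names, which is the "list in friendly format" that the comments on the first answer ask for, and a sensible check to run before and after any sc sdset. The sample descriptor at the bottom is constructed for this example: a typical default service DACL and SACL plus one operator ACE with a made-up SID. One caveat: the SCMANAGER descriptor quoted above uses the same SDDL letters for the service control manager's own rights (there CC is SC_MANAGER_CONNECT, DC is SC_MANAGER_CREATE_SERVICE, LC is SC_MANAGER_ENUMERATE_SERVICE), so this table applies to individual services, not to the SCMANAGER object.

```powershell
# Added example (not the answer's own code): decode a service SDDL string into
# a table of principals and the service rights each ACE grants or audits.

# Service object access rights (winsvc.h) keyed by bit, with their SDDL letters.
$ServiceRightNames = [ordered]@{
    0x00000001 = 'CC QueryConfig'
    0x00000002 = 'DC ChangeConfig'
    0x00000004 = 'LC QueryStatus'
    0x00000008 = 'SW EnumerateDependents'
    0x00000010 = 'RP Start'
    0x00000020 = 'WP Stop'
    0x00000040 = 'DT PauseContinue'
    0x00000080 = 'LO Interrogate'
    0x00000100 = 'CR UserDefinedControl'
    0x00010000 = 'SD Delete'
    0x00020000 = 'RC ReadControl'
    0x00040000 = 'WD WriteDac'
    0x00080000 = 'WO WriteOwner'
    0x10000000 = 'GA GenericAll'
    0x20000000 = 'GX GenericExecute'
    0x40000000 = 'GW GenericWrite'
    0x80000000 = 'GR GenericRead'
}

function Convert-ServiceSddl {
    param([Parameter(Mandatory)] [string] $Sddl)
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $sections = @(
        @{ Name = 'DACL'; Acl = $sd.DiscretionaryAcl },
        @{ Name = 'SACL'; Acl = $sd.SystemAcl }
    )
    foreach ($section in $sections) {
        if ($null -eq $section.Acl) { continue }
        foreach ($ace in $section.Acl) {
            # AccessMask is a signed int; widen it so the generic (high) bits compare cleanly.
            $mask = [uint32]($ace.AccessMask -band 0xFFFFFFFF)
            $rights = foreach ($bit in $ServiceRightNames.Keys) {
                if (($mask -band $bit) -ne 0) { $ServiceRightNames[$bit] }
            }
            # Well-known SIDs (SY, BA, AU, PU, ...) translate to names; unknown ones stay as SID strings.
            try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $ace.SecurityIdentifier.Value }
            [pscustomobject]@{
                Section   = $section.Name
                Type      = $ace.AceType          # AccessAllowed, AccessDenied, SystemAudit
                Principal = $who
                Mask      = '0x{0:X}' -f $mask
                Rights    = ($rights -join ', ')
            }
        }
    }
}

# Constructed sample: a common default service descriptor plus one operator ACE
# whose SID (S-1-5-21-1000-2000-3000-1001) is made up for this example.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLORC;;;S-1-5-21-1000-2000-3000-1001)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

Convert-ServiceSddl -Sddl $SampleSddl | Format-Table -AutoSize
```

On a live host replace the sample with `(sc.exe sdshow <service> | Where-Object { $_ -match '^\s*[DSOG]:' }).Trim()`; an entry for Administrators that has lost RC, or a DACL where only SY remains, is exactly the state the question's note describes, and this listing shows it before the change is applied.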