How to grant users rights to manage services in Windows 2000 (288129)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Professional SP1

This article was previously published under Q288129

SUMMARY

This article describes several methods for granting users the rights to manage services in Windows 2000. By default in Windows 2000, only Administrators and Power Users can start, stop, or pause services. This article describes techniques for granting these rights to other users and groups.


Method 1: Grant rights using Group Policy

It is possible to give these rights to users by applying Group Policy. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

256345 Configuring Group Policies to set security for system services

The article gives detailed step-by-step instructions. However, it does not explicitly state that there are no corresponding settings in Local Group Policy.


Method 2: Grant rights using Security templates

This method is very similar to Method 1, but it uses Security templates to change the permissions on system services. To do this, follow these steps:
  1. Click Start, click Run, and then type MMC.
  2. On the Console menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Select the Security Configuration and Analysis snap-in, and then click Add.
  5. Click Close, and then click OK.
  6. In the MMC, right-click the Security Configuration and Analysis item, and then click Open Database.
  7. Give a name for the database, and then browse to where you would like to store it.
  8. When prompted, select a Security Template to import. For example, the "basicwk.inf" template contains values for the standard settings found on a Windows 2000 Professional computer.
  9. In the MMC, right-click the Security Configuration and Analysis item, and then click Analyze Computer Now. When prompted, choose a location for the log file.
  10. After analysis is complete, configure the service permissions as follows:
    1. Double-click the System Services branch in the MMC.
    2. Right-click the service that you want to change, and then click Security.
    3. Click Edit Security.
    4. Add user accounts as required, and configure the permissions for each account. By default, the user will be granted "Start, stop and pause" permissions.
  11. To apply the new settings to the local computer, simply right-click the Security Configuration and Analysis item, and then click the Configure Computer Now option.

It is also possible to export your modified settings from the MMC and apply them to multiple machines using the SECEDIT command-line tool that ships with Windows 2000. For more information on using SECEDIT, type the following at the command prompt:

secedit /?

NOTE: Applying the settings in this way will re-apply all of the settings in the template and so may override other file, registry, or service permissions set by other means.
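
Because SECEDIT re-applies everything in the template, it is worth reviewing what an exported template grants on each service before applying it to other machines. The following Python code is an added example, not part of the original article: it assumes the template stores service permissions in its [Service General Setting] section as name, startup type and an SDDL string with two-letter right codes, and it reports each entry using the Subinacl access letters listed under Method 3. The sample template and its SIDs are constructed.

```python
import re

# SDDL right code -> Subinacl access letter from the article's list
SDDL_TO_LETTER = {"CC": "Q", "DC": "C", "LC": "S", "SW": "E", "RP": "T",
                  "WP": "O", "DT": "P", "LO": "I", "CR": "U", "RC": "L"}
# Codes that allow changing the service's configuration or its permissions
RECONFIGURE = {"DC", "WD", "WO", "GA", "GW"}
TRUSTED = {"BA", "SY"}  # Builtin Administrators, Local System

# Constructed sample template; the SIDs are made-up placeholders
SAMPLE = r'''[Unicode]
Unicode=yes
[Service General Setting]
Spooler,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;RPWPDT;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
"Alerter",3,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCRPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
[Registry Keys]
'''

def service_aces(template_text):
    """Yield (service, ace_type, trustee, letters, codes) for each DACL entry."""
    in_section = False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        parts = [p.strip().strip('"') for p in line.split(",", 2)]
        if not in_section or line.startswith(";") or len(parts) != 3:
            continue
        name, _startup, sddl = parts
        dacl = sddl.partition("D:")[2].partition("S:")[0]  # ignore owner, group, SACL
        for ace in re.findall(r"\(([^)]*)\)", dacl):
            fields = ace.split(";")
            if len(fields) != 6:
                continue  # malformed ACE: skip rather than guess
            codes = re.findall("[A-Z]{2}", fields[2])
            letters = "".join(SDDL_TO_LETTER.get(c, "") for c in codes)
            yield name, fields[0], fields[5], letters, set(codes)

def risky_grants(template_text):
    """Allow ACEs that give a non-administrative trustee reconfigure rights."""
    return [(svc, who, letters)
            for svc, kind, who, letters, codes in service_aces(template_text)
            if kind == "A" and who not in TRUSTED and codes & RECONFIGURE]

if __name__ == "__main__":
    for svc, who, letters in risky_grants(SAMPLE):
        print(f"{svc}: {who} holds {letters}")
```

An entry decoded as TOP corresponds to the default "Start, stop and pause" permissions; risky_grants reports non-administrative trustees that hold C (Service Change Configuration) or the right to rewrite the service's permissions or owner.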


Method 3: Grant rights using Subinacl.exe

The final method for assigning rights to manage services is to use the Subinacl.exe utility from the Windows 2000 Resource Kit. The syntax for this is:

SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

Notes

  • The user executing this command must have administrator rights in order for it to complete successfully.
  • If "MachineName" is omitted, the local machine is assumed.
  • If "DomainName" is omitted, the local machine is searched for the account.
  • Although the syntax example indicates a user name, this will work for user groups as well.
  • The values that 'Access' can take are:
       F : Full Control
       R : Generic Read
       W : Generic Write
       X : Generic eXecute
       L : Read controL
       Q : Query Service Configuration
       S : Query Service Status
       E : Enumerate Dependent Services
       C : Service Change Configuration
       T : Start Service
       O : Stop Service
       P : Pause/Continue Service
       I : Interrogate Service
       U : Service User-Defined Control Commands
  • If 'Access' is omitted then 'F (Full Control)' is assumed.
  • Subinacl supports similar functionality in relation to files, folders, and registry keys. Refer to the Windows 2000 Resource Kit for more information.
  • The service name should be the "short name," as used for the service-specific key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<ServiceName>

    If the service name contains spaces, the whole parameter should be enclosed in quotation marks. For example:

    "\\MachineName\Service Name With Spaces"

Automating Multiple Changes

Subinacl has no option that sets the required access for all services on a given computer. However, the following sample script demonstrates one way the above method could be extended to automate the task:

   strDomain   = Wscript.Arguments.Item(0) 'domain where computer account is held
   strComputer = Wscript.Arguments.Item(1) 'computer NetBIOS name
   strSecPrinc = Wscript.Arguments.Item(2) 'user's login name as in: DomainName\UserName
   strAccess   = Wscript.Arguments.Item(3) 'access granted, as per the list in the KB

   'bind to the specified computer
   Set objTarget = GetObject("WinNT://" & strDomain & "/" & strComputer & ",computer")

   'create a shell object. Needed to call subinacl later
   Set objCMD = CreateObject("Wscript.Shell")

   'retrieve a list of services
   objTarget.Filter = Array("Service")

   For Each Service In objTarget

      'call subinacl to set the permissions on the specified computer;
      'the service path is quoted because service names can contain spaces
      command = "subinacl /service ""\\" & strComputer & "\" & Service.Name & """ /grant=" & strSecPrinc & "=" & strAccess

      'run hidden and wait, so the report below follows the command
      objCMD.Run command, 0, True

      'report the services that have been changed
      Wscript.Echo "User rights changed for " & Service.Name & " service"
   Next

Notes

  • The script should be saved as a .vbs file, such as "Services.vbs," and called like this:
       CSCRIPT Services.vbs DomainName ComputerName UserName Access
  • Comment out or remove the line 'Wscript.Echo ...' if no feedback is required.
  • This sample does no error checking, so it should be used carefully.
  • The Windows 2000 Resource Kit documentation mentions another utility (svcacls.exe) that performs the same service management rights manipulation as Subinacl. This is a documentation error.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

269875 SVCACLS.EXE is not included with the Windows 2000 resource kits


Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords:kbenv kbHOWTOmaster KB288129 kbAudITPro