kvz.io
Allow Windows Users to Restart Service

Author: Kevin van Zonneveld (Twitter: @kvz)

Let's say you want your local restricted users to be able to restart specific services. On Linux you'd probably type visudo. In Windows, I found, you have to dig a little deeper into the system and really do your research. I needed several sites, programs and articles, so I thought it might be useful to others if I bundled all the required information in one place. Here it is.

Warning

This was tested on a Windows 2003 Server STD. It may not work on other versions. Also, this is serious stuff. You can seriously mess up your system using these pointers. Study before implementing anything. I warned you.

Prerequisite: Resource Kit Tools

In this article we're going to change the SDDL (security descriptor) of certain objects. We can do this with a tool called sc.exe. It's distributed with the Windows Server 2003 Resource Kit Tools.

So first we need to:

  • Download the Windows Server 2003 Resource Kit Tools
  • Install it
  • Open a command prompt (cmd.exe)
  • Change to the installation directory (cd "C:\Program Files\Windows Resource Kits\Tools")

Prerequisite: Access to SC Manager

As a prerequisite, your users need to be able to access the Service Control Manager (scmanager). If you want your changes to be user specific, you might first want to determine the SID of the user. Looking up a SID might return:

S-1-5-21-151122097-1987018581-353216475-1003

We can optionally use this SID later on.

Lookup Current Scmanager SDDL

The security descriptor definition language (SDDL) defines who is allowed to do what. If we are going to change that (in this case for the scmanager), we first want to see what the original SDDL is. So in the Resource Kit Tools directory execute:

$ sc sdshow scmanager

And that might return:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

(all on one line)

Change Scmanager SDDL

Now, based on the original SDDL of scmanager, we're going to create a new one that includes the SID of our user (see "Prerequisite: Access to SC Manager") by following these rules:

  • Copy the Interactive User ACE string: (A;;CCLCRPRC;;;IU)
  • Change the IU to the SID of the user or group that you wish to grant access: (A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
  • Insert the new ACE string before the S: section, like so:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

(all on one line)

Set New Scmanager SDDL

In the Resource Kit Tools directory execute:

$ sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

(all on one line)

Your user now has remote access to the scmanager.

Access to Your Service

Now we must grant users the right to start and stop your service. Let's take Tomcat for example.

Lookup Key Name

First we must look up the internal service key name. This is not always what is displayed in the user interface. To find this key, in the Resource Kit Tools directory execute:

$ sc GetKeyName "Apache Tomcat"

And that might return: Tomcat5

Allow All Authenticated Users to Restart Service

We've already seen how to isolate a specific user. In the next example let's allow all Authenticated Users (a.k.a. everyone / world) to start, stop & query. In the Resource Kit Tools directory execute:

$ sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

(all on one line)
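As an added example (not from the original article), here is a small Python script that does in code what the two sdset steps do by hand. It splits an SDDL string into its D: and S: sections and individual ACEs, copies the Interactive User (IU) allow ACE for a given SID and appends it before the S: section (the "Change Scmanager SDDL" edit), and decodes a service ACE's rights letters (LC, RP, WP, ...) into the SERVICE_* access rights so you can check what the Tomcat5 descriptor really grants to Authenticated Users before and after a change. The SDDL strings and the SID are the article's sample values; the letter-to-right table is the standard one for service objects; the function names are my own.

```python
"""Added example, not part of the original article: parse the SDDL strings
the article edits by hand, append an allow ACE for a SID before the S:
section, and decode a service ACE's rights letters into SERVICE_* rights.
The SDDL strings and the SID below are the article's sample values."""
import re

# Two-letter access-right tokens as used in service security descriptors.
# For the scmanager object the same letters select SC_MANAGER_* bits instead
# (e.g. CC = SC_MANAGER_CONNECT), so decode_rights() applies to services only.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Sample descriptors copied from the article (sc sdshow scmanager / Tomcat5).
SCM_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
TOMCAT_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
USER_SID = "S-1-5-21-151122097-1987018581-353216475-1003"  # the article's sample SID

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl):
    """Return (dacl_text, sacl_text) for a 'D:...S:...' descriptor.
    Whitespace and linebreaks (as in wrapped listings) are dropped first;
    sacl_text is '' when there is no S: section."""
    sddl = "".join(sddl.split())
    if not sddl.startswith("D:"):
        raise ValueError("expected the descriptor to start with D:")
    dacl, _, sacl = sddl[2:].partition("S:")
    return dacl, sacl


def parse_acl(text):
    """'AR(A;;LCRPWP;;;AU)...' -> ('AR', [ace, ...]); each ace is a dict with
    the type (A=allow, D=deny, AU=audit), flags, rights and trustee SID."""
    head, _, rest = text.partition("(")
    aces = []
    for fields in ACE_RE.findall("(" + rest):
        parts = fields.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({fields})")
        aces.append({"type": parts[0], "flags": parts[1],
                     "rights": parts[2], "sid": parts[5]})
    return head, aces


def decode_rights(rights):
    """Split 'LCRPWP' into two-letter tokens and name each service right.
    Generic/unknown tokens (GA, KA, FA, ...) and hex masks are returned as-is."""
    if rights.startswith("0x"):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [SERVICE_RIGHTS.get(t, t) for t in tokens]


def grant_like(sddl, template_sid, new_sid):
    """Copy the allow ACE of template_sid (the article uses IU) and append it
    for new_sid at the end of the DACL, i.e. just before the S: section,
    which is exactly the manual edit described in 'Change Scmanager SDDL'."""
    dacl, sacl = split_sections(sddl)
    _, aces = parse_acl(dacl)
    tmpl = next((a for a in aces if a["type"] == "A" and a["sid"] == template_sid), None)
    if tmpl is None:
        raise ValueError(f"no allow ACE for {template_sid} in the DACL")
    new_ace = f"(A;{tmpl['flags']};{tmpl['rights']};;;{new_sid})"
    return "D:" + dacl + new_ace + ("S:" + sacl if sacl else "")


def can_start_stop(service_sddl, sid):
    """True when an allow ACE for sid carries RP (start) and WP (stop) and no
    deny ACE for the same sid takes either away.  Group membership is not
    resolved: checking 'AU' answers for Authenticated Users as a whole."""
    dacl, _ = split_sections(service_sddl)
    _, aces = parse_acl(dacl)
    allowed, denied = set(), set()
    for ace in aces:
        if ace["sid"] == sid:
            target = allowed if ace["type"] == "A" else denied
            target.update(decode_rights(ace["rights"]))
    needed = {"SERVICE_START", "SERVICE_STOP"}
    return needed <= allowed and not (needed & denied)


if __name__ == "__main__":
    print(grant_like(SCM_SDDL, "IU", USER_SID))
    for ace in parse_acl(split_sections(TOMCAT_SDDL)[0])[1]:
        print(f"{ace['sid']:>3}: {', '.join(decode_rights(ace['rights']))}")
    print("AU may start/stop Tomcat5:", can_start_stop(TOMCAT_SDDL, "AU"))
    print("IU may start/stop Tomcat5:", can_start_stop(TOMCAT_SDDL, "IU"))
```

Run it and compare its first output line with the sdset command in "Set New Scmanager SDDL"; the decoded Tomcat5 listing shows that AU gets only query status, start and stop, while BA and SY keep full control, which is what you want to verify before pasting a hand-edited descriptor into sc sdset.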

Voila! Your users have permission to start and stop the service, even though they are just restricted users. Why not test it by logging in as a restricted user and restarting your service?

More Options

If my examples do not cut it for you, then you'll have to familiarize yourself with the Security Descriptor Definition Language (SDDL); here are some useful sources to get you going.

Sources

As always, if I overlooked something, you know better ways or find errors, please let me know!

Legacy Comments (11)

These comments were imported from the previous blog system (Disqus).

Jason Benway

Thanks for this great information, but I need a user to restart the printer spooler on a server. I don't want them to terminal into the server, just use the services mmc and connect to the server to restart the service. He gets an access denied trying to connect to the server. Any ideas?
Thanks, jb

Kevin

@ Jason Benway: This was for local use only and I couldn't tell you how this would translate through MMC. I lack the experience, time & will for that ;)
Though let me tell you, if I had to make something like that, I would probably either:
1. call a real MS expert
2. fly another route: code something that's running on the server and has enough privileges to restart the service. And have it accept commands from your user. Either by custom socket connection (of course this would require developing a GUI as well), web interface, or something like that. Hope it helps :)

Dimm

Biggest thanks Kevin, this is the only one real solution ever!

Milan

Kevin,
Thanks for a great tip, it helped us a lot.
Now we would like to allow more than one security group to access scmanager. Can you give us a hint?

Kev van Zonneveld

@ Milan: Not that I've tried it, but wouldn't it be possible to lookup all the SIDs and repeat the steps?

go-gulf

How could you come up with such a brilliant idea. God must have faith in you and give you a special brain compared to others.
http://www.go-gulf.com

Good Stuff

Thanks for the guidance! This was a great help to me. Hard to believe what you have to go through to change service security these days...

Olof Sanner

To Jason:
Try PSService, part of PSTools, and make a batch file to restart the service. You still need the permissions to restart it as stated in the article, but that together would make it work for you.
Even better: if you grant access to SCManager for a security group (domain local) called SCManagerAccessSERVERNAME, then you could easily add user groups or users to that group later.
You can also make a security group called RestartServiceSERVICENAME-SERVERNAME (domain local), run gpmc from SERVERNAME, change the scope to $Servername and edit the GPO CompConf/WinSet/SecSet/SysServ/SERVICENAME.
Add access read and restart to the security group: RestartServiceSERVICENAME-SERVERNAME
Also remember to add the other security groups that should have access to the service (otherwise the service will stop working).
Then you just add the wanted users to the two groups. This way it's a lot easier to change the users that you want to be able to restart a service.

Kev van Zonneveld

@ Olof Sanner: Some great ideas, Olof. Thank you for sharing.

Matthew JLCIT

Hi, old thread but I kinda know how to do this so thought I'd share. The easy way to restart a remote service with admin privilege (I will give the steps, google each step for specifics as I can't remember off the top of my head) ->
1. Create a batch file to restart the service on the remote machine using the sc command
2. Create a scheduled task to run the above batch file, which does not run on any schedule. Set the task to run as admin and enter credentials.
3. Create a shortcut to the scheduled task
e.g. shortcut
C:\Windows\System32\schtasks.exe /run /tn "\MyTaskSchedulerFolder\Task1"
4. Place the shortcut on the desktop

Kev van Zonneveld

@ Matthew JLCIT: Thanks a lot for sharing, I'm sure it will help others who come by.