Let's say you want your local restricted users to be able to restart specific services. On Linux you'd probably type visudo. On Windows, I found, you have to dig a little deeper into the system and really do your research. I needed several sites, programs and articles, so I thought it might be useful to others if I bundled all the required information in one place. Here it is.

Warning

This was tested on a Windows 2003 Server STD. It may not work on other versions. Also, this is serious stuff. You can seriously mess up your system using these pointers. Study before implementing anything. I warned you.

Prerequisite: Resource Kit Tools

In this article we're going to change the SDDL properties of certain objects. We can do this with a tool called sc.exe. It's distributed with the Windows Server 2003 Resource Kit Tools.

So first we need to:

  • Download the Windows Server 2003 Resource Kit Tools
  • Install it
  • Open a command prompt (cmd.exe)
  • Change to the installation directory (cd "C:\Program Files\Windows Resource Kits\Tools")

Prerequisite: Access to SC Manager

Your users need to be able to access the service control manager (scmanager) as a prerequisite. If you want your changes to be user specific, you first need to determine the SID of the user. That lookup might return something like:

S-1-5-21-151122097-1987018581-353216475-1003

We can optionally use this SID later on.

Lookup Current Scmanager SDDL

The security descriptor definition language (SDDL) defines who is allowed to do what. If we are going to change that (in this case for the scmanager), we first want to see what the original SDDL is. So in the Resource Kit Tools directory execute:

$ sc sdshow scmanager

And that might return:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)
(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

(without the linebreaks)

Change Scmanager SDDL

Now, based on the original SDDL of scmanager, we're going to create a new one that includes our user (the SID determined earlier) by following these rules:

  • Copy the Interactive User ACE string (A;;CCLCRPRC;;;IU)
  • Change the IU to the SID of the user or group that you wish to grant access: (A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
  • Insert the new ACE string before the S: like so:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)
(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

(without the linebreaks)

Set New Scmanager SDDL

In the Resource Kit Tools directory execute:

$ sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)
(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
(A;;CCLCRPRC;;;S-1-5-21-151122097-1987018581-353216475-1003)
S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

(without the linebreaks)

Your user now has remote access to the scmanager.

Access to Your Service

Now we must grant users the right to start and stop your service. Let's take Tomcat for example.

Lookup Key Name

First we must look up the internal service key name. This is not always the same as the display name shown in the user interface. To find this key, in the Resource Kit Tools directory execute:

$ sc GetKeyName "Apache Tomcat"

And that might return: Tomcat5

Allow All Authenticated Users to Restart Service

We've already seen how to isolate a specific user. In the next example let's allow all Authenticated Users (a.k.a. everyone / world) to start, stop and query the service. In the Resource Kit Tools directory execute:

$ sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

(without the linebreaks)

Voila! Your users have permission to start and stop the service, even though they are just restricted users. Why not test it by logging in as a restricted user and restarting your service?
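Both the copy-the-IU-ACE rule for scmanager and the Tomcat descriptor above are string surgery on SDDL, so here is a small Python helper (added for this article, not part of it) that performs that surgery and decodes which rights a trustee ends up with, so you can check a descriptor before you sdset it. It embeds the descriptors and SID shown above and assumes the standard service-object meanings of the rights letters; the same letters mean something else on the scmanager object itself.

```python
import re

# Standard SDDL letter codes for service-object rights (on the scmanager object the same letters mean other things).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Descriptors and SID as printed in this article (linebreaks removed).
SCM_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
USER_SID = "S-1-5-21-151122097-1987018581-353216475-1003"
TOMCAT_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def split_sddl(sddl):
    """Split 'D:...S:...' into the DACL part and the (possibly empty) SACL part."""
    dacl, sep, sacl = sddl.partition("S:")
    return dacl, sep + sacl

def dacl_aces(sddl):
    """Yield (ace_type, ace_flags, rights, trustee) for every ACE in the DACL."""
    dacl, _ = split_sddl(sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl):  # skips DACL flags such as AR
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        yield fields[0], fields[1], fields[2], fields[5]

def rights_of(sddl, trustee, names=SERVICE_RIGHTS):
    """Rights granted to a trustee by allow ('A') ACEs, decoded via names (pass {} for raw codes)."""
    codes = set()
    for ace_type, _flags, rights, sid in dacl_aces(sddl):
        if ace_type == "A" and sid == trustee:
            codes.update(re.findall(r"..", rights))  # rights are two-letter pairs
    return {names.get(code, code) for code in codes}

def grant_like(sddl, new_sid, template_trustee="IU"):
    """Copy the template trustee's allow ACE for new_sid and insert it before 'S:'."""
    dacl, sacl = split_sddl(sddl)
    for ace_type, flags, rights, sid in dacl_aces(sddl):
        if ace_type == "A" and sid == template_trustee:
            return dacl + "(%s;%s;%s;;;%s)" % (ace_type, flags, rights, new_sid) + sacl
    raise ValueError("no allow ACE for %s to copy" % template_trustee)
```

grant_like(SCM_SDDL, USER_SID) reproduces the scmanager descriptor built by hand above, and rights_of(TOMCAT_SDDL, "AU") confirms that Authenticated Users get exactly query status, start and stop.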

More Options

If my examples do not cut it for you, you'll have to familiarize yourself with the Security Descriptor Definition Language (SDDL). Here are some useful sources to get you going.

Sources

As always, if I overlooked something, you know better ways or find errors, please let me know!