Delegating Minimal Permissions to Access Windows Services


You might find this information handy if you work with Windows Services, and wish to grant some basic permissions to user accounts.  In my scenario, I wanted to be able to list the status of several key Windows Services used in my overall architecture (for a diagnostic website/control panel) and to be able to restart the service(s) should they stop for some reason.

This has become increasingly difficult as, over time, Windows Server has become further locked down.  By default, local users and non-administrative accounts do not even possess the rights to enumerate local services, let alone query their status or restart them.  Luckily, there is a way to remedy this.  Please note that this applies on a per-account basis; I have not found a solution which applies to security groups.

You'll need a special utility (called Subinacl) to grant permissions; you can download a copy from Microsoft here.  Note that you will require local administrative privileges to perform the following steps.

The first thing you need to do is to determine the SID (security identifier) of the account you wish to grant permissions to [1].  This can be achieved in a number of ways, the easiest being the execution of a little VBS script.  Copy and paste the VBS below into a text file, save it with a .vbs extension, and double-click the file to execute it.

strComputer = "."   ' or the full name of the machine
' Connect to the WMI CIMv2 namespace on the target machine
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Look up the account by user name and domain (or local machine name)
Set objAccount = objWMIService.Get( _
    "Win32_UserAccount.Name='<USERNAME>',Domain='<DOMAIN OR LOCAL MACHINE NAME>'")
' Print the SID, e.g. S-1-5-21-...
Wscript.Echo objAccount.SID

Once you've obtained the SID for the account you wish to grant permissions to, read the following blog article [2] and scroll down to the section titled "Grant access to run the Services Control Panel".  This blog article will take you the rest of the way; I strongly suggest reading through it in full.

If, however, you’d prefer a quick summary of the remaining steps, keep reading below.

  1. Open a Command Prompt and execute the following statement:

    sc sdshow scmanager

  2. Copy the output (SDDL) to a text editor, it will look something like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  3. Copy the ACE (the parenthesised section of the SDDL) that ends in IU (interactive users) and paste it just before the S: in the SDDL line.
  4. In the pasted copy, replace 'IU' with the SID of the user you looked up previously. The result may look like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  5. Run the following command to grant the permission to enumerate local Windows services to the specified User Account/SID:

    sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

You'll need to know the "short name" (key name) of the Windows Service you want to grant permissions on.  To find it quickly, type the following command, passing the service's display name:

sc getkeyname "<Service Name>"

You can also get the name from the Services applet in the Control Panel –> Administrative Tools.

Then, using subinacl (which you previously downloaded and installed, right?) you can grant permissions to your user account like so:

subinacl /verbose /service "<short name of service>" /grant=<DOMAIN or MACHINE>\<user account>=F

Note that "=F" grants full control of the service, which is more than the query-status and restart rights the scenario above actually needs.
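Steps 1 to 5 above, carried out as an added PowerShell example (not code from the original post or from the linked articles). It goes one step beyond the post by applying the same sc sdset technique to the individual service with only the status/start/stop rights, instead of subinacl "=F". The account name, the service name (W32Time) and the helper function names are assumptions.

```powershell
# Added example, not code from the original post or its linked articles.
# Assumptions: run from an elevated PowerShell, sc.exe on PATH, and the
# account/service names below are placeholders to substitute.

# Insert one access-allowed ACE into the DACL of an SDDL string, just before the
# "S:" (SACL) separator; does nothing if that SID already has an ACE, so the
# resulting "sc sdset" is safe to re-run.
function Add-SddlAce {
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [string] $Sid,
        [Parameter(Mandatory)] [string] $Rights   # SDDL rights letters, e.g. CCLCRPRC
    )
    if ($Sddl -match "\(A;[^)]*;;;$([regex]::Escape($Sid))\)") { return $Sddl }
    $ace   = "(A;;$Rights;;;$Sid)"
    $split = $Sddl.IndexOf('S:')
    if ($split -lt 0) { return $Sddl + $ace }      # no SACL present: append to the DACL
    return $Sddl.Substring(0, $split) + $ace + $Sddl.Substring($split)
}

# Resolve an account name to its SID (does the job of the VBS lookup above).
function Get-AccountSid([string] $Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# "sc sdshow" prints a blank line and then the SDDL; join, trim and sanity-check it.
function Get-ServiceSddl([string] $Name) {
    $text = ((sc.exe sdshow $Name) -join '').Trim()
    if ($text -notmatch 'D:\(') { throw "sc sdshow $Name did not return an SDDL: $text" }
    return $text
}

$sid = Get-AccountSid 'MYDOMAIN\svc-dashboard'     # placeholder account

# Steps 1-5 above: give this SID the same SCM rights as interactive users
# (CCLCRPRC = connect, enumerate services, query lock status, read control).
$scm = Add-SddlAce -Sddl (Get-ServiceSddl 'scmanager') -Sid $sid -Rights 'CCLCRPRC'
sc.exe sdset scmanager $scm

# Per-service grant without subinacl "=F": CC query config, LC query status,
# RP start, WP stop, RC read control. That covers "show status and restart"
# but not changing the service's configuration or deleting it.
$svc = Add-SddlAce -Sddl (Get-ServiceSddl 'W32Time') -Sid $sid -Rights 'CCLCRPWPRC'
sc.exe sdset W32Time $svc
```

The same SDDL letters mean different rights on the service control manager and on an individual service (CC is "connect" on scmanager but "query config" on a service), so check the rights against the object type before copying an ACE from one to the other.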

A big thanks to the two blog entries I've referenced for steering the way here.  I found the VBS script an easier way to look up the user SID than the one referenced in the second blog article.

To grant enumeration rights to a security group, you may be able to follow the steps outlined in the following blog article [3], though I have not tested it out myself.

Source Articles:

[1] http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx
[2] http://lanestechblog.blogspot.com/2010/07/how-to-delegate-services-control-in.html
[3] http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20allow%20users%20to%20enumerate%20service%20remotely.aspx


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 18 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.


2 thoughts on "Delegating Minimal Permissions to Access Windows Services"

  • Jay Adams

    This does work with groups. Using well known SIDs is the best approach to ensure compatibility across different versions of Windows Server. I've done this type of thing for several years in a large enterprise environment and can tell you first hand that it starts out good, but becomes hard to maintain across thousands of services and hundreds of users. I'm building a web based systems management tool to centralize control of who can start and stop services using RBAC. It's called System Frontier. I'm planning to start beta testing in January 2012 and could use some experienced feedback. Great article and thanks!