Overview
Sometimes you need to grant a non-administrative user or group access to manage the state of a Windows service.
DISCLAIMER
This article uses some advanced administration steps. Any mistakes could put your service or system in an inoperable state.
Sanity-check the steps below; I tend to paraphrase, so use your best judgment. If you're unsure of what this article is doing, DON'T DO IT!
I AM NOT RESPONSIBLE FOR ANY DAMAGE YOU MAY CAUSE BY FOLLOWING THIS ARTICLE!
Security Templates Snap-In
- Open MMC.exe as administrator
- Add Snap-In 'Security Templates'
- Right click -> 'New Template'
- Expand the tree and click 'System Services'
Find the service(s) whose permissions you want to modify and open them for editing. Check [X] 'Define this policy in the template', then click the 'Edit Security' button. Add permissions to your liking and click OK when finished. Right click the template and click 'Save'.
CAUTION: Make sure at least one account in your permissions has 'Full Control'; otherwise you'll make it difficult to regain access to the service.
Security Configuration and Analysis Snap-In
While still in the elevated MMC:
- Add Snap-In 'Security Configuration and Analysis'
- Right click -> 'Open Database'
- In the file dialog, navigate to the path you'd like to save your new security database, enter a name in the 'File name:' field and click 'Open'
- You should be prompted to select a Security Template to associate to the new DB, select the .inf file from the previous step.
- Right click -> 'Analyze Computer Now...'
- Expand the tree and click 'System Services'. You should see a list of services with a red circle in the icon; this indicates deviations from the security template.
- Right click -> 'Configure Computer Now...'
At this point your service permissions should be set. Have the non-admin user test out their new access. If there are any errors, check the Security Configuration logs (probably saved in a log folder in the parent folder of where you saved the Template).
NOTE: When I checked the 'System Services' I got an error saying something to the effect that it couldn't read the template. Fortunately, I did this on a test server so I ignored the error and the service permissions applied just fine. It also pays to have a current backup/snapshot.
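Added example (not part of the original article): a PowerShell check of the service ACL after 'Configure Computer Now...', confirming that some account still holds Full Control and listing exactly which rights the delegated group received. The helper name Get-ServiceAclReport, the sample SDDL string and the group SID are constructed for illustration, and 'Full Control' is assumed to correspond to SERVICE_ALL_ACCESS.

```powershell
# Added example, not from the original article. Service access-right bits (winsvc.h / winnt.h).
$ServiceRights = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004
    EnumerateDependents = 0x0008; Start = 0x0010; Stop = 0x0020
    PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}
$FullControl = 0xF01FF   # SERVICE_ALL_ACCESS (assumed to be what 'Full Control' grants)
$Sensitive   = 0xC0002   # ChangeConfig | WriteDac | WriteOwner: reconfigure the service or its ACL

function Get-ServiceAclReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask    = $ace.AccessMask
        $allowed = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        [pscustomobject]@{
            Sid         = $ace.SecurityIdentifier.Value
            Allowed     = $allowed
            FullControl = $allowed -and (($mask -band $FullControl) -eq $FullControl)
            Sensitive   = $allowed -and (($mask -band $Sensitive) -ne 0)
            Rights      = ($ServiceRights.Keys | Where-Object { $mask -band $ServiceRights[$_] }) -join ','
        }
    }
}

# Constructed sample in the format printed by `sc.exe sdshow`; the last SID is a made-up group SID.
# On a live system: $sddl = ((sc.exe sdshow '<ServiceName>') -join '').Trim()
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;LCRPWPLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

$report = Get-ServiceAclReport -Sddl $sddl
$report | Format-Table -AutoSize

# The article's CAUTION: at least one account must keep Full Control.
if (-not ($report | Where-Object FullControl)) {
    Write-Warning 'No ACE grants Full Control; regaining access to the service will be difficult.'
}
# Delegated (non-SYSTEM, non-Administrators) ACEs should not hold the sensitive rights.
$report | Where-Object { $_.Sensitive -and $_.Sid -notin 'S-1-5-18', 'S-1-5-32-544' } |
    ForEach-Object { Write-Warning "$($_.Sid) can reconfigure the service or its ACL: $($_.Rights)" }
```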
Suggestions
- I highly advise using a group for permissions, especially in this scenario. It may be that you only need to grant one user access to restart a service, but if you have to add another (say because the previous user got hit by a bus), you just need to add the new user to the group rather than jump through all the MMC/Security Template nonsense all over again. Spend the extra 30 seconds and do your future self a huge favor.
- Managing permissions on Windows Services is a major pain. I don't know why MS didn't add a security tab to the Services MMC. That said, you should absolutely take a backup/snapshot of the system before making changes to services. If you lock yourself out of a service, reverting a snapshot is way faster than trying to figure out how to re-apply default permissions to a service.