Stopping and starting services remotely - without local admin righ

Discussion in 'Windows Server' started by dinny, Oct 31, 2005.

  1. dinny

    dinny Guest

    Hiya,

    I have a large number of windows servers running services (such as print
    spoolers) that I wish non-admin staff - such as the helpdesk to be able to
    stop and start remotely (without having to add them to the local admin group)

    I have used the following solution successfully on w2k sp4 and w2k3

    Apply permissions to the service in question to the group in question by
    using subinacl

    eg subinacl /service spooler /grant=domain\HelpdeskAdmins=STO

    I then use a script to call SC

    eg sc \\servername start "Spooler"

    This no longer seems to work on w2k3 sp1.

    I appreciate that this could be classed as a security enhancement - but
    forcing people to be added to local admin when all they need to do is control
    a single service seems like a backwards step?

    Does anyone have a solution to administer services remotely on w2k3 sp1 that
    does not require local admin rights?

    Cheers

    Dinny
     
    dinny, Oct 31, 2005
    #1
    1. Advertisements

  2. Have you thought about adding them to the Print Operators or Server Operators
    groups? These groups specifically have the ability to stop and start some
    services (but not all) as well as manage the system to an extent. They do
    not have any group or account management capabilities.

    The Server operators does have the ability to shut down the system, create
    shared resources and such. You can likely use a group policy or ACL to
    prevent some things like the ability to log on locally to a Domain
    Controller.
     
    Paul Hinsberg, Nov 1, 2005
    #2
    1. Advertisements

  3. To be safe, try:
    subinacl /service spooler /grant=domain\HelpdeskAdmins=STROP

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    http://www.jsiinc.com
    http://www.jsifaq.com
     
    Jerold Schulman, Nov 1, 2005
    #3
  4. dinny

    dinny Guest

    Hiya,

    I have tried adding the non-admin account to every other built in group
    (except administrators) - including print operators and power users - I still
    get access denied.

    Have tried various rights within subinacl - including "F" for full control -
    makes no difference. Seems as though something in sp1 is overriding the
    Rights that subinacl used to confer remotely?

    Dinny
     
    dinny, Nov 3, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.