Stopping and starting services remotely - without local admin righ

Hiya,

I have a large number of windows servers running services (such as print
spoolers) that I wish non-admin staff - such as the helpdesk to be able to
stop and start remotely (without having to add them to the local admin group)

I have used the following solution successfully on w2k sp4 and w2k3

Apply permissions to the service in question to the group in question by
using subinacl

eg subinacl /service spooler /grant=domain\HelpdeskAdmins=STO

I then use a script to call SC

eg sc \\servername start "Spooler"

This no longer seems to work on w2k3 sp1.

I appreciate that this could be classed as a security enhancement - but
forcing people to be added to local admin when all they need to do is control
a single service seems like a backwards step?

Does anyone have a solution to administer services remotely on w2k3 sp1 that
does not require local admin rights?

Cheers

Dinny

 

Have you thought about adding them to the Print Operators or Server Operators
groups? These groups specifically have the ability to stop and start some
services (but not all) as well as manage the system to an extent. They do
not have any group or account management capabilities.

The Server operators does have the ability to shut down the system, create
shared resources and such. You can likely use a group policy or ACL to
prevent some things like the ability to log on locally to a Domain
Controller.

 

To be safe, try:
subinacl /service spooler /grant=domain\HelpdeskAdmins=STROP

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com

 

Hiya,

I have tried adding the non-admin account to every other built in group
(except administrators) - including print operators and power users - I still
get access denied.

Have tried various rights within subinacl - including "F" for full control -
makes no difference. Seems as though something in sp1 is overriding the
Rights that subinacl used to confer remotely?

Dinny