Delegating Monitoring-Stopping-Starting services on Servers

Thank you so much Jorge and the activedir.org mailing list. I've been trying to figure out how to get a junior admin access to restart the print spooler on a Windows 2003 SP1 box for over a month.

Delegating permissions to manage services on servers is not the easiest thing to do. You can do it from the command line or through a GPO in the "System Services" node. Either way you MUST take the currently configured permissions into account, otherwise you might (or will) experience issues!

I do not like to use a GPO to do this and prefer to use command line tools in scripts. I'm not going to post a script, but I'm going to provide the information for the delegation of the permissions required and how to achieve that. For the scripting part, what you need to do is retrieve the current SDDL, add what you want to add and write the complete new SDDL back.

Jorge's Quest For Knowledge! : Delegating Monitoring/Stopping/Starting services on Servers


Monitoring of Services on Servers (W2K3/W2K8)

  • ACE on SCM object for "<AD group>" –> **ADD** SDDL part "(A;;CCLCRPRC;;;<AD group>)" to the existing SDDL (CC = SC_MANAGER_CONNECT, LC = SC_MANAGER_ENUMERATE_SERVICE, RP = SC_MANAGER_QUERY_LOCK_STATUS, RC = READ_CONTROL)
  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;GR;;;<AD group>)" to the existing SDDL (GR = generic read: query config/status, interrogate, enumerate dependents)

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>. SDSET takes the COMPLETE descriptor (DACL and SACL), so always append to what SDSHOW returned rather than writing only the new ACE.
REMARK: In the ACE, <AD group> must be the group's SID string (S-1-5-21-...), not "DOMAIN\Group"; SDDL only accepts names in the form of the two-letter well-known aliases (BA, SY, AU, ...).
REMARK: also see http://support.microsoft.com/?kbid=914392

Monitoring of Services on Servers (W2K)

  • All users, local and remote, are allowed to monitor all services on W2K

Stopping/starting of Services on Servers (W2K3)

  • ACE on service object for "<AD group>" –> **ADD** SDDL part "(A;;RPWP;;;<AD group>)" to the existing SDDL (RP = SERVICE_START, WP = SERVICE_STOP; add DT for SERVICE_PAUSE_CONTINUE if pausing is also wanted)

REMARK: This can be done with: SC SDSHOW <Service | SCMANAGER> & SC SDSET <Service | SCMANAGER> <SDDL>. The group also needs the monitoring ACEs above: starting or stopping a service first requires connecting to the SCM and querying the service.
REMARK: also see http://support.microsoft.com/?kbid=914392
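The "retrieve the current SDDL, add what you want, write the complete new SDDL back" procedure from Jorge's text, scripted for the monitoring and the stopping/starting delegation above. This is an added example, not Jorge's script or anything from the original page. It assumes sc.exe is on the PATH, that it is run as a local Administrator on the target server, and that the server can resolve the AD group name to a SID; the server, service and group names are placeholders.

```powershell
# Added example (not from Jorge's post): delegate monitor + start/stop of one
# service to one AD group on W2K3/W2K8 by editing SDDL with sc.exe.
# Assumptions: sc.exe on the PATH, run as a local Administrator on the target,
# the group name resolvable to a SID. Inside PowerShell always call "sc.exe":
# "sc" alone is an alias for Set-Content.

function Get-GroupSid {
    # SDDL ACEs need a SID string (S-1-5-21-...), not "DOMAIN\Group".
    param([Parameter(Mandatory = $true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-AceToSddl {
    # Append "(A;;rights;;;SID)" ACEs to the DACL of an SDDL string. The SACL
    # ("S:...") follows the DACL, so the insert goes just before the "S:" marker.
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [Parameter(Mandatory = $true)][string]$Ace
    )
    if ($Sddl.Contains($Ace)) { return $Sddl }        # already delegated: no-op
    $sacl = $Sddl.IndexOf('S:')
    if ($sacl -lt 0) { return $Sddl + $Ace }
    return $Sddl.Substring(0, $sacl) + $Ace + $Sddl.Substring($sacl)
}

function Grant-ServiceControl {
    # Rights from the post: CCLCRPRC on the SCM, GR and RPWP on the service.
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # e.g. PRINT01 (placeholder)
        [Parameter(Mandatory = $true)][string]$Service,  # e.g. Spooler
        [Parameter(Mandatory = $true)][string]$Group,    # e.g. CONTOSO\PrintOps (placeholder)
        [switch]$WhatIf
    )
    $sid = Get-GroupSid -Account $Group
    $work = @(
        @{ Name = 'scmanager'; Ace = "(A;;CCLCRPRC;;;$sid)" },
        @{ Name = $Service;    Ace = "(A;;GR;;;$sid)(A;;RPWP;;;$sid)" }
    )
    foreach ($item in $work) {
        # sc sdshow prints a blank line followed by the descriptor on one line.
        $line = & sc.exe "\\$Server" sdshow $item.Name |
                Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1
        if (-not $line) { throw "sc sdshow $($item.Name) on $Server returned no SDDL" }
        $current = $line.Trim()
        $new = Add-AceToSddl -Sddl $current -Ace $item.Ace

        # Parse the result before writing it back: a malformed descriptor set
        # with sdset can leave nobody able to manage the service.
        $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new

        Write-Host "$($item.Name):`n  old $current`n  new $new"
        if ($WhatIf -or $new -eq $current) { continue }
        & sc.exe "\\$Server" sdset $item.Name $new
        if ($LASTEXITCODE -ne 0) { throw "sc sdset $($item.Name) failed ($LASTEXITCODE)" }
    }
}

# Dry run first (prints old and new descriptors, writes nothing), then apply:
# Grant-ServiceControl -Server PRINT01 -Service Spooler -Group 'CONTOSO\PrintOps' -WhatIf
# Grant-ServiceControl -Server PRINT01 -Service Spooler -Group 'CONTOSO\PrintOps'
```

Keep the "old" line the dry run prints: it is the only record of the previous descriptor, and `sc.exe sdset <service> "<old SDDL>"` is the rollback.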

Stopping/starting of Services on Servers (W2K)

  • ACE on service object for "<AD group>" –> SUBINACL /service "\\<SERVER>\<SERVICE>" /grant="<DOMAIN>\<AD GROUP>"=TO

REMARK: T = right to start a service & O = right to stop a service (SUBINACL accepts the group name here and resolves the SID itself)
REMARK: Always use the latest version of SUBINACL!
