Windows: Give user allow to restart services.

Sometimes Windows services in companies are used for important things, and they could stop responding, meaning critical production tasks stops being executed or the Windows print Spooler service may hang, thus they need to be restarted.

Here you can see, how you can give a “normal” user the privileges for doing just that, and nothing else.

Download the subinacl.exe from the WIndows ressource kit fro mthe Web Achive, as it’s not avail anymore:

https://web.archive.org/web/20190830103837/http://www.microsoft.com/en-us/download/confirmation.aspx?id=23510

or download as zip from my blog here: subinacl.zip

Then run as elevated prompt and change to the directory, where the msi has been installaed to:

‚ÄúC:\Program Files (x86)\Windows Resource Kits\Tools\”

Type:

subinacl.exe /service Spooler /grant=domain\jt=PTO

Here the access has been granted to the user domain\jt.

=PTO means this:

Now the user can start “Service manager” and connect to the server where you set this and start/stop pause this one service ūüôā

On remote server, you may encounter Access denied, when trying to restart the service, the fix is this:

Block remote callers who aren’t admins from starting/stopping services (microsoft.com)

  1. Select Start, select Run, type regedit in the Open box, and then click OK.
  2. Locate and then select the following subkey in the registry:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM

    Note If the subkey does not exist, you must create it: On the Edit menu, select New, and then select Key. Type the name of the new subkey and then press Enter.

  3. On the Edit menu, point to New, and then select REG_MULTI_SZ Value.
  4. Type RemoteAccessCheckExemptionList for the name of the REG_MULTI_SZ value, and then press Enter.
  5. Double-click the RemoteAccessCheckExemptionList value, type the name of the service to exempt from the new policy, then click OK.
  6. Exit Registry Editor, and then restart the computer.

The the remote user can restart the service with this simple batch script:

@echo off
sc \\server.domain.local stop “Spooler”
sc \\server.domain.local start “Spooler”
REM Add delay to wait for service to start
timeout 10
REM Check if the server actually started
sc \\server.domain.local query “Spooler”

All good:

UPDATE: 18/1-2021, found this brilliant tool, for achieving the same:

Set Windows Service Permissions | A free GUI to configure start/stop access rights for any service (coretechnologies.com)

And it’s free!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close