Windows services in companies are sometimes used for important things, and they can stop responding, meaning critical production tasks stop being executed, or the Windows Print Spooler service may hang, so they need to be restarted.
Here you can see how to give a “normal” user the privileges to do just that, and nothing else.
Download subinacl.exe from the Windows Resource Kit from the Web Archive, as it’s not available anymore:
or download as zip from my blog here: subinacl.zip
Then run an elevated prompt and change to the directory where the MSI has been installed to:
“C:\Program Files (x86)\Windows Resource Kits\Tools\”
Type:
subinacl.exe /service Spooler /grant=domain\jt=PTO
Here the access has been granted to the user domain\jt.
=PTO means this:
Now the user can start “Service manager”, connect to the server where you set this, and start, stop or pause this one service 🙂
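To confirm that the grant gave the account only the start, stop and pause rights, and nothing that allows reconfiguring the service or rewriting its ACL, the SDDL printed by `sc sdshow Spooler` can be audited. This is an added example, not part of the original post; the SDDL string is constructed sample data and the SID standing in for domain\jt is hypothetical.

```python
import re
# SDDL right codes as printed by `sc sdshow`, with their service meaning.
RIGHTS = {
    "CC": ("QUERY_CONFIG", 0x1), "DC": ("CHANGE_CONFIG", 0x2),
    "LC": ("QUERY_STATUS", 0x4), "SW": ("ENUMERATE_DEPENDENTS", 0x8),
    "RP": ("START", 0x10), "WP": ("STOP", 0x20),
    "DT": ("PAUSE_CONTINUE", 0x40), "LO": ("INTERROGATE", 0x80),
    "CR": ("USER_DEFINED_CONTROL", 0x100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000), "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000), "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000)}
CONTROL = {"START", "STOP", "PAUSE_CONTINUE"}  # what the =PTO grant is for
RISKY = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL"}

def rights_to_mask(field):
    """Turn an ACE rights field ('RPWPDT' or '0x70') into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in (field[i:i + 2] for i in range(0, len(field), 2)):
        if code not in RIGHTS:
            raise ValueError(f"unknown SDDL right code: {code!r}")
        mask |= RIGHTS[code][1]
    return mask

def allowed_rights(sddl, trustee):
    """Names of the rights that allow-ACEs in the DACL give to `trustee`."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    mask = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        if ace_type == "A" and sid.upper() == trustee.upper():
            mask |= rights_to_mask(rights)
    return {name for name, bit in RIGHTS.values() if mask & bit}

def audit_grant(sddl, trustee):
    """Return (control rights still missing, risky rights held) for trustee.
    Risky rights allow reconfiguring the service or rewriting its ACL."""
    granted = allowed_rights(sddl, trustee)
    return sorted(CONTROL - granted), sorted(RISKY & granted)

# Constructed sample in `sc sdshow Spooler` format; the SID is hypothetical.
JT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
SAMPLE = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPDT;;;" + JT_SID + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
if __name__ == "__main__":
    print(audit_grant(SAMPLE, JT_SID), audit_grant(SAMPLE, "BA"))
```

Two empty lists for the delegated account mean it can start, stop and pause the service and holds none of the rights that would let it change the service configuration or permissions.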
On a remote server, you may encounter “Access denied” when trying to restart the service. The fix is this:
Block remote callers who aren’t admins from starting/stopping services (microsoft.com)
- Select Start, select Run, type regedit in the Open box, and then click OK.
- Locate and then select the following subkey in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\SCM
Note: If the subkey does not exist, you must create it: On the Edit menu, select New, and then select Key. Type the name of the new subkey and then press Enter.
- On the Edit menu, point to New, and then select REG_MULTI_SZ Value.
- Type RemoteAccessCheckExemptionList for the name of the REG_MULTI_SZ value, and then press Enter.
- Double-click the RemoteAccessCheckExemptionList value, type the name of the service to exempt from the new policy, then click OK.
- Exit Registry Editor, and then restart the computer.
Then the remote user can restart the service with this simple batch script:
@echo off
sc \\server.domain.local stop "Spooler"
REM Give the service time to stop before starting it again
timeout /t 5
sc \\server.domain.local start "Spooler"
REM Add delay to wait for service to start
timeout /t 10
REM Check if the service actually started
sc \\server.domain.local query "Spooler"
All good:
UPDATE: 18/1-2021, found this brilliant tool, for achieving the same:
And it’s free!
Thanks for these, Martin. And for those who may have any hesitation about the SSE tool he mentioned (I love it and use it regularly), I’ll note that if you’re ok with using the sysinternals tool, Process Explorer, from Microsoft, it can also be used to control service start/stop permissions. It’s just not as obvious or simple as SSE.
See a discussion of the steps in another post which, like yours, outlines a few options (not yet SSE), at http://woshub.com/set-permissions-on-windows-service/, under the section, “How to Change Windows Service Permission Using Process Explorer”