Monday, December 8, 2014

Allowing non admin user to start / stop windows service

Last week, we had a problem to giving permission to certain services for the local non-admin user. And 99% of the IT team won't  give local admin permission due to the security issues.
What do to now?

I found a solution after google -ing a lot.

Microsoft has a simple tool called "subInACL.exe" which allows you to set the permission at the service level.

  1. Download subinacl.exe from Microsoft, http://www.microsoft.com/en-us/download/details.aspx?id=23510
  2. Login as Administrator
  3. Install the tool
  4. Open the tool in the command mode.
  5. Navigate to C:\Program Files (x86)\Windows Resource Kits\Tools\

Syntax

 subinacl /SERVICE \\MachineName\ServiceName /GRANT=domainname.com\username=F

 Example:
 subinacl /SERVICE \\MySystem\spooler /GRANT=myDC.com\muralidharan=F

 The following permission level can be applied.

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service 
    U : Service User-Defined Control Commands

For more details about, the permission level, refer the below link.

No comments:

Post a Comment