Monday, December 8, 2014

Allowing non admin user to start / stop windows service

Last week, we had a problem to giving permission to certain services for the local non-admin user. And 99% of the IT team won't  give local admin permission due to the security issues.
What do to now?

I found a solution after google -ing a lot.

Microsoft has a simple tool called "subInACL.exe" which allows you to set the permission at the service level.

  1. Download subinacl.exe from Microsoft,
  2. Login as Administrator
  3. Install the tool
  4. Open the tool in the command mode.
  5. Navigate to C:\Program Files (x86)\Windows Resource Kits\Tools\


 subinacl /SERVICE \\MachineName\ServiceName /\username=F

 subinacl /SERVICE \\MySystem\spooler /\muralidharan=F

 The following permission level can be applied.

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service 
    U : Service User-Defined Control Commands

For more details about, the permission level, refer the below link.

No comments:

Post a Comment