Security Permissions to allow restarting Services
So far I'm having no luck on this one. There is a -ton- of data on 2003 - all of which does not seem to apply to 2008. Edition: Standard 2008 (not R2). Limitations: I have no access to AD at this time; so a Group Policy cannot be used (pity). So... I guess the question is, how do I set up a user to allow them to restart services remotely (preferably using the manage remote computer MMC) on 2008?
October 15th, 2009 2:02pm

In the CA console, in the Security tab, add the user/group and give them the Manage CA permission. Restart the CA service.
Or add the user/group to local admins and restart the service in the service console.
Edit: Must be a local user/group as you don't have access to the AD.
Edit 2: You might have to add the user/group to the "Access this computer from the network" in local policy, but that shouldn't be necessary if you connect via the CA console (Connect to another comp alt.)
October 15th, 2009 2:16pm

Thanks. I don't want to add the user to the admins group as this is a secured business server - but the user will be adding software and their software has service controls that they will occasionally need to restart for patching/etc. Also... sorry for the ignorance, but what is the CA Console? The only thing I can think of is the certificate authority console (enterprise only I think) - but that doesn't seem correct.
October 15th, 2009 2:43pm

Ohh, you meant restarting ANY service!?! Then the user must be a member of the local admins group. No other way around it except very complicated security policy settings together with NTFS permissions etc. Starting/stopping services are highly elevated rights, so no real reason to not make them local admins.
Forget the CA thingy. I'm a PKI admin and sometimes can't see outside the box. ;-)
October 15th, 2009 3:49pm

First, go to the MMC and add the snap-in called Security Configuration and Analysis. Then analyse your server and find the System Services node. There you will find the current permissions for each service. Note them exactly.
Then you can either use the Group Policy, Computer Configuration / Windows Settings / Security Settings / System Services node to configure this centrally, or you can use the Security Templates MMC snap-in together with the previously used Security Configuration and Analysis to apply the template you created.
ondrej.
October 15th, 2009 4:52pm

Thanks Ondrej. Good thing - I can access AD on my own PC. But... the only services I can see in AD are services on my own machine and general services (with no way to add service names). Whenever I run the SCA MMC, it wants me to provide a template - which I don't have :o I would be happy allowing all services to be restarted, if that is the only way - admin access would be inappropriate though.
October 15th, 2009 7:00pm

I stand corrected. Good info.
October 16th, 2009 12:40am

Hi,
if you want to see the services in GPO/AD, you will have to do one of two things. Either open the GPO snap-in remotely (as you do already) from a computer that has the service installed.
The other method would be to use the Security Templates snap-in on the computer that has the service installed, creating a template .INF file directly on the computer and exporting the .INF file to the DC, where you would IMPORT the .INF file into some group policy object (right click on the Computer Config - Windows Settings - Security Settings / Import).
As far as I know, there is no simple way to enable somebody to restart ANY service. You will always have to grant the users (better to use a group) restarting only particular services through the policy.
The Security Templates snap-in is also the way to create a template (even an empty one) for use with the Security Configuration and Analysis if your computer does not have any templates available.
ondrej.
October 17th, 2009 12:44pm
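
The per-service permissions discussed in the replies above are stored on each service as an SDDL security descriptor, which `sc.exe sdshow` prints and `sc.exe sdset` writes. The following PowerShell is an added example, not part of the original thread: it builds a descriptor that grants one non-admin account start, stop and query rights on a single service. The function names, the service name `ExampleSvc`, the group `SERVER01\SvcOperators`, the SID and the sample descriptor are all constructed placeholders.

```powershell
# Added example. Builds a DACL that lets one non-admin account start, stop and
# query a single service. It only returns a string; nothing is changed here.
function Add-ServiceRestartAce {
    param([string]$Sddl, [string]$Sid)

    if ($Sddl -notmatch '^D:') { throw 'Expected an SDDL string starting with D:' }
    if ($Sid -notmatch '^S-1-[0-9-]+$') { throw 'Pass the account as a SID string' }
    if ($Sddl.Contains(";;;$Sid)")) { throw "An ACE for $Sid already exists; review it by hand" }

    # Service rights in SDDL: LC = query status, RP = start, WP = stop,
    # LO = interrogate, RC = read the descriptor. DC, WD and WO are left out,
    # so the account cannot reconfigure the service or rewrite its permissions.
    $ace = "(A;;LCRPWPLORC;;;$Sid)"

    # The DACL runs from "D:" up to the optional "S:" (SACL) part. The new ACE
    # has to be appended to the DACL, not placed after the SACL.
    $saclAt = $Sddl.IndexOf('S:')
    if ($saclAt -lt 0) { return $Sddl + $ace }
    return $Sddl.Substring(0, $saclAt) + $ace + $Sddl.Substring($saclAt)
}

# Resolve a local account or group name to its SID string.
function Get-AccountSid {
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Constructed sample descriptor in the shape "sc.exe sdshow" prints; not from the thread.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # placeholder SID
Add-ServiceRestartAce -Sddl $sample -Sid $sid

# On the server itself, from an elevated prompt (hypothetical service and group).
# Use sc.exe explicitly: in PowerShell, "sc" is an alias for Set-Content.
#   $svc = 'ExampleSvc'
#   $old = (sc.exe sdshow $svc | Where-Object { $_ }) -join ''
#   $new = Add-ServiceRestartAce -Sddl $old -Sid (Get-AccountSid 'SERVER01\SvcOperators')
#   sc.exe sdset $svc $new
```

Keep the value of `$old` so the original descriptor can be restored with `sc.exe sdset`, and grant the ACE to a group rather than a single user, as suggested in the reply above.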

This topic is archived. No further replies will be accepted.