delegating control of services
I wish to permit my helpdesk to restart services. I do not wish for them to become administrators of the server. How can I grant them this ability on a specific server or throughout the domain?
Thanks, David
December 28th, 2008 12:55pm

Hi,

According to your description, you want to delegate a domain user to control certain services. You can achieve this with the help of the following procedures:

Procedure 1:
By default, users can't control system services--they'll receive an "Error 5: Access is denied" error message. The following steps show how to use Group Policy to grant a user access to control the Print Spooler service (example).
------------------------------------
1, Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services.
2, Navigate to the Computer Configuration, Windows Settings, Security Settings, System Services.
3, Double-click the service for which you want to delegate permissions (e.g., Print Spooler).
4, Select the "Define this policy setting" and click Edit Security.
5, Click Add and enter the user/group to be given permissions.
6, After you select the user/group, pick the permissions you want to give to group members (e.g., "Start, stop and pause") and click OK, as the figure shows.
7, Ensure the service's startup type is correct (e.g., Automatic) and click OK.
8, After the Group Policy has been applied to the target machines, the user/group given control will be able to perform the delegated actions.
------------------------------------

Procedure 2:
To Start, Stop, and Pause a service, users need the Read and the Stop, Start, and Pause permissions. These permissions are exposed only through Group Policy. You can create organizational units (OUs) that contain the workstations that you want the policy applied to. To assign service permissions to the computers in an OU, perform these steps:
------------------------------------
1, Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2, Right-click a domain and press New, Organizational Unit.
3, Name the OU and press OK.
4, Right-click this new OU and select Properties.
5, Select the Group Policy tab.
6, Press New and name the policy.
7, Highlight the new policy and select Edit.
8, Navigate to Computer Configuration, Windows Settings, Security Settings, System Services.
9, Double-click the service you want users to manage.
10, Select the "Define this Policy Setting" check box.
11, Remove the Everyone group.
12, Add the System account, Domain Admins, and any user or groups you desire.
13, Grant the System account and Domain Admins Full Control. Grant the other users and groups both Read and Stop, Start, and Pause permissions.
14, Click OK.
15, Change the startup mode from Disabled to Automatic or Manual.
16, Click Apply and OK.
17, Close the policy and press OK.
18, Move the computer accounts for which you want to apply the policy into the OU.
------------------------------------

In addition, please note that the above steps need to be performed on a computer where the services are located; otherwise, the services will not be displayed in the Group Policy Editor.

For more information, please refer to the following Microsoft Knowledge Base articles:

283904 How to Add Third-Party Services to the System Services in Group Policy
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283904

256345 How To Configure Group Policies to Set Security for System Services
http://support.microsoft.com/default.aspx?scid=kb;EN-US;256345

Best regards,
Vincent Hu
December 29th, 2008 1:56pm
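A check to run once the policy from the procedures above has applied, as an added example that is not part of the original thread: it decodes a service's DACL (the SDDL string printed by `sc.exe sdshow`) and marks any trustee other than System, Administrators or Domain Admins whose ACE goes beyond Read and Start, Stop, and Pause. The function name `Get-ServiceDaclReport`, the sample SDDL and the two SIDs in it are constructed for illustration.

```powershell
# Added example. Meaning of SDDL right codes when the secured object is a service.
$RightName = @{
    CC='QueryConfig'; LC='QueryStatus'; SW='EnumerateDependents'; LO='Interrogate'
    RC='ReadControl'; RP='Start'; WP='Stop'; DT='PauseContinue'; CR='UserDefinedControl'
    DC='ChangeConfig'; SD='Delete'; WD='WriteDac'; WO='WriteOwner'; GA='GenericAll'
}
# Rights beyond "Read" and "Start, stop and pause"; expected only on Full Control trustees.
$Beyond      = 'DC','SD','WD','WO','GA'
$FullControl = 'SY','BA','DA'   # System, built-in Administrators, Domain Admins

function Get-ServiceDaclReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)
    # Take the ACE list that follows "D:" (and optional DACL flags); this stops before any SACL.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))*)').Groups[1].Value
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        # Rights given as a hex mask (0x...) are reported raw and need manual decoding.
        $codes = if ($f[2] -like '0x*') { @($f[2]) } else {
            @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        }
        $extra = @($codes | Where-Object { $Beyond -contains $_ })
        [pscustomobject]@{
            Type    = $f[0]
            Trustee = $f[5]
            Rights  = ($codes | ForEach-Object {
                          if ($RightName.ContainsKey($_)) { $RightName[$_] } else { $_ }
                      }) -join ','
            # True when an allow ACE for a delegated trustee carries more than intended.
            Review  = ($f[0] -eq 'A' -and $extra.Count -gt 0 -and $FullControl -notcontains $f[5])
        }
    }
}

# Constructed sample (not from a real host): two delegated groups with made-up SIDs.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
          '(A;;CCDCLCSWRPWPDTLOCRRC;;;S-1-5-21-1111111111-2222222222-3333333333-1106)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceDaclReport -Sddl $sample | Format-Table -AutoSize

# On a target server, read the live descriptor instead:
# Get-ServiceDaclReport -Sddl ((sc.exe sdshow Spooler) -join '').Trim()
```

In the sample, the ACE for the SID ending in 1105 carries only query, start, stop and pause rights, while the one ending in 1106 also carries ChangeConfig and is the only row marked for review.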

I know this thread is quite old at this point, but I'm having an issue secondary to this, (as we're trying to do the same thing for the most part - I'm replying to this thread initially).

I've used GP to assign the specific rights necessary to restart services. This works as expected when using pstools from command line or logged into the server with the credentials we're addressing with GP. However, what I need to be able to do is have the users launch MMC/services.msc on their local machine(s) and then 'Connect to another computer...'. When attempting to do this with their credentials, they get the "Error 5: Access is denied" error. Basically, they can restart the services but they can't SEE the services for the server(s).

Ultimately, I want to be able to grant READ access to the services of multiple servers so that these services, (relating to backup utilities), can be restarted by these users. The ability to see all of them is not a concern.

Can you assist?

Thanks,
CK
September 27th, 2010 6:11am

This topic is archived. No further replies will be accepted.
