Sign in with
Sign up | Sign in
Your question

Permissions or Policy

Last response: in Windows 2000/NT
Share
December 28, 2004 4:01:34 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Can anyone suggest a way to allow certain users to start and stop particular
services on a server?
I have a group of developers who I wish not to grant administrative access
to, but require the ability to bounce their applications which are service
based. I've looked in the local security policy but do not see anything
that stands out as being able to do this.

Thanks

More about : permissions policy

Anonymous
a b 8 Security
December 28, 2004 8:44:21 PM

Archived from groups: microsoft.public.win2000.security (More info?)

<WilliamBeau> wrote in message news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
> Can anyone suggest a way to allow certain users to start and stop
particular
> services on a server?

Such can be done through delegation on the service
properties.

No matter how you do it this will be a permission but
you may distribute it to may machine by using a policy.

On each service there are properties -- on the secure
tab there are permissions available to be delegated.

> I have a group of developers who I wish not to grant administrative access
> to, but require the ability to bounce their applications which are service
> based. I've looked in the local security policy but do not see anything
> that stands out as being able to do this.

Look in the Services control panel or in a GPO->
Windows->Security->Services

--
Herb Martin


>
> Thanks
>
>
Anonymous
a b 8 Security
December 28, 2004 8:47:52 PM

Archived from groups: microsoft.public.win2000.security (More info?)

IIRC the subinacl tool can set permissons on services if it is
the updated version,
http://support.microsoft.com/default.aspx?scid=kb;en-us;827209
else one may do this the long way using the Services section
of a group policy or of a security config template (the last being
the only alternative for a stand-alone).
http://support.microsoft.com/kb/256345/EN-US/

You must make sure that you do not remove the grant of Full to
System when modifying the permissions of services.

You may also seek out the third-party setacl utility which
can manipulate much, including service permissions.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<WilliamBeau> wrote in message news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
> Can anyone suggest a way to allow certain users to start and stop
particular
> services on a server?
> I have a group of developers who I wish not to grant administrative access
> to, but require the ability to bounce their applications which are service
> based. I've looked in the local security policy but do not see anything
> that stands out as being able to do this.
>
> Thanks
>
>
Related resources
December 29, 2004 2:43:36 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Herb, this appears to be true only for system services - those basically
included in the OS/ machine build and do not offer services that are
installed as a result of software intallation or services created that are
non-OS related.
Do you know if I can change the list of services available in the group
policy in order to accomodate these types of services?

Thanks!

"Herb Martin" <news@LearnQuick.com> wrote in message
news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
> <WilliamBeau> wrote in message
news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
> > Can anyone suggest a way to allow certain users to start and stop
> particular
> > services on a server?
>
> Such can be done through delegation on the service
> properties.
>
> No matter how you do it this will be a permission but
> you may distribute it to may machine by using a policy.
>
> On each service there are properties -- on the secure
> tab there are permissions available to be delegated.
>
> > I have a group of developers who I wish not to grant administrative
access
> > to, but require the ability to bounce their applications which are
service
> > based. I've looked in the local security policy but do not see anything
> > that stands out as being able to do this.
>
> Look in the Services control panel or in a GPO->
> Windows->Security->Services
>
> --
> Herb Martin
>
>
> >
> > Thanks
> >
> >
>
>
Anonymous
a b 8 Security
December 29, 2004 8:18:13 PM

Archived from groups: microsoft.public.win2000.security (More info?)

<WilliamBeau> wrote in message news:uoSqPZd7EHA.3944@TK2MSFTNGP12.phx.gbl...
> Herb, this appears to be true only for system services - those basically
> included in the OS/ machine build and do not offer services that are
> installed as a result of software intallation or services created that are
> non-OS related.

I didn't know that -- I wonder if this is the 'fault' of the
programmers (like not using the Event Log but creating
their own seperate feature for the same purpose) or if
it is the 'fault' of the published APIs?

Maybe it is as simple as the programmer creating a
system object to control access but of course that doesn't
help you....

> Do you know if I can change the list of services available in the group
> policy in order to accomodate these types of services?

What would the user be "accessing" for these services?

Log files? Use NTFS...

Registry settings? Use permissions (similar to NTFS)

What else?

--
Herb Martin


> Thanks!
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
> > <WilliamBeau> wrote in message
> news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
> > > Can anyone suggest a way to allow certain users to start and stop
> > particular
> > > services on a server?
> >
> > Such can be done through delegation on the service
> > properties.
> >
> > No matter how you do it this will be a permission but
> > you may distribute it to may machine by using a policy.
> >
> > On each service there are properties -- on the secure
> > tab there are permissions available to be delegated.
> >
> > > I have a group of developers who I wish not to grant administrative
> access
> > > to, but require the ability to bounce their applications which are
> service
> > > based. I've looked in the local security policy but do not see
anything
> > > that stands out as being able to do this.
> >
> > Look in the Services control panel or in a GPO->
> > Windows->Security->Services
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Thanks
> > >
> > >
> >
> >
>
>
Anonymous
a b 8 Security
December 30, 2004 1:37:13 AM

Archived from groups: microsoft.public.win2000.security (More info?)

What are the services?
Normally if you go to a machine where the third party
services are installed and use the Security Templates
snap-in to define a new template you will find that all
services that have registered for starting by the scm
will be in the list.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
<WilliamBeau> wrote in message news:uoSqPZd7EHA.3944@TK2MSFTNGP12.phx.gbl...
> Herb, this appears to be true only for system services - those basically
> included in the OS/ machine build and do not offer services that are
> installed as a result of software intallation or services created that are
> non-OS related.
> Do you know if I can change the list of services available in the group
> policy in order to accomodate these types of services?
>
> Thanks!
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
> > <WilliamBeau> wrote in message
> news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
> > > Can anyone suggest a way to allow certain users to start and stop
> > particular
> > > services on a server?
> >
> > Such can be done through delegation on the service
> > properties.
> >
> > No matter how you do it this will be a permission but
> > you may distribute it to may machine by using a policy.
> >
> > On each service there are properties -- on the secure
> > tab there are permissions available to be delegated.
> >
> > > I have a group of developers who I wish not to grant administrative
> access
> > > to, but require the ability to bounce their applications which are
> service
> > > based. I've looked in the local security policy but do not see
anything
> > > that stands out as being able to do this.
> >
> > Look in the Services control panel or in a GPO->
> > Windows->Security->Services
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Thanks
> > >
> > >
> >
> >
>
>
!