Permissions or Policy

Archived from groups: microsoft.public.win2000.security (More info?)

Can anyone suggest a way to allow certain users to start and stop particular
services on a server?
I have a group of developers who I wish not to grant administrative access
to, but require the ability to bounce their applications which are service
based. I've looked in the local security policy but do not see anything
that stands out as being able to do this.

Thanks
5 answers Last reply
More about permissions policy
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    <WilliamBeau> wrote in message news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
    > Can anyone suggest a way to allow certain users to start and stop
    particular
    > services on a server?

    Such can be done through delegation on the service
    properties.

    No matter how you do it this will be a permission but
    you may distribute it to may machine by using a policy.

    On each service there are properties -- on the secure
    tab there are permissions available to be delegated.

    > I have a group of developers who I wish not to grant administrative access
    > to, but require the ability to bounce their applications which are service
    > based. I've looked in the local security policy but do not see anything
    > that stands out as being able to do this.

    Look in the Services control panel or in a GPO->
    Windows->Security->Services

    --
    Herb Martin


    >
    > Thanks
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    IIRC the subinacl tool can set permissons on services if it is
    the updated version,
    http://support.microsoft.com/default.aspx?scid=kb;en-us;827209
    else one may do this the long way using the Services section
    of a group policy or of a security config template (the last being
    the only alternative for a stand-alone).
    http://support.microsoft.com/kb/256345/EN-US/

    You must make sure that you do not remove the grant of Full to
    System when modifying the permissions of services.

    You may also seek out the third-party setacl utility which
    can manipulate much, including service permissions.
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    <WilliamBeau> wrote in message news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
    > Can anyone suggest a way to allow certain users to start and stop
    particular
    > services on a server?
    > I have a group of developers who I wish not to grant administrative access
    > to, but require the ability to bounce their applications which are service
    > based. I've looked in the local security policy but do not see anything
    > that stands out as being able to do this.
    >
    > Thanks
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Herb, this appears to be true only for system services - those basically
    included in the OS/ machine build and do not offer services that are
    installed as a result of software intallation or services created that are
    non-OS related.
    Do you know if I can change the list of services available in the group
    policy in order to accomodate these types of services?

    Thanks!

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
    > <WilliamBeau> wrote in message
    news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
    > > Can anyone suggest a way to allow certain users to start and stop
    > particular
    > > services on a server?
    >
    > Such can be done through delegation on the service
    > properties.
    >
    > No matter how you do it this will be a permission but
    > you may distribute it to may machine by using a policy.
    >
    > On each service there are properties -- on the secure
    > tab there are permissions available to be delegated.
    >
    > > I have a group of developers who I wish not to grant administrative
    access
    > > to, but require the ability to bounce their applications which are
    service
    > > based. I've looked in the local security policy but do not see anything
    > > that stands out as being able to do this.
    >
    > Look in the Services control panel or in a GPO->
    > Windows->Security->Services
    >
    > --
    > Herb Martin
    >
    >
    > >
    > > Thanks
    > >
    > >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    <WilliamBeau> wrote in message news:uoSqPZd7EHA.3944@TK2MSFTNGP12.phx.gbl...
    > Herb, this appears to be true only for system services - those basically
    > included in the OS/ machine build and do not offer services that are
    > installed as a result of software intallation or services created that are
    > non-OS related.

    I didn't know that -- I wonder if this is the 'fault' of the
    programmers (like not using the Event Log but creating
    their own seperate feature for the same purpose) or if
    it is the 'fault' of the published APIs?

    Maybe it is as simple as the programmer creating a
    system object to control access but of course that doesn't
    help you....

    > Do you know if I can change the list of services available in the group
    > policy in order to accomodate these types of services?

    What would the user be "accessing" for these services?

    Log files? Use NTFS...

    Registry settings? Use permissions (similar to NTFS)

    What else?

    --
    Herb Martin


    > Thanks!
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
    > > <WilliamBeau> wrote in message
    > news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
    > > > Can anyone suggest a way to allow certain users to start and stop
    > > particular
    > > > services on a server?
    > >
    > > Such can be done through delegation on the service
    > > properties.
    > >
    > > No matter how you do it this will be a permission but
    > > you may distribute it to may machine by using a policy.
    > >
    > > On each service there are properties -- on the secure
    > > tab there are permissions available to be delegated.
    > >
    > > > I have a group of developers who I wish not to grant administrative
    > access
    > > > to, but require the ability to bounce their applications which are
    > service
    > > > based. I've looked in the local security policy but do not see
    anything
    > > > that stands out as being able to do this.
    > >
    > > Look in the Services control panel or in a GPO->
    > > Windows->Security->Services
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > > >
    > > > Thanks
    > > >
    > > >
    > >
    > >
    >
    >
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    What are the services?
    Normally if you go to a machine where the third party
    services are installed and use the Security Templates
    snap-in to define a new template you will find that all
    services that have registered for starting by the scm
    will be in the list.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    <WilliamBeau> wrote in message news:uoSqPZd7EHA.3944@TK2MSFTNGP12.phx.gbl...
    > Herb, this appears to be true only for system services - those basically
    > included in the OS/ machine build and do not offer services that are
    > installed as a result of software intallation or services created that are
    > non-OS related.
    > Do you know if I can change the list of services available in the group
    > policy in order to accomodate these types of services?
    >
    > Thanks!
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%233xt7cT7EHA.1404@TK2MSFTNGP11.phx.gbl...
    > > <WilliamBeau> wrote in message
    > news:uwkWJgR7EHA.2180@TK2MSFTNGP12.phx.gbl...
    > > > Can anyone suggest a way to allow certain users to start and stop
    > > particular
    > > > services on a server?
    > >
    > > Such can be done through delegation on the service
    > > properties.
    > >
    > > No matter how you do it this will be a permission but
    > > you may distribute it to may machine by using a policy.
    > >
    > > On each service there are properties -- on the secure
    > > tab there are permissions available to be delegated.
    > >
    > > > I have a group of developers who I wish not to grant administrative
    > access
    > > > to, but require the ability to bounce their applications which are
    > service
    > > > based. I've looked in the local security policy but do not see
    anything
    > > > that stands out as being able to do this.
    > >
    > > Look in the Services control panel or in a GPO->
    > > Windows->Security->Services
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > > >
    > > > Thanks
    > > >
    > > >
    > >
    > >
    >
    >
Ask a new question

Read More

Policy Security Permissions Windows