Delegating Minimal Permissions to Access Windows Services

You might find this information handy if you work with Windows Services, and wish to grant some basic permissions to user accounts.  In my scenario, I wanted to be able to list the status of several key Windows Services used in my overall architecture (for a diagnostic website/control panel) and to be able to restart the service(s) should they stop for some reason.

This has become increasingly difficult as, over time, Windows Server has become further locked down.  By default, local users and non-administrative accounts do not even possess the rights to enumerate local services, let alone query their status or restart them.  Luckily, there is a way to remedy this.  Please note that this applies on a per-account basis; I have not found a solution which applies to security groups.

You'll need a special utility (called Subinacl) to grant permissions; you can download a copy from Microsoft here. Note that you will require local administrative privileges to perform the following steps.

The first thing you need to do is to [1] determine the SID (security identifier) of the account you wish to grant permissions to.  This can be achieved a number of ways, the easiest being the execution of a little VBS script.  Copy and paste the below VBS into a text file, save it with a .vbs extension,  and double click the file to execute.

strComputer = "."   ' or the full name of the machine
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Look up the account by user name and domain (or local machine name)
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='<USERNAME>',Domain='<DOMAIN OR LOCAL MACHINE NAME>'")
' Print the account's SID
Wscript.Echo objAccount.SID

Once you've obtained the SID for the account you wish to grant permissions to, read the following blog article – scroll down to the section titled "Grant access to run the Services Control Panel".  This blog article will take you the rest of the way.  I strongly suggest reading through the linked article.

If, however, you’d prefer a quick summary of the remaining steps, keep reading below.

  1. Open a Command Prompt and execute the following statement:

    sc sdshow scmanager

  2. Copy the output (SDDL) to a text editor, it will look something like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  3. Copy the section of the SDDL that ends in IU (interactive users) to just before the S: in the SDDL line.
  4. Replace ‘IU’ with the SID of the user you looked up previously, it may look like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  5. Run the following command to grant the permission to enumerate local Windows services to the specified User Account/SID:

    sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
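The same steps 1 to 5, as an added PowerShell script that is not part of the original post: it resolves the account's SID, reads the current SCM descriptor, inserts an ACE carrying the same rights as the IU entry, and only writes it back when asked to. The account name is a placeholder you supply; run it from an elevated prompt.

```powershell
# Added example (not from the original post): automate the SDDL edit instead of
# doing it by hand. Assumes sc.exe is on the path and the account name is valid.
param(
    [Parameter(Mandatory)] [string] $Account,   # e.g. 'MACHINE\monitoruser' (placeholder)
    [switch] $Apply                              # without -Apply the script only prints the new SDDL
)

# Resolve the account to its SID (does the same job as the VBS lookup in the post).
$nt  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($sid -notmatch '^S-1-(\d+-)+\d+$') { throw "Unexpected SID format: $sid" }

# Step 1: read the current security descriptor of the service control manager.
# Note: in PowerShell 'sc' is an alias for Set-Content, so call sc.exe explicitly.
$current = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }).Trim()
if (-not $current) { throw 'Could not read the SCM security descriptor' }

# Steps 3-4: the IU entry grants CC (connect), LC (enumerate services),
# RP (query lock status) and RC (read control): enough to list services and
# their status, nothing more. Build the same ACE for our SID.
$ace = "(A;;CCLCRPRC;;;$sid)"
if ($current.Contains($ace)) { Write-Host 'ACE already present, nothing to do'; return }

# Insert the new ACE at the end of the DACL, i.e. just before the SACL ("S:") if present.
$saclPos = $current.IndexOf('S:')
$new = if ($saclPos -ge 0) { $current.Insert($saclPos, $ace) } else { $current + $ace }
Write-Host "New SDDL:`n$new"

# Step 5: apply only when explicitly requested; sc.exe sets a non-zero exit code on failure.
if ($Apply) {
    & sc.exe sdset scmanager $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}
```

Review the printed descriptor before re-running with -Apply; a malformed DACL on scmanager can lock everyone, including administrators, out of the service control manager until it is repaired.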

You'll need to know the "short name" of the Windows Service you want to grant permissions on.  To find it quickly, type the following command:

sc getkeyname "<Service Name>"

You can also get the name from the Services applet in the Control Panel –> Administrative Tools.

Then, using subinacl (which you previously downloaded and installed, right?) you can grant permissions to your user account like so:

subinacl /verbose /service "<short name of service>" /grant=<DOMAIN or MACHINE>\<user account>=F

Note that the "=F" grants full control over the service.  Full control includes the right to change the service's configuration, which is more than is needed to query and restart it; subinacl's help output lists narrower access letters (for example T for start, O for stop and S for query status) that can be used in place of F.

A big thanks to the two blog entries I’ve referenced for steering the way here.  I found the VBS script an easier way to lookup the user SID than the one referenced in the second blog article.

To grant enumeration rights to a security group, you may be able to follow steps outlined in the following blog article, though I have not tested it out myself.

Source Articles:

[1] http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx
[2] http://lanestechblog.blogspot.com/2010/07/how-to-delegate-services-control-in.html
[3] http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20allow%20users%20to%20enumerate%20service%20remotely.aspx
