By default, normal users cannot manage Windows services. This means that users cannot stop, start, restart Windows services or change their settings/permissions. In some cases, users must have permission to restart or control certain services. In this article, we will explain some ways to manage permissions for Windows services. More specifically, we will show how a non-administrative user can start, stop and restart certain Windows services by giving him/her the appropriate permissions.

Suppose you need to give a domain user permission to restart the Print Spooler service (the service name is spooler). If a non-administrator tries to restart the service, an error message appears:

System error 5 occurred. Access Denied.

There is no simple, easy-to-use built-in tool for managing service permissions on Windows. We will look at a few ways to give a user permission to use a :

Configure Windows services permissions with the SC.exe tool (Service Controller)

The standard built-in method for managing service permissions on Windows is the sc.exe (Service Controller) utility. The main problem with this tool is the complex syntax of the service permission format (SDDL, the Security Descriptor Definition Language).

You can get the current permissions for a Windows service in the form of an SDDL line like this :

sc.exe sdshow Spooler

D:(A;;CCLCSWRPDLOCRRC;;;AU)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPDTLOCRSDRCWDWO;;;WD)

What do all these symbols mean?

S: – System Access Control List (SACL)
D: – Discretionary Access Control List (DACL)

The first letter inside each pair of brackets means Allow (A) or Deny (D).

The following character set corresponds to the assigned permissions.

CC – SERVICE_QUERY_CONFIG (retrieval of service parameters)
LC – SERVICE_QUERY_STATUS (retrieval of service status)
SW – SERVICE_ENUMERATE_DEPENDENTS
LO – SERVICE_INTERROGATE
CR – SERVICE_USER_DEFINED_CONTROL
RC – READ_CONTROL
RP – SERVICE_START
WP – SERVICE_STOP
DT – SERVICE_PAUSE_CONTINUE

The last 2 characters are the objects (user, group or SID) for which permissions are granted. There is a list of predefined groups.

AO Account Operators
RU Alias for Windows 2000
AN Anonymous Login
AU Authenticated Users
BA Built-in Administrators
BG Built-in Guests
BO Backup Operators
BU Built-in Users
CA Certificate Server Administrators
CG Creator Group
CO Creator Owner
DA Domain Administrators
DC Domain Computers
DD Domain Controllers
DG Domain Guests
DU Domain Users
EA Enterprise Administrators
ED Enterprise Domain Controllers
WD Everyone
PA Group Policy Administrators
IU Interactive…
LA Local Administrator
LG Local Guests
LS Local Service Account
SY Local System
NU Network Connection Users
NO Network Configuration
NS Network Service Account
PO Printer Operators
PS Personal Self Service
PU Power Users
RS RAS Server Group
RD Terminal Server Users
RE Replicator
RC Restricted Code
SA Schema Administrators
SO Server Operators
SU Service Login Users

Instead of a predefined group, you can specify a user or group explicitly by SID. To retrieve the SID of the current user, you can use the following command:

whoami /user

You can also retrieve the SID of any domain user with the Get-ADUser cmdlet:

Get-ADUser -Identity "sadams" | select SID

You can retrieve the SID of an AD security group with the Get-ADGroup cmdlet:

Get-ADGroup -Filter {name -eq "ny-ithelpdesk"} | Select SID

You can use the sc sdset command to assign an SDDL permission set to a specific service. The command replaces the service's entire security descriptor, so the string must contain the existing entries as well as the new one. For example, access rights can be assigned to a user with the following command:

sc sdset spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
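
The Python sketch below is an added example, not code from the original article. It parses the DACL of a service SDDL string, reports allow entries that give a non-administrative trustee the rights to reconfigure the service or rewrite its ACL, and builds an sc sdset argument by appending one entry to the existing DACL. The function names, the DANGEROUS set and the BASE string are this example's own; BASE is constructed from the sc sdset command above with the user's entry removed.

```python
import re

# Codes from the table above, plus the standard DC, SD, WD and WO rights.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "RC": "READ_CONTROL",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "DC": "SERVICE_CHANGE_CONFIG",
    "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
DANGEROUS = {"DC", "WD", "WO"}   # reconfigure the service or rewrite its ACL
ADMIN_TRUSTEES = {"SY", "BA"}    # Local System, built-in Administrators
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")

def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, [rights codes], trustee) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], re.findall("..", fields[2]), fields[5]))
    return aces

def risky_aces(sddl):
    """Allow ACEs that hand DANGEROUS rights to a non-admin trustee."""
    return [(who, sorted(DANGEROUS & set(codes)))
            for kind, codes, who in parse_dacl(sddl)
            if kind == "A" and who not in ADMIN_TRUSTEES and DANGEROUS & set(codes)]

def add_allow_ace(sddl, rights, sid):
    """Append an allow ACE to the DACL; existing ACEs and the SACL are kept."""
    unknown = [c for c in re.findall("..", rights) if c not in RIGHTS]
    m = DACL_RE.search(sddl)
    if unknown or len(rights) % 2 or not m:
        raise ValueError(f"bad rights {rights!r} or no DACL")
    return f"{sddl[:m.end()]}(A;;{rights};;;{sid}){sddl[m.end():]}"

# Constructed input: the page's sc sdset string without the user's ACE.
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
USER_SID = "S-1-5-21-2133228432-2794320136-1823075350-1000"  # SID from the page

if __name__ == "__main__":
    print(add_allow_ace(BASE, "RPWPCR", USER_SID), risky_aces(BASE))
```

Feeding the output of sc.exe sdshow into add_allow_ace keeps every existing entry intact, and running risky_aces over the result before applying it shows whether the change grants more than start and stop.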

Use SubInACL to allow a user to start/stop/restart a service.

It is easier to use Sysinternals’ SubInACL command line utility (by Mark Russinovich) to manage service permissions. The syntax of this tool is much simpler and easier to use. Here is how to grant authorization for a service restart using SubInACL :

  1. Download subinacl.msi from this site (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it on the target system;
  2. In the command prompt, navigate to the folder that contains the utility: cd "C:\Program Files (x86)\Windows Resource Kits\Tools"
  3. Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO
    Note. In this case we have given the user permission to pause (pause/resume), start and stop (restart) the service.
    Here is the complete list of available service permissions:
    F: Full Control
    R: Generic Read
    W: Generic Write
    X: Generic eXecute
    L: Read controL
    Q: Query Service Configuration
    S: Query Service Status
    E: Enumerate Dependent Services
    C: Service Change Configuration
    T: Start Service
    O: Stop Service
    P: Pause/Continue Service
    I: Interrogate Service
    U: Service User-Defined Control Commands
    To do the same for a service running on a remote computer, use the following subinacl syntax:
    subinacl /SERVICE \\my-othersver\spooler /grant=contoso\tuser=F
  4. Now you just need to log in to the computer with the user account and try to restart the service with the commands:
    net stop spooler
    net start spooler
    or
    sc stop spooler
    sc start spooler

If you have done everything correctly, the service should restart. To revoke the assigned service permissions, use the /revoke option of the subinacl.exe utility. For example:

subinacl.exe /service spooler /revoke=contoso\tuser

How can I change the permissions of a Windows service via Process Explorer?

You can change the permissions for Windows services with another Sysinternals utility – Process Explorer. Start Process Explorer as administrator and locate the process of the desired service. In our example, it is spoolsv.exe (the spooler executable file is C:\Windows\System32\spoolsv.exe). Open the process properties and go to the Services tab.

Click on the "Permissions" button and add a user or group in the window that opens. Then select the permissions you want to grant (Full Control/Write/Read).

Setting Windows service permissions with PowerShell

There is a separate unofficial PowerShell module in TechNet Gallery to manage permissions for various Windows objects – the PowerShellAccessControl module (you can download it here). You can also use this module to manage service permissions. Install this module and import it into your PS session:

Import-Module PowerShellAccessControl

You can obtain the effective permissions for a specific Windows service in PowerShell as follows:

Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser

To allow a non-administrative user to start and stop the Spooler service, run the command:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corp\tuser

Use of security templates to manage service authorizations

Using security templates is a visual, graphical method for managing service permissions, although it takes more steps. Open the mmc.exe console and add the Security Templates snap-in.

Create a new security template (New Template).

Enter a name for the new template and go to System Services. In the list of services, select the "Print Spooler" service and open its properties.

Select the startup mode (Automatic) and press the Edit Security button.

Use the Add button to add the user account or group that should receive permissions. In our case, the Start, Stop and Pause permissions are sufficient.

Save this template.
Tip. The content of the security template is saved as an INF file in the C:\Users\%username%\Documents\Security\Templates folder.

When you open this file, you will see that the permission information is stored in the SDDL format mentioned above. The resulting string can be used as an argument to the sc.exe command.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

All you need to do is create a new database (Open Database) with the Security Configuration and Analysis snap-in and import your security template from the Spooler User Rights.inf file.

Apply this template by choosing "Configure Computer Now" from the context menu.

Now verify that the user can manage the Spooler service under a non-admin account.

How can I give users the right to manage the service through a GPO?

If you need to give users permission to start/stop on multiple servers or on a single domain computer, it is easier to use Group Policy Objects (GPOs) :

  1. Create a new GPO or modify an existing one and link it to the desired Active Directory container (OU) that holds the computer objects. Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services;
  2. Locate the Spooler service and grant authorizations to users as in the method above. Save the changes;
  3. Wait for the GPO to be applied to the client computers and verify that the new service permissions have been assigned.

Where are Windows security permissions stored?

The security settings for all services for which you changed the default permissions are stored in the HKLM\System\CurrentControlSet\Services\<servicename>\Security key, in the Security parameter of type REG_BINARY.

This means that one way to set service permissions on other computers is to export/import this registry setting (also via a GPO).

So far we have looked at different ways to manage Windows service permissions that allow you to grant arbitrary system service permissions to non-administrators.

Frequently asked questions

How can I start a Windows service without administrator rights?

Configure manually: go to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment. Edit the "Log on as a service" policy and add a domain user to it. You can also use Service Security Editor, a GUI tool, to configure all services. You can define specific user rights for each service.

How do I change my service authorizations?

Right-click, select Properties from the menu and choose the Services tab. Click on the “Permissions” button and open the advanced settings. You can assign different permissions to each user or group.
