Permissions or Policy

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Can anyone suggest a way to allow certain users to start and stop particular
services on a server?
I have a group of developers who I wish not to grant administrative access
to, but require the ability to bounce their applications which are service
based. I've looked in the local security policy but do not see anything
that stands out as being able to do this.

Thanks
 
Can anyone suggest a way to allow certain users to start and stop particular
services on a server?
Click to expand...

Such can be done through delegation on the service
properties.

No matter how you do it this will be a permission but
you may distribute it to may machine by using a policy.

On each service there are properties -- on the secure
tab there are permissions available to be delegated.
I have a group of developers who I wish not to grant administrative access
to, but require the ability to bounce their applications which are service
based. I've looked in the local security policy but do not see anything
that stands out as being able to do this.
Click to expand...

Look in the Services control panel or in a GPO->
Windows->Security->Services
 
IIRC the subinacl tool can set permissons on services if it is
the updated version,
http://support.microsoft.com/default.aspx?scid=kb;en-us;827209
else one may do this the long way using the Services section
of a group policy or of a security config template (the last being
the only alternative for a stand-alone).
http://support.microsoft.com/kb/256345/EN-US/

You must make sure that you do not remove the grant of Full to
System when modifying the permissions of services.

You may also seek out the third-party setacl utility which
can manipulate much, including service permissions.
 
Herb, this appears to be true only for system services - those basically
included in the OS/ machine build and do not offer services that are
installed as a result of software intallation or services created that are
non-OS related.
Do you know if I can change the list of services available in the group
policy in order to accomodate these types of services?

Thanks!
 
Herb, this appears to be true only for system services - those basically
included in the OS/ machine build and do not offer services that are
installed as a result of software intallation or services created that are
non-OS related.
Click to expand...

I didn't know that -- I wonder if this is the 'fault' of the
programmers (like not using the Event Log but creating
their own seperate feature for the same purpose) or if
it is the 'fault' of the published APIs?

Maybe it is as simple as the programmer creating a
system object to control access but of course that doesn't
help you....
Do you know if I can change the list of services available in the group
policy in order to accomodate these types of services?
Click to expand...

What would the user be "accessing" for these services?

Log files? Use NTFS...

Registry settings? Use permissions (similar to NTFS)

What else?
 
What are the services?
Normally if you go to a machine where the third party
services are installed and use the Security Templates
snap-in to define a new template you will find that all
services that have registered for starting by the scm
will be in the list.
 
Back
Top