Allow non-admins to start and stop system services

Step 1 – Create the Console

We need to open a hidden console snap-in

1. Click Start > Run (or press WIN + R) and type “mmc.exe”
2. This opens an empty Microsoft Management Console. Click File > Add/Remove Snap-in… (Ctrl+ M)
3. Scroll down the list of available Snap-ins and select Security Configuration and Analysis
4. Click Add
5. Next select Security Templates
6. Click Add
7. Click OK

Step 2 – Create a blank Security Template

In Windows Server 2003 and below you can store these files anywhere but later versions have tougher restrictions so we will be creating everything in D:Securtiy

1. Right-click Security Templates from the console tree and select New Template Search Path …
2. Browse to D:Security, or other local path, and click OK
3. Right-click D:Security from the console tree and select New Template …
4. Give the new template a name, e.g. Custom Services. It doesn’t matter what you use.
5. The Description is optional but may be useful if you want to re-use it
6. Click OK and you will see the new template appear in the console

The point of these templates are to lock-down servers using the Windows Security Configuration Wizard but we are only using them for a simple permission change

Step 3 – Create a Security Database

1. Right-click Security Configuration and Analysis from the console tree and select Open Database…
2. Browse to D:Security, or other local path, and type a name in the File name: box e.g Security
3. Click OK. This creates an Security.sdb file that is used to apply the changes
4. An Import Template window appears. Browse to D:Security/Custom Services.inf and select Open. This applies the template with all the local services to the database
5. If you get the error “The database you are attempting to open does not exist.” then you need to choose a different path i.e. on a local disk
6. Right-click Security Configuration and Analysis from the console tree and select Analyze Computer …
7. Click OK to accept the default log file path
8. You will then be presented with something that looks very similar to the Group Policy Editor or Local Security Policy Console

Step 4 Change Service Permissions

1. Double-Click System Services
2. Scroll down to find the service you need to change, e.g. Fax
3. Double-Click the service
4. Tick the box Define this policy in the database:
5. Click the Edit Security … button
6. Click Add
7. Type in the user name of the Service account e.g. Svc-Phones, and click OK
8. With the Svc-Phones account selected, check the Allow permissions for Start, stop and pause
9. Click OK
10. Click OK on the Service Properties to bring you back to the console
11. You’ll notice the Service now has an ‘x’ on it and  Investigate message on the Permission column. This is because the new permissions we’ve chosen conflict with what is on the local computer

Step 5 – Apply new Security Permissions

1. Right-click Security Configuration and Analysis from the console tree and select Configure Computer …
2. Click OK to accept the default log file path
3. This will apply the new custom permissions to the local computer
4. You can now test it out on the server with the Svc-Phones account and test it works

You can see that this is rather long-winded just to configure permissions on a service. thankfully, you can save everything and it will be quick to re-use in the future or as part of a batch process across servers. If you want to change the permissions on a default Microsoft Service you can use the Security section of Group Policy to achieve the same results.

 

Source:

How To – Allow non-admins to start and stop system services