By default normal users cannot manage Windows services. This means that users cannot stop, start, restart, or change the settings/permissions of Windows services. In some cases, it is necessary for a user to have the permissions to restart or manage certain services. In this post we’ll look at several ways to manage the permissions for Windows services. In particular, we’ll show you how to allow a non-admin user to start, stop and restart a specific Windows service by granting the appropriate permissions.
Suppose, you need to grant the domain account contosotuser the permissions to restart the Print Spooler service (service name – spooler). When the non-admin tries to restart the service, an error appears:
System error 5 has occurred. Access is denied.
There is no simple and convenient built-in tool to manage services permissions in Windows. We’ll look at some ways to grant the permissions to a user to manage the service:
Setting Windows Service Permissions Using the SC.exe (Service controller) Tool
A standard built-in Windows method to manage system service permissions is using the sc.exe (Service Controller) tool. The main problem with using this utility is the complex syntax of the service permissions format (the SDDL format — Security Description Definition Language).
You can get the current permissions for a Windows service as an SDDL string like this:
sc.exe sdshow Spooler
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
What do all these symbols mean?
S: — System Access Control List (SACL) D: — Discretionary ACL (DACL)
The first letter after brackets means: allow (A) or deny (D).
The next set of symbols is assignable permissions.
CC — SERVICE_QUERY_CONFIG (request service settings) LC — SERVICE_QUERY_STATUS (service status polling) SW — SERVICE_ENUMERATE_DEPENDENTS LO — SERVICE_INTERROGATE CR — SERVICE_USER_DEFINED_CONTROL RC — READ_CONTROL RP — SERVICE_START WP — SERVICE_STOP DT — SERVICE_PAUSE_CONTINUE
The last 2 characters are the objects (user, group or SID) that are granted permissions. There is a list of predefined groups.
AU Authenticated Users AO Account operators RU Alias to allow previous Windows 2000 AN Anonymous logon AU Authenticated users BA Built-in administrators BG Built-in guests BO Backup operators BU Built-in users CA Certificate server administrators CG Creator group CO Creator owner DA Domain administrators DC Domain computers DD Domain controllers DG Domain guests DU Domain users EA Enterprise administrators ED Enterprise domain controllers WD Everyone PA Group Policy administrators IU Interactively logged-on user LA Local administrator LG Local guest LS Local service account SY Local system NU Network logon user NO Network configuration operators NS Network service account PO Printer operators PS Personal self PU Power users RS RAS servers group RD Terminal server users RE Replicator RC Restricted code SA Schema administrators SO Server operators SU Service logon user
Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID for the current user, you can use the command:
whoami /user
Or you can find the SID for any domain user using the Get-ADUser cmdlet:
Get-ADUser -Identity 'sadams' | select SID
You can get the SID of the AD security group using the Get-ADGroup cmdlet:
Get-ADGroup -Filter {Name -eq "ny-ithelpdesk"} | Select SID
In order to assign the SDDL permissions string for a specific service, you can use the sc sdset command. For example, the permissions can be granted to a user with the following command:
sc sdset Spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Using the SubInACL to Allow a User to Start/Stop/Restart Service
It is easier to use a command line tool SubInACL from the Sysinternals (by Mark Russinovich) to manage the service permissions. The syntax of this tool is much easier and more convenient. Here is how you can grant the restart permissions for a service using the SubInACL:
- Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it on the target system;
- In the elevated command prompt, go to the directory containing the tool:
cd “C:Program Files (x86)Windows Resource KitsTools"
- Run the command:
subinacl.exe /service Spooler /grant=contosotuser=PTO
Note. In this case we have granted a user the permissions to suspend (pause/continue), start and stop (restart) a service. The full list of the available service permissions:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
If you need to grant permissions to a service running on a remote computer, use the following syntax of the subinacl command:subinacl /SERVICE \my-otherserverspooler /grant=contosotuser=F
- Now you only have to logon the computer under a user account and try to restart the service with the commands:
net stop spooler
net start spooler
orsc stop spooler && sc start spooler
If you did everything right, the service should restart. To revoke the assigned service permissions, use the /revoke
option of the subinacl.exe tool. For example:
subinacl.exe /service Spooler /revoke=contosotuser
How to Change Windows Service Permission Using Process Explorer?
You can change Windows service permissions using one more Sysinternals utility – Process Explorer. Run the Process Explorer as administrator and find the process of the service you need. In our example, this is spoolsv.exe (the spooler executable – C:WindowsSystem32spoolsv.exe
). Open the process properties and click the Services tab.
Click the Permissions button and add the user or group in the window that opens. After that select the permissions that you want to assign (Full Control/Write/Read).
Setting Windows Service Permissions Using PowerShell
In TechNet gallery there is a separate unofficial PowerShell module for managing permissions for different Windows objects – PowerShellAccessControl Module (you can download it here). This module also allows you to manage the service permissions. Install this module and import it into your PS session:
Import-Module PowerShellAccessControl
You can get the effective permissions for a specific Windows service from PowerShell like this:
Get-Service spooler | Get-EffectiveAccess -Principal corptuser
To allow non-admin user to start and stop spooler service, run the command:
Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corptuser
Using Security Templates to Manage Service Permissions
A visual (but requiring more actions) graphical way to manage service permissions is using Security Templates. Open mmc.exe console and add the Security Templates snap-in.
Create a new security template (New Template).
Specify the name for the new template and go to the System Services section. In the list of services select the service Print Spooler and open its properties.
Select the startup mode (Automatic) and click Edit Security.
Using the Add button, add a user account or a group to grant permissions to. In our case, Start, stop and pause permission is enough.
Save this template.
Note. The content of the Security Template is saved as the INF file in the C:Users%username%DocumentsSecurityTemplates folder.
If you open this file, you can see that the information about the permissions is saved in the SDDL format, mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Now you only have to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import your Security Template from the file Spooler User Rights.inf.
Apply this template by selecting Configure Computer Now option from the context menu.
Now you check that the user can allow manage the Print Spooler service under non-admin account.
How to Grant Users Rights to Manage a Service using GPO?
If you have to grant permissions to users to start/stop a service multiple servers or domain computer, it’s easier to use Group Policy (GPO) features:
- Create a new GPO or edit the existing one, link it to the necessary Active Directory container (OU) with the computer objects . Go to the policy section Computer configuration -> Windows Settings -> Security Settings -> System Services;
- Find the Spooler service and grant permissions to the users like in the method described above. Save the changes;
- Wait until the GPO is applied on client computers and make sure that the new service permissions have been assigned.
Where are the Windows service security permissions stored?
The security settings for all services for which you changed the default permissions are stored in their own registry key HKLMSystemCurrentControlSetServices<servicename>Security
in the Security parameter of the REG_BINARY type.
This means that one of the ways to set service permissions on other computers is to export/import this registry parameter (including through a GPO).
So, we looked at several ways to manage the Windows service permissions, which allow you to grant any permissions for system services to non-admin user.