Tuesday, November 20, 2012 10:01 AM
Morning guys! Today's topic: allow a user to restart a service on a server.
We have third party software running on one of our servers, and this software also runs a service. This service needs to be restarted every now and then - the software is kinda buggy. And because I'm working in a 24x7 environment in can happen that this service needs to be restarted at 3am. Instead of people calling me at 3am, I want to grant a couple of users the rights to restart the service when they need to.
In the Server 2003 era, a great tool was available to do this: subinacl. However, this tool was never released for Server 2008 officialy, but I heard about people running it perfectly on ws2008. Before putting this into a production environment, I tried to allow a user to restart the Windows Update service in a testing environment. I downloaded and installed a toolkit containing subinacl. I have one server (lab-dc01) running ws2008r2 and a client running w7.
I opened a command prompt on the server where I wanted the user to start/stop the Windows update service, and entered this:
subinacl /service wuauserv GRANT=testlab\s.trekhaak=TO
But then I got this:
/primary group =system
/audit ace count =1
/aace =everyone SYSTEM_AUDIT_ACE_TYPE-0x2
SERVICE_QUERY_CONFIG-0x1 SERVICE_CHANGE_CONFIG-0x2 SE
SERVICE_ENUMERATE_DEPEND-0x8 SERVICE_START-0x10 SE
SERVICE_INTERROGATE-0x80 DELETE-0x10000 RE
/perm. ace count =3
/pace =authenticated users ACCESS_ALLOWED_ACE_TYPE-0x0
SERVICE_QUERY_CONFIG-0x1 SERVICE_QUERY_STATUS-0x4 SE
SERVICE_START-0x10 SERVICE_INTERROGATE-0x80 RE
/pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
/pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : wuauserv
Wow, lots of text, not a simple "command executed successfully"... so I tried to restart a service on the server, from a client in the testdomain as a standard user:
C:\Users\s.trekhaak>sc \\lab-dc01 stop wuauserv
[SC] OpenService FAILED 5:
Access is denied.
Hmm, so it's not working. I am logged on as testlab\s.trekhaak on the client, and as an admin on the server. I tried to specify a server when running the command:
SUBINACL /service \\lab-dc01\wuauserv GRANT=testlab\s.trekhaak=TO
But I got the same results. I found another topic about this problem on Technet, which was solved by using this command:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)Unfortunately, that didn't help either. Does anyone know what the error from subinacl means? It's just gibberish to me :(
Wednesday, November 21, 2012 8:35 AM
I suggest you check similar thread
Regards, Ravikumar P
Thursday, November 22, 2012 12:33 PM
I found that thread when looking for a solution, I tried the command which solved his problem but it didn't work for me :( I guess it's not possible to change the ACL on ws2008 services.
- Marked As Answer by Cheers ZHANGMicrosoft Contingent Staff, Moderator Tuesday, November 27, 2012 2:27 AM