locked
Preventing users from stopping a particular service with a GPO. RRS feed

  • Question

  • Our IT users currently are admins of their machines and because of this they can start and stop any services they want. There is one particular services that we don't want them to stop since it performs daily hardware and software audits. Is there simple way to prevent them from stopping this particular service without hindering the ability to stop/start other services with the use of a GPO? Thanks for any help.

    Kraag
    Tuesday, August 26, 2008 8:10 PM

Answers

  • This can certainly be achieved using Group Policies.
    Here's a detailed how to:
          
    1. Log on to a machine that has the particular service installed using an account with sufficient rights to create group policy objects. (for instance a Domain Admin)
    2. Install the Group Policy Management Console (GPMC) available here.
    3. Start the Group Policy Management MMC (gpmc.msc)
    4. Select the Organization Unit (OU) where you've placed your client computers
      (if this is the default Computers OU, you can't link a Group Policy object. Link it to the domain instead)
    5. Right click the OU and select the Create and link a new gpo here... option from the menu
    6. Give the new Group Policy object (GPO) a distinctive name (like Policy to enable Service ABC)
    7. Select the Group Policy Object itself, richt click it and select the Edit option from the menu
    8. Navigate to the Computer Configuration\Window Settings\Security Settings\System Services part of the GPO.
    9. A list of Services on the local computer should show up.
    10. Search the service you want to be forced and select it.
    11. Double click the Service Name
    12. Click Define this policy.
    13. Change the security setting to only enable a group of 'real' administrators to overrule these settings
    14. Set the Service startup mode as Automatic.
    15. Click OK
    16. Close the Group Policy Management Console
    17. Log off

       

    Now you only have to wait 90 minutes for the default background policy refresh and your settings will be applied to the computers in the Organizational Unit you applied the settings to.

    Wednesday, August 27, 2008 7:15 AM

All replies

  • This can certainly be achieved using Group Policies.
    Here's a detailed how to:
          
    1. Log on to a machine that has the particular service installed using an account with sufficient rights to create group policy objects. (for instance a Domain Admin)
    2. Install the Group Policy Management Console (GPMC) available here.
    3. Start the Group Policy Management MMC (gpmc.msc)
    4. Select the Organization Unit (OU) where you've placed your client computers
      (if this is the default Computers OU, you can't link a Group Policy object. Link it to the domain instead)
    5. Right click the OU and select the Create and link a new gpo here... option from the menu
    6. Give the new Group Policy object (GPO) a distinctive name (like Policy to enable Service ABC)
    7. Select the Group Policy Object itself, richt click it and select the Edit option from the menu
    8. Navigate to the Computer Configuration\Window Settings\Security Settings\System Services part of the GPO.
    9. A list of Services on the local computer should show up.
    10. Search the service you want to be forced and select it.
    11. Double click the Service Name
    12. Click Define this policy.
    13. Change the security setting to only enable a group of 'real' administrators to overrule these settings
    14. Set the Service startup mode as Automatic.
    15. Click OK
    16. Close the Group Policy Management Console
    17. Log off

       

    Now you only have to wait 90 minutes for the default background policy refresh and your settings will be applied to the computers in the Organizational Unit you applied the settings to.

    Wednesday, August 27, 2008 7:15 AM
  • Thanks for the detailed step by step. You the man!
    Wednesday, August 27, 2008 1:59 PM
  • Any way to do this on Windows 7 without a domain?
    Sunday, February 16, 2014 1:48 PM
  • This is a good way to do that, but even if the domain admins has full control they can't start the process back. Is there any way to do this?
    Thursday, June 15, 2017 5:49 PM
  • It should be noted that a smart Administrator can modify the service also directly in Registry at

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\...

    and thus bypass the GPO.

    I assume setting "Start = 3" will not help as the GPO will reset the startup type. But you can modify the "ImagePath" value and put some junk into it. Then the service does not start anymore.

    Monday, January 28, 2019 2:59 PM