Start and stop services on a remote machine

    Question

  • I installed the GPO role to a member server where the software I need to control the services is, so that I could get the correct services into a group policy.  It all seemed to work.  I assigned the user Allow - Read and Allow - Start, Stop, Pause and continue rights.

    The GPO is then applied to the OU that houses many member servers, however the security filtering is set so that it's applied to only the one server.  Server has been rebooted.

    GPResult shows it as an applied (computer) policy object.

    The user does not log into the server.  He opens the services mmc locally, and then tries to connect to the remote machine, which results in an access denied error.  I know the rights are correct for the services themselves, and he should be able to restart the services, but he needs to be able to get into the services snapin first.  Did I miss something with rights that would enable the snapin to be opened?

    Wednesday, August 24, 2016 5:59 PM

Answers

  • Hi Willmeister and thanks for posting here.
    Have you seen this earlier post regarding the same thing?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5a2c5546-27a8-4fd1-abfd-71761b335c8b/non-admin-access-to-windows-services-on-a-server-via-mmc-from-a-client-pc?forum=winserverprint

    Regards
    -Tomi

    Tomi Pietilä, Blog, Twitter


    Wednesday, August 24, 2016 8:10 PM

All replies

  • I should have mentioned, the sc command doesn't seem to work.  I'll have him try once more.
    Wednesday, August 24, 2016 9:21 PM
  • Hi,
    Please try adding the user account to the administrator group of the server that is hosting the service, and try again to see if it works.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 26, 2016 5:51 AM
    Moderator
  • OK.  But for compliance reasons I can't leave it.  I'm pretty sure that will work though.

    EDIT:  Just tried it, that works of course.  But if I'm an administrator on the machine, then I don't need the above GPO to give me rights to start/stop the specific services.  So what's next?

    • Edited by Willmeister Friday, August 26, 2016 7:18 PM tested...
    Friday, August 26, 2016 5:18 PM
  • Hi,

    You might need to grant remote desktop services permissions for the users which are used to control which users or groups can perform particular tasks on the RD Session Host server. Please see details from: https://technet.microsoft.com/en-us/library/cc753032(v=ws.11).aspx
    Please refer to the following thread regarding allowing non-admins to restart certain services:
    Allow non admins to restart certain services - Server 2008
    https://social.technet.microsoft.com/Forums/office/en-US/718ac736-17df-4c03-ae3a-533cf1020fe4/allow-non-admins-to-restart-certain-services-server-2008?forum=winservergen

    Best Regards,
    Wendy

    Tuesday, August 30, 2016 2:36 AM
    Moderator
  • This is not an RDSH server, not really sure where that came from.  It's a member server with a standalone application.  And it's also Server 2008 R2.

    The users that administer the application do not have RDP or log on rights to the server.

    In order to support their application they need to be able to remotely restart specific services, from their own machine.  The easiest way for the users to do that is to open the services.msc snapin, and then connect to this server.  The GPO grants them rights to these services.  But apparently having rights to the services simply isn't enough to run the services.msc GUI on the remote box.  Though I think it should be.  That's my first real problem.

    Tomi's reply above and the link are exactly what I'm trying to do, however the SC command does not work either.  It very much appears to be a rights issue.  However, when I'm logged into the server as admin, and I run SC SDSHOW on one of these services:

    sc sdshow cosmosadapterservice

    D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-
    1201439989-xxxxxxxxxx-xxxxxxxxx-6662)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCL
    CSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1201439989-xxxxxxxxxx-xxxxxxxxxx-4000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    The SID ending in 6662 is my test user that is added to the GPO that's applied to this machine.  I don't know the syntax but I can see "RPWPDTLO" which I believe is start, stop, restart and query.

    So everything *looks* correct but it's not working, at least not as I expect it to.

    Tuesday, August 30, 2016 6:38 PM
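
An added example, not part of the thread: a small Python decoder for the `sc sdshow` output quoted in the post above, using the standard SDDL right codes for service objects. The function names and the `OVERBROAD` set are this example's own, and it only looks at ACEs that name the trustee directly (group membership is not resolved).

```python
import re

# SDDL right codes as interpreted for service objects (standard Win32 mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights beyond operating the service: they allow reconfiguring it or
# rewriting its ACL, so they should not sit on an operator account.
OVERBROAD = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, {right names})] for the D: section only."""
    sddl = "".join(sddl.split())              # undo console line wrapping
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue                          # malformed ACE, skip it
        codes = re.findall(r"[A-Z]{2}", fields[2])
        aces.append((fields[0], fields[5], {SERVICE_RIGHTS.get(c, c) for c in codes}))
    return aces

def audit_trustee(sddl, trustee):
    """Summarise what one trustee is explicitly granted on the service.
    Simplification: deny ACEs for the same trustee are subtracted."""
    allowed, denied = set(), set()
    for ace_type, who, rights in parse_dacl(sddl):
        if who != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    effective = allowed - denied
    return {"can_start": "START" in effective, "can_stop": "STOP" in effective,
            "overbroad": sorted(effective & OVERBROAD)}

# `sc sdshow` output as posted above, line wraps and masked SIDs kept as posted.
POSTED = """D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-
1201439989-xxxxxxxxxx-xxxxxxxxx-6662)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCL
CSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1201439989-xxxxxxxxxx-xxxxxxxxxx-4000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"""
TEST_USER = "S-1-5-21-1201439989-xxxxxxxxxx-xxxxxxxxx-6662"

if __name__ == "__main__":
    print(audit_trustee(POSTED, TEST_USER))
```

On the posted descriptor, the ACE for the SID ending in 6662 decodes to the same full set as SY and BA, including CHANGE_CONFIG and WRITE_DAC, which is more than a start/stop delegation needs; an ACE limited to query, start, stop and pause rights would report an empty `overbroad` list.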
  • New interesting find.  Added the vmtools service to the GPO and tested.  Worked flawlessly.

    Is it possible that the services from this app are written in such a way they do NOT respond to SC requests?

    Also, my original intent was to have the users use the services.msc console and connect to this server, and my thought was that once they have access to a few of the services (through the GPO) that they would then be able to open that snapin.  I see now the flawed logic and why SC is the way to go.   They would need admin rights on the server in order to open services.msc.  But by giving the rights to the services individually, they can and should be able to use the SC command... so now the question, why is it not working with these specific services?
    • Edited by Willmeister Wednesday, August 31, 2016 6:26 PM Added an update..
    Wednesday, August 31, 2016 4:51 PM
  • Hi,
    What are the specific services? Are they built-in Windows services or third-party services?
    Best Regards,
    Wendy

    Friday, September 02, 2016 10:09 AM
    Moderator
  • Hi,
    Could you try to grant the needed permissions via subinacl.exe?
    As the SC command is not working for you, could you try to do it via PowerShell, as described in the following article?

    Please check the following articles:
    http://serverfault.com/questions/357424/how-do-i-grant-permissions-to-remotely-start-stop-a-service-using-powershell

    http://woshub.com/set-permissions-on-windows-service/

    Regards,
    -Tomi

    Tomi Pietilä, Blog, Twitter

    Friday, September 02, 2016 10:38 PM
  • These are for 3rd party applications.  They are not Windows services.

    I'm waiting on the user to test.  The problem is it's a production app server so I can't just restart the services whenever, we usually have to wait for there to be an issue.  Luckily that happens fairly regularly so I'm sure an opportunity to restart the services is coming this week :)

    Tuesday, September 06, 2016 10:37 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    I appreciate your feedback.

    Best regards,

    Wendy

    Friday, September 09, 2016 1:19 AM
    Moderator
  • Thanks for checking back.  Actually it's now working on 2 out of 3 servers.  The last one is that production box, where I'm still waiting for there to be a reason to restart the services.  But at this point I know that SC is the way to go.  I now know that if you have access to services, if you don't have admin rights on the actual server, you can't open services.msc, which was part of the misunderstanding.  So I think it's all good now...thanks everyone!

    Friday, September 09, 2016 5:16 PM
  • Hi Team,

    Please check the following link for answer!!

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/4c984184-6749-4069-83d8-336a923096d3/stopstart-restart-service-on-remote-server?forum=ITCG#25f30718-3e19-483a-8646-900be8ae702c

    Thanks,
    NTRao.
    Wednesday, November 23, 2016 10:02 AM