12 January 2011

Allow a non-admin user to restart a service in Windows Server 2008

  1. Obtain the user's SID (using a short script)
  2. Format the SDDL correctly
  3. Apply the permissions
  4. Verify the process
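Script in VB for SID: (copy and paste the script into Notepad, save it as "SID.vbs" and run it)
' Replace USERNAME and DomainName below with the account's own values.
strComputer = "."
' Connect to WMI on the local computer
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Look up the user account object
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='USERNAME',Domain='DomainName'")
' Show the account's SID
Wscript.Echo objAccount.SID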

Command for obtaining the Security Descriptor Definition Language (SDDL):
cmd>>
sc sdshow servicename (the name should be the exact service name)

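Command to grant permission (type it as a single line):
cmd>>
sc sdset servicename D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWP;;;S-1-5-21-671767478-4120628812-988426340-2271)
sc sdset replaces the service's whole security descriptor, so the string you pass should be the output of sc sdshow for that service with the new (A;;RPWP;;;SID) entry added to the D: part.
Access granted! You're done. Please verify by starting the service as the non-admin user.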

Description:
(A;;RPWP;;;S-1-5-21-671767478-4120628812-988426340-2271)
Replace the SID with the one you get from the VB script above.
SID   - USERNAME
A     - Allow
RP    - Read all properties
WP    - Service handling
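
The four steps above as one PowerShell script. This is an added example, not part of the original post. It assumes PowerShell 2.0 or later in an elevated prompt; the service name, account name, backup file name and the helper Add-ServiceAce are placeholders chosen for illustration.

```powershell
# Added example. Placeholders: replace both values, then run from an elevated prompt.
$ServiceName = 'servicename'           # exact service name, as passed to "sc sdshow"
$Account     = 'DomainName\USERNAME'   # non-admin account that should restart it

# Hypothetical helper: returns the SDDL with an allow ACE for $Sid added to the DACL.
function Add-ServiceAce {
    param([string]$Sddl, [string]$Sid, [string]$Rights = 'RPWP')
    # On service objects RP is the start right and WP is the stop right.
    if ($Sddl -notmatch '^D:') { throw "No DACL found in: $Sddl" }
    $ace = "(A;;$Rights;;;$Sid)"
    if ($Sddl.Contains($ace)) { return $Sddl }        # already granted, nothing to add
    # A SACL ("S:" section) follows the DACL when present; the ACE must go before it.
    $sacl = $Sddl.IndexOf('S:')
    if ($sacl -lt 0) { return $Sddl + $ace }
    return $Sddl.Insert($sacl, $ace)
}

# Step 1: obtain the user's SID (same result as SID.vbs).
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 2: read the current SDDL and format the new one from it.
# "sc.exe" is spelled out because "sc" alone is a PowerShell alias for Set-Content.
$current = ((& sc.exe sdshow $ServiceName) -join '').Trim()
$updated = Add-ServiceAce -Sddl $current -Sid $sid

# Keep the original descriptor so it can be put back with "sc sdset" if needed.
Set-Content -Path ".\$ServiceName-sddl-backup.txt" -Value $current

# Step 3: apply the permissions (sdset replaces the whole descriptor).
if ($updated -ne $current) {
    & sc.exe sdset $ServiceName $updated
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}

# Step 4: verify that the new ACE is present in the stored descriptor.
$check = ((& sc.exe sdshow $ServiceName) -join '').Trim()
if ($check.Contains("(A;;RPWP;;;$sid)")) { "ACE for $Account is in place" }
else { Write-Warning "ACE for $Account not found in: $check" }
```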

