How to Grant Users Rights to Manage Services (Start, Stop, Etc.)

How to Grant Users Rights to Manage Services (Start, Stop, Etc.)



 

Method 1: (applies to local users)

  
By default, users can't control system services they'll receive an "Error 5: Access is denied" error message. The following steps show how to use Group Policy to grant a user access to control the service (ex : print spooler service)

1, Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services.

2, Navigate to the Computer Configuration, Windows Settings, Security Settings, System Services.

3, Double-click the service for which you want to delegate permissions (e.g., Print Spooler).

4, Select the "Define this policy setting" and click Edit Security.

5, Click Add and enter the user/group to be given permissions.

6, After you select the user/group, pick the permissions you want to give to group members (e.g., "Start, stop and pause") and click OK.

7, Ensure the services startup type is correct (e.g., Automatic) and click OK.

8, After the Group Policy has been applied to the target machines, the user/group given control will be able to perform the delegated actions.
  
 

Method 2: (applies to domain users)

  
To Start, Stop, and Pause a service, users need the Read and the Stop, Start, and Pause permissions. These permissions are exposed only through Group Policy. You can create organizational units (OUs) that contain the workstations that you want the policy applied to. To assign service permissions to the computers in an OU, perform these steps:
 
1, Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.


2, Right-click a Domain (example: Contoso.com) and press New, Organizational Unit.



3, Name the OU (example: Services) and press OK.



4, Open the Microsoft Management Console (MMC) Group Policy Management snap-in.


4, Right-click this Services OU and select Create a GPO in this domain, and Link it here.


5, Name the policy (example: Services) and press OK.





6- Right-click this Services GPO and select Edit.



7- Navigate to Computer Configuration\Windows Settings\Security Settings\System Services and Double-click or Right-click the service you want users to manage (example: DHCP Client).




6- Select the "Define this Policy Setting" check box, than select "Automatic". Now select "Edit Security". Select "Addand add any user or groups you desire (example: Ed.Price@Contoso.com) and press "OK".

7- Grant the User "Ed.Price@Contoso.com" both "Read" and "Stop, Start, and Pause" permissions and press "OK".


8- Close the policy and press "OK".



9- Move the computer accounts (example: CLIENT1) for which you want to apply the policy into the Services OU.



Community Resources

How to Add Third-Party Services to the System Services in Group Policy

How To Configure Group Policies to Set Security for System Services

How To Configure Group Policies to Set Security for System Services in Windows Server 2003  

 

 

Leave a Comment
  • Please add 3 and 5 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Richard Mueller edited Revision 6. Comment: Removed (en-US) from title, added tags

  • Patris_70 edited Revision 4. Comment: Thanks Ed

  • Ed Price - MSFT edited Revision 2. Comment: Great article, Patris!

  • Ed Price - MSFT edited Revision 1. Comment: Title and font

Page 1 of 1 (4 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Ed Price - MSFT edited Revision 1. Comment: Title and font

  • Ed Price - MSFT edited Revision 2. Comment: Great article, Patris!

  • Patris_70 edited Revision 4. Comment: Thanks Ed

  • Good job

  • Thanks M.Abdelhamid

  • Excellent, thank you.

  • Nice Pat

  • Another option is to use System Frontier. It allows you to delegate permissions to start and/or stop one or more services. You can use wildcards and apply permissions using role based access. Check it out at http://systemfrontier.com

  • Richard Mueller edited Revision 6. Comment: Removed (en-US) from title, added tags

  • Thanks RBogdan & i.biswajith

Page 1 of 1 (10 items)