Sometimes you want a user to have the ability to start/stop services for certain software, but without giving their account the required administrator privileges.
The guide below will help you grant permissions for a non-administrator account to have the ability to start and stop a particular chosen service in Windows 7, Windows 8, Windows Server 2008 and Windows Server 2012.
- Click Start, Run and type "mmc.exe"
- Microsoft Management Console opens, once this happens, click File then Add/Remove Snap-in
- Choose "Security Configuration and Analysis" from the list and Add
- Choose "Security Templates" and Add, then Click OK.
We now need to create a blank security template.
- Firstly, create a folder in the root called "Security", e.g. C:\Security
- Go back into the Microsoft Management Console (MMC) and right-click "Security Templates" and then "New Template Search Path".
- Choose the newly created Security directory, e.g. C:\Security and click OK
- Right-Click C:\Security from the console tree on the left and click "New Template" and give it a name, I'll name it "custom services". Click OK
- Right-Click on the "Security Configuration and Analysis" option on the left, and select "Open Database". Browse to C:\Security (or whatever the name of the directory you created previously is) and name the database "Security". Click OK to create a Security.sdb file which is used to apply the changes.
- After clicking OK, an "Import Template" screen comes up - browse to C:\Security and choose "custom services.inf". This will then apply the template with all the local services to the database.
N.B. If you get an error at this point, then you need to go back to the start and create the security templates on a local disk
- Now Right-Click "Security Configuration and Analysis" again and choose "Analyze Computer" and accept the default log path. Then you will see a screen that looks similar to the below
- Now double-click System Services, and scroll down to find the service you want to change stop/start permissions for, e.g. Fax
- Double-Click and tick the "Define this policy in the database" box and then the click the "Edit Security button
- Click Add, and type in the username of the account you want to modify permissions for, then click OK
- Now with the username selected, check the "Allow" permissions for "Start, Stop and Pause" and click OK and OK again
- You'll see a red "x" next to the service because the permissions for it conflict with the local computer permissions, so we now need to apply the new security permissions
- Right-click "Security Configuration and Analysis" from the left and then "Configure Computer" and then click OK.
Now the new permissions should be applied, test to make sure it works, and if it doesn't double check you followed all the steps correctly all the way through
No comments:
Post a Comment