
Delegating ability to start/restart/stop services

  • Delegating ability to start/restart/stop services


    I had a look at this article and it's basically what I want to do:

    I have all of our servers in one OU, but when I create a new GPO on that OU, not all of the services I want to be able to delegate are in there.

    For example, SharePoint services which are peculiar to our SharePoint server are not listed in the GPO, and SQL services which are peculiar to our SQL server do not appear.

    The ones that do appear seem to be services which are common across all of the servers.

    Is there another way I can delegate permission to control services on individual servers? Could this be performed via Local GP?



  • #2
    Re: Delegating ability to start/restart/stop services

    System services do not appear in the local group policy.


    • #3
      Re: Delegating ability to start/restart/stop services

      Looks like I'm going to have to use security templates to perform this task.

      Method 1: Use Group Policy

      You can use Group Policy to change permissions on system services. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      324802 HOW TO: Configure Group Policies to Set Security for System Services in Windows Server 2003
      Method 2: Use Security Templates

      To use security templates to change permissions on system services, create a security template. To do this, follow these steps:
      1. Click Start, click Run, type mmc in the Open box, and then click OK.
      2. On the File menu, click Add/Remove Snap-in.
      3. Click Add, click Security Configuration and Analysis, click Add, click Close, and then click OK.
      4. In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
      5. Specify a name and location for the database, and then click Open.
      6. In the Import Template dialog box that appears, click the security template that you want to import, and then click Open.
      7. In the console tree, right-click Security Configuration and Analysis, and then click Analyze Computer Now.
      8. In the Perform Analysis dialog box that appears, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK.
      9. After the analysis is complete, configure the service permissions as follows:
        a. In the console tree, click System Services.
        b. In the right pane, double-click the service whose permissions you want to change.
        c. Click to select the Define this policy in the database check box, and then click Edit Security.
        d. To configure permissions for a new user or group, click Add. In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, and then click OK.
        e. In the Permissions for User or Group list, configure the permissions that you want for the user or group. Note that when you add a new user or group, the Allow check box next to the Start, stop and pause permission is selected by default. This setting permits the user or group to start, stop, and pause the service.
        f. Click OK two times.
      10. To apply the new security settings to the local computer, right-click Security Configuration and Analysis, and then click Configure Computer Now.
      NOTE: You can also use the Secedit command-line tool to configure and analyze system security. For more information about Secedit, click Start, and then click Run. Type cmd in the Open box, and then click OK. At the command prompt, type secedit /?, and then press ENTER. Note that when you use this method to apply settings, all the settings in the template are reapplied, and this may override other previously configured file, registry, or service permissions.


      • #4
        Re: Delegating ability to start/restart/stop services

        See also:

        Before Active Directory and GPOs, you had to configure system services on each computer individually. Then, with the advent of GPOs, you could configure system services within the GPO to apply to multiple computers in a consistent manner. With security templates, you can configure the system services offline, test them, then roll them out with a GPO.
        You can control many aspects of System Services by using security templates. Here are the options that you can configure for Services from a GPO:
        • Startup mode – You can configure Automatic, Manual, or Disabled.
        • ACL – Each service has an ACL, even though you can’t see this from the Service itself. The GPO opens up this option. You can configure users or groups to have access to Start, Stop, Manage, etc. for each service.
        The configuration of the security template with regard to system services is unique. Which computer you use to configure the security template dictates which system services are available in the interface to configure. For example, if you configure the security template from a Windows XP Professional computer that has a default installation, you won’t be able to configure certain services in the security template such as IIS and File Replication Service. The solution to this problem is to create and manage security templates from computers that have all of the necessary services that you need to configure on the target computers.
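
The security-template route from posts #3 and #4, scripted with Secedit; this is an added example, not code from the thread or from the Microsoft article. It assumes an elevated PowerShell session on the server that actually hosts the service (which is why the service is visible there); the service name, group name and working folder are placeholders.

```powershell
# Added example: names below are placeholders, not values from the thread.
$ServiceName = 'Spooler'                 # assumed service to delegate
$Group       = 'CONTOSO\Svc-Operators'   # hypothetical delegated group
$WorkDir     = Join-Path $env:TEMP 'svc-delegation'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Resolve the group to a SID; SDDL ACEs need the SID form.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Current security descriptor of the service (sc.exe prints a blank line first).
$sddl = ((sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join '').Trim()
if ($sddl -notmatch '^D:') { throw "Unexpected sdshow output: $sddl" }

# ACE rights: LC=query status, RP=start, WP=stop, DT=pause/continue,
# LO=interrogate, RC=read the ACL.
# DC (change config), WD (write DAC) and WO (write owner) are left out on purpose:
# they would let the group repoint the service binary or rewrite this ACL.
$ace = "(A;;LCRPWPDTLORC;;;$sid)"
if ($sddl.Contains($ace)) {
    $newSddl = $sddl                     # already delegated, keep as is
} else {
    $i = $sddl.IndexOf('S:')             # a SACL section, if present, stays last
    $newSddl = if ($i -ge 0) { $sddl.Insert($i, $ace) } else { $sddl + $ace }
}

# Keep the startup mode the service already has (template: 2=Automatic, 3=Manual, 4=Disabled).
$modeMap   = @{ Auto = 2; Manual = 3; Disabled = 4 }
$startMode = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartMode
$startup   = $modeMap[$startMode]
if (-not $startup) { throw "Unsupported start mode '$startMode' for $ServiceName" }

# Template containing only the service entry, so nothing else is defined in it.
$cfg = Join-Path $WorkDir 'services.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Service General Setting]
"$ServiceName",$startup,"$newSddl"
"@ | Set-Content -Path $cfg -Encoding Unicode

# /areas SERVICES limits the run to the system services section of the template.
secedit /configure /db (Join-Path $WorkDir 'services.sdb') /cfg $cfg /areas SERVICES /log (Join-Path $WorkDir 'services.log')
sc.exe sdshow $ServiceName               # confirm the new ACE is present
```

The same `services.inf` can be imported into a GPO's security settings to roll the ACL out to other servers that run the service.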