You can definitely use Group Policy to grant users rights to start / stop services. You just need to modify the security descriptor on the service using the "Security" group policy client side extension.
A very slight caveat: I have seen cases where some services don't like the default permission that a group policy-based modification puts on a service (look at this posting about the Windows Search service if you want to see what I'm talking about: http://peeved.org/blog/2007/12/07), but that has been uncommon in my experience.
In order to "see" the service in the Group Policy editor you'll need to do the editing on a computer that has the service installed. (If this is a stock Windows service then it's no big deal, but if it's something third-party get on a machine that has it installed, "runas" a copy of MMC, and snap-in a Group Policy editor targeted at the GPO where you want to put these settings.)
Under "Computer Settings", "Windows Settings", "Security Settings", and "System Services", locate the service you want to grant start / stop permission to and define a policy setting. You have to choose a startup type. Click "Edit Security" and modify the default ACL to include the permissions you're looking for.
I'd recommend testing the GPO on a constrained group of computers (either by linking the GPO to a test OU with a single computer, or by filtering the GPO to only a single computer) and making sure it does what you want before you go changing the security on all your computers only to find out it doesn't do what you want.
Here's some background on what the various entries in an ACE mean for services:
To see the descriptors in SDDL notation, use the "sc sdshow service-name" command.
Edit:
Delegated permission to create new services is going to be a little bit tough. There is a "SC_MANAGER_CREATE_SERVICE" right that can be granted to users on the service control manager (SCM) object in the global object manager.
In Windows versions up to Windows Server 2003, the rights could not be changed on the SCM. Starting in W2K3 SP1, you could change the rights on the SCM.
The API to change the security is SetServiceObjectSecurity, and more information is available here: http://msdn.microsoft.com/en-us/library/aa379589(VS.85).aspx
Some more reference re: the rights that can be granted to the SCM and the default DACL set on the SCM is available here: http://msdn.microsoft.com/en-us/library/ms685981(VS.85).aspx
In short, there's no way to do this w/o writing code. There's no magic registry setting, etc. If you can get somebody to write the code for you, though, it's totally feasible.
Running the installer with escalated permissions should do the trick - Right-click and "Run As Administrator", or set to run as admin in the Properties window under the Compatibility tab.
If this doesn't work, then it may be spinning off a separate process that is losing the permission escalation; in that case, you'll want to just disable UAC temporarily (Control Panel -> User Accounts -> Change User Account Control settings).
Best Answer
So just to make sure I understand you correctly:
It sounds like you tried to change the service permissions in Group Policy, but did so from a computer that doesn't have Oracle or MySQL installed, which means that those services don't appear in the list of available services.
I can think of three options:
1. Install the Group Policy Management Console (gpmc.msc) on the computer that has Oracle & MySQL.
   - If you're on Windows XP/2003, download and install the Group Policy Management Console with Service Pack 1.
   - If you're using Windows Vista/7, download and install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1).
   - If you're using Windows 2008/2008R2, add the Group Policy Management feature directly from Server Manager.
   Once gpmc is installed, you can edit the GPO on the computer that has Oracle & MySQL and you will see their services listed.
2. Create a dummy service on the computer you're using to edit the GPO.
   - Find the ServiceKeyName of the service you want to change. (This is the "short name" of the service.) If you only know the DisplayName ("long name") but not the ServiceKeyName ("short name"), you can find it on the machine that has it installed, e.g.:
       sc GetKeyName "MySQL Service"
   - Create a fake service on the computer you're using to edit the GPO:
       sc create ServiceKeyName binPath= C:\Windows\system32\notepad.exe
   - Edit the GPO.
   - When you're done, you can delete the fake service with:
       sc delete ServiceKeyName
3. Forget GPO altogether and set the permissions directly on the service.
First, see what the existing permissions are:
C:\Windows\system32>sc sdshow ServiceKeyName
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Yikes! Isn't SDDL scary? Anyhow, the idea here is to add the permission bits we need into that mess. For example, you could allow all Domain Users to start, stop, pause and read permissions by adding:
(A;;RPWPDTRC;;;DU)
Or for local Users ("builtin Users"):
(A;;RPWPDTRC;;;BU)
So the final command would look something like:
sc sdset ServiceKeyName D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;RPWPDTRC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Okay, I lied, I thought of one more way while writing this. ;-) You could use subinacl.exe for a simpler way of doing option 3. I don't know whether it's compatible with anything newer than Windows XP/2003 though. Use a command like:
    subinacl /service ServiceKeyName /grant=Users=TOP
(TOP is the subinacl syntax for sTart/stOp/Pause/continue)
If I've misread your question, please let me know.
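Added example, not part of the original answers: a small Python decoder for the service SDDL shown above. It names the rights each ACE grants, inserts a new ACE ahead of the "S:" part the way the final sc sdset command does, and lists Allow ACEs that hand reconfiguration rights to non-admin trustees. The function names and the ADMIN_TRUSTEES set are assumptions of this example; the rights table is the standard meaning of the two-letter SDDL codes on service objects.

```python
import re

# SDDL rights codes as interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
SENSITIVE = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Assumption: trustees this audit treats as administrative (SY, BA, SO).
ADMIN_TRUSTEES = {"SY", "BA", "SO"}

# The "sc sdshow" output quoted in the answer above.
SDSHOW_OUTPUT = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Decode each DACL ACE into (ace_type, trustee, [right names])."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string starting with 'D:'")
    dacl = sddl[2:].partition("S:")[0]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        names = [SERVICE_RIGHTS.get(c, c) for c in re.findall("..", rights)]
        aces.append((ace_type, trustee, names))
    return aces

def add_ace(sddl, ace):
    """Insert an ACE at the end of the DACL, ahead of any 'S:' SACL part."""
    dacl, sep, sacl = sddl.partition("S:")
    return dacl + ace + sep + sacl

def risky_grants(sddl):
    """Allow ACEs that give SENSITIVE rights to non-admin trustees."""
    return [(t, sorted(SENSITIVE.intersection(r)))
            for kind, t, r in parse_dacl(sddl)
            if kind == "A" and t not in ADMIN_TRUSTEES and SENSITIVE.intersection(r)]

if __name__ == "__main__":
    for ace in parse_dacl(add_ace(SDSHOW_OUTPUT, "(A;;RPWPDTRC;;;BU)")):
        print(ace)
```

Running risky_grants on the string you are about to pass to sc sdset confirms the delegation covers only start/stop/pause and read before it is applied.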