windows – Granting Service Permissions to Users on Non-Domain Servers

group-policypermissionsSecuritywindowswindows-service

We have a suite of Windows Services running on our servers which perform a bunch of automated tasks independently of one another, with the exception of one service which looks after the other services.

In the event that one of the services should fail to respond or hang, this service attempts to restart the service and, if an exception is thrown during the attempt, emails the support team instead, so that they can restart the service themselves.

Having done a little research, I've come across a few 'solutions' which range from the workaround mentioned in KB907460 to giving the account under which the service is running administrator rights.

I'm not comfortable with either of these methods – I don't understand the consequences of the first method as outlined in Microsoft's knowledge base article, but I definitely don't want to give administrator access to the account under which the service is running.

I've taken a quick look through the Local Security Policy and other than the policy which defines whether or not an account can log on as a service, I can't see anything else which looks like it refers to services.

We're running this on Server 2003 and Server 2008, so any ideas or pointers would be graciously received!

Clarification: I don't want to grant the ability to start/stop/restart ALL services to a given user or group – I want to be able to grant the permission to do so on specific services only, to a given user or group.

Further Clarification: The servers I need to grant these permissions on do not belong to a domain – they are two internet-facing servers which receive files, process them and send them on to third parties, as well as serving a couple of websites, so Active Directory Group Policy isn't possible. Sorry that I didn't make this clearer.

Best Answer

There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.

I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.

To append to the service's existing security descriptor, use sc sdshow "Service Name" to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA
;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

We needed to grant permissions RP (to start the service), WP (to stop the service), DT (to pause/continue the service) and LO (to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.

Using runas to open a command prompt under the service account, I ran whoami /all which gave me the SID of the service account, and then constructed the additional SDDL below:

(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)

This then gets added to the D: section of the SDDL string above:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP
DTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)

This is then applied to the service using the sc sdset command (before the S: text):

sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU
)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD)

If all goes according to plan, the service can then be started, stopped, paused and have it's status queried by the user defined by the SID above.

Related Solutions

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

Windows – way to refresh computer group membership without rebooting

For Windows 2008 and higher:

psexec -s -i -d cmd.exe

C:\Windows\system32>whoami
nt authority\system

-- List the session 0 tickets (0x3e7 is the machine session 0)
klist -lh 0 -li 0x3e7  

-- Purge the session 0 tickets  
klist -lh 0 -li 0x3e7 purge  

Should display:  

Current LogonId is 0:0x3e7  
        Deleting all tickets:  
        Ticket(s) purged!

PSExec is a free SysInternals download from Microsoft.

To clear up any confusion, this process absolutely will refresh the group memberships of a computer, and allow a group policy that applies to a security group to now apply to the computer, without rebooting the computer. This has been tested and verified on Windows Server 2012 R2 and Windows Server 2008 R2 and a universal security group. The short version would be:

psexec -s -i -d cmd.exe
klist tgt (view the current ticket, make note of the size. Also note that since you are running as system, the Current Logon Id is 0x3e7)
Add the computer to the security group. (Allow time to replicate, if applicable)
klist purge
nltest /dsgetdc:domain.com (run this or any other command that will connect to a network resource and force a TGT request)
klist tgt (view the current ticket, make note of the size. It should be slightly larger. Note that whoami /groups will not reflect the new membership)

At this point, it the system command prompt may be exited.

gpupdate /force
gpresult /h gpresult.html

View the gpreport, it should now show the group policy is applied.

Best Answer

Related Solutions

Windows – Useful Command-line Commands on Windows

Windows – way to refresh computer group membership without rebooting

Related Topic