4

I have 4 services. All of them are run by an individual user. All 4 users are part of a group I created (ServiceWorkers) which has the "Log on as a service" user right assigned. Each service needs to restart now and then. The problem is that the user rights assignment seems not to have sufficient permission to start/stop/restart the service.

What is the correct way to grant a group permission to start/stop/restart services? It doesn't matter in my case that it's 4 different users and 4 different services. When the group is able to just start/stop/restart (all) services it would be fine for now.

I found some setups but they are either extremely old, tools are no longer available (subinacl), or seem to revolve around giving permissions to a service. Any help would be welcome.

Alex

1 Answer

0

You can also use the built-in command sc.exe to grant permissions to users or groups to be able to stop and start a specific service. The general steps are as follows:

  1. Get the user or group SID.
  2. Get the current permissions that are set on the service.
  3. Append the new permissions to the existing ones and apply them.

Below is a batch file that automates these tasks. Just make sure you replace the values in the following variables to match your environment:

```batch
Set "$ServiceName=TestService"
Set "$UserName=TestUser"
Set "$UserDomain=MyDomain"
```

```batch
Echo Off & Cls
SetLocal EnableExtensions EnableDelayedExpansion

Set "$ServiceName=TestService"
Set "$UserName=TestUser"
Set "$UserDomain=MyDomain"

Rem Exit codes: 0 = permissions applied, 1 = SID lookup failed,
Rem 2 = reading the current permissions failed, 3 = applying them failed
Set "$ExitCode=-1"
Call :GetUserSID "!$UserDomain!" "!$UserName!" && (
    Call :ServiceGetPermissions "!$ServiceName!" && (
        Rem Keep only the DACL: cut the descriptor where the SACL starts
        Set "$ServicePermissions=!$ServicePermissions:)S:(=)@:(!"
        For /f "Tokens=1 Delims=@" %%x In ("!$ServicePermissions!") Do Set "$ServicePermissions=%%x"
        Rem Append an allow ACE for the SID: RP = start, WP = stop, CR = user-defined control
        Set "$ServicePermissions=!$ServicePermissions!(A;;RPWPCR;;;!$UserSID!)"
        Call :ServiceSetPermissions "!$ServiceName!" "!$ServicePermissions!" && Set "$ExitCode=0" || Set "$ExitCode=3"
    ) || (
        Set "$ExitCode=2"
    )
) || (
    Set "$ExitCode=1"
)
Exit /b !$ExitCode!

:GetUserSID <UserDomain> <UserAccount>
:-------------------------------------
Rem Looks up the account with wmic.exe and stores its SID in $UserSID
Set "#GetUserSID=-1"
Set "#UserDomain=%~1"
Set "#UserAccount=%~2"
Set "$UserSID="
For /f "Skip=1 Tokens=1" %%x In ('2^>Nul wmic.exe UserAccount Where ^(Name^="!#UserAccount!" And Domain^="!#UserDomain!"^) Get SID') Do (
    If Not Defined $UserSID Set "$UserSID=%%x"
    If /I Not "!$UserSID:~0,6!"=="S-1-5-" Set "$UserSID="
)
If Defined $UserSID (Set "#GetUserSID=0") Else (Set "#GetUserSID=2")
Exit /b !#GetUserSID!

:ServiceGetPermissions <ServiceName>
:-----------------------------------
Rem Reads the service security descriptor with sc.exe sdshow into $ServicePermissions
Set "#ServiceGetPermissions=-1"
Set "#ServiceName=%~1"
Set "$ServicePermissions="
For /f "Skip=1 Tokens=1" %%x In ('2^>Nul sc.exe sdshow "!#ServiceName!"') Do Set "$ServicePermissions=%%x"
If Defined $ServicePermissions (Set "#ServiceGetPermissions=0") Else (Set "#ServiceGetPermissions=3")
Exit /b !#ServiceGetPermissions!

:ServiceSetPermissions <ServiceName> <ServicePermissions>
:--------------------------------------------------------
Rem Applies the new security descriptor with sc.exe sdset
Set "#ServiceSetPermissions=-1"
Set "#ServiceName=%~1"
Set "#ServicePermissions=%~2"
>Nul 2>&1 sc.exe sdset "!#ServiceName!" "!#ServicePermissions!" && Set "#ServiceSetPermissions=0" || Set "#ServiceSetPermissions=5"
Exit /b !#ServiceSetPermissions!
```

Safwan
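The same three steps in PowerShell, as an added example that is not part of the original answer: it resolves a group as well as a user, leaves the SACL in place, and only prints the proposed descriptor unless `-Apply` is given. The service name, the account `MyDomain\ServiceWorkers` and the function names are assumptions for illustration.

```powershell
# Added example, not from the original answer.
# Assumed names: service 'TestService', group 'MyDomain\ServiceWorkers'.
param(
    [string]$ServiceName = 'TestService',
    [string]$Account     = 'MyDomain\ServiceWorkers',
    [switch]$Apply       # without -Apply the script only prints the proposed descriptor
)
$ErrorActionPreference = 'Stop'

function Resolve-AccountSid([string]$Name) {
    # NTAccount.Translate resolves users and groups alike
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ServiceSddl([string]$Service) {
    # "sc.exe", not "sc": in Windows PowerShell sc is an alias for Set-Content
    $line = & sc.exe sdshow $Service | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the security descriptor of '$Service'" }
    $line.Trim()
}

function Add-StartStopAce([string]$Sddl, [string]$Sid) {
    # Same rights string as the answer: RP = start, WP = stop, CR = user-defined control
    $ace = "(A;;RPWPCR;;;$Sid)"
    # Split at the DACL/SACL boundary so the audit ACEs in the SACL are kept
    $cut = $Sddl.IndexOf(')S:')
    if ($cut -ge 0) { $dacl = $Sddl.Substring(0, $cut + 1); $sacl = $Sddl.Substring($cut + 1) }
    else            { $dacl = $Sddl; $sacl = '' }
    if ($dacl -notmatch '^D:.*\)$') { throw "Unexpected DACL format: $dacl" }
    if ($dacl.Contains($ace)) { return $Sddl }   # already granted: no duplicate ACE on re-run
    $dacl + $ace + $sacl
}

$sid     = Resolve-AccountSid $Account
$current = Get-ServiceSddl $ServiceName
$updated = Add-StartStopAce $current $sid
"Current : $current"
"Proposed: $updated"

if ($Apply -and $updated -ne $current) {
    & sc.exe sdset $ServiceName $updated | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
    # Read the descriptor back and confirm the SID is now listed
    if (-not (Get-ServiceSddl $ServiceName).Contains($sid)) { throw 'New ACE not found after sdset' }
    'Applied.'
}
```

Changing a service's descriptor needs an elevated session, and each of the four services needs its own run with its `-ServiceName`.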