I recently stumbled across a lesser known Microsoft utility (again) called subinacl.exe that you should take a look at if you haven’t already done so. It can be downloaded for free from Microsoft.
The tool is incredibly versatile and lets you change permissions of various system objects, such as files, printers, shares, services, registry keys and more from the command line.
I came across it because we needed a way to change the permission of the EventSentry service to allow a particular user account to read the current service status. So I’m only going to cover the service aspect of the tool in this post.
So how is this useful? Imagine you have a junior admin that you want to allow to manage a particular service on one or more of your servers. You don’t want the guy to be a local admin or be able to control all services but instead only be able to control one (or more) particular service.
In this case Windows doesn’t actually offer any native way of doing this without using a third party tool – with the exception of using group policy.
So let’s say you have user “Johnny” and you want Johnny to be able to stop and start the World Wide Web Publishing service. Simply run the following subinacl.exe command:
subinacl /service W3SVC /GRANT=YOURDOMAIN\Johnny=TO
Obviously you will want to replace YOURDOMAIN with the name of your domain. The TO at the end are the identifiers that tell subinacl which actions you actually want grant to Johnny. T is used for “Start Service” and O is for “Stop Service”. The complete list is here:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
So after running the command, Johnny will be able to stop and start the service without having any other permissions on the system.
But don’t stop there. Run subinacl.exe /help to see all the other options that are available to you. Of course you can also run the tool remotely by specifying the remote computer name.
You should also check out the MS KB article 288129 that has information on how to accomplish the same thing with group policies and security templates. This might be a better way especially if you have a large number of servers you want to apply this to.
Hope this is useful!