We distribute the rights to start / stop services under Windows
Naturally, I don’t want to give administrator rights.
"Powerful" user does not fit.
there are a lot of letters
and here comes the technet to the rescue , which tells about sc.
In this case, we are interested in 2 teams:
sc sdshow - shows the rights
sc sdset - sets the rights
To get started, we find out what rights our service already has: Without frills. As you can see, there are 2 interesting prefixes: S: - System Access Control List (SACL) - this does not interest us now. D: - Discretionary ACL (DACL) - here the rights for everyone and everything are indicated. We look further.
C:\Users\administrator>sc sdshow service_name
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
The first letter after the brackets means allow (A, Allow) or deny (D, Deny).
We allow:
(A ;;;;;)
And then we see combinations of two letters: In fact, we will be interested in the last three options: (A ;; RPWPDT ;;;) The last 2 letters indicate to whom we allow or prohibit: + to This list can explicitly specify the user by SID. This is the most interesting! How to find out the user's SID? there is more than one way :) but, the simplest and most convenient (in my opinion), write a small script on vb: Replace the username and domain to your liking, save the file with the extension .vbs and run it. An alert with SID appears. Copy to notepad (or to any other place)
CC - SERVICE_QUERY_CONFIG
LC - SERVICE_QUERY_STATUS
SW - SERVICE_ENUMERATE_DEPENDENTS
LO - SERVICE_INTERROGATE
CR - SERVICE_USER_DEFINED_CONTROL
RC - READ_CONTROL
RP - SERVICE_START
WP - SERVICE_STOP
DT - SERVICE_PAUSE_CONTINUEAU Authenticated Users
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon userstrComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get _
("Win32_UserAccount.Name='username',Domain='domain'")
Wscript.Echo objAccount.SIDYou can run the script in the console, save time :)
And so. Learned the SID. We paste
in the key:
(A ;; RPWPDT ;;; S-1-5-21-3992622163-2725220152-438995547-4172)
Now we prepare the whole command: We insert our key in any place, but it is important that it is before the prefix S. Important make no mistake, otherwise we may lose access to the service :) We start. we check: sc \\ server stop "service_name" I hope the main idea was conveyed. I’m also waiting for criticism, I suspect that there may be simpler ways. UPD can, by the way, use groups. in order to find out the SID of the group - instead of username, write the name of the group.
sc sdset D:(A;;RPWPDT;;;S-1-5-21-3992622163-2725220152-438995547-4172)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)