How to: Allow users to start / stop (server) services

Published on
13,502 Points
1 Endorsement
Last Modified:
Community Pick
If you're working for a huge coorporation, you'll probably shiver at the idea of allowing any users to start or stop services on your Windows Servers.  In small companies, however, it's not always easy or even possible for the System Admin to follow the "perfect safety instructions".  

Take my example.  I work for a company, Drenco N.V.  Although we're active in different markets, there's only a few people that actually work at the main office.  Of those people, there's only one System Admin, and that's me.  So, if I want to have some rest during my vacations it's of the upmost importance that others can "fix" problems that occur.  

One of these errors happens to be the DNS server on our SBS 2003 box that occasionally needs a restart.  Just recently, I found a way to allow (trusted) users to stop / start this service (and other services), so they'll be able to perform this simple task, without much risk to the rest of the network.

Are you in a situation like mine? If you need certain non-admin users to be able to stop / start services on a Windows server, the following guide will be usefull to you.  

How to do it.

First of all, we need to install a component from the Microsoft Resource kit.  The file in question is SUBINACL.exe Link to the download:

If you've downloaded the file, install it on your server.  Note: choose an installation location that's easy to find.  You'll need to navigate there w/ the command prompt.  
Open your command prompt, and navigate to the folder where you installed the tool. (Default: c:\Program Files\Microsoft Resource Kit\Tools)
Run the following command - replace everything between ( ) with your own parameters and, obviously, get rid of the ( ).  
SUBINACL /service \\(target machine)\(short name of service to restart) GRANT= (domain)\(user).  

Create a Batch job

Now that the server side is all taken care off, you'll want to make it as easy as possible for your user in question to start / stop the service.  Open notepad, and use the following lines:
sc \\(target machine) (command) (service)
Save the file as (somename).bat and send it to the user; who then only needs to run the file.  


For the SUBINACL command= SUBINACL /service \\\DNS GRANT= toretto.local\Toretto
For the SC command (this .bat file would restart the DNS service on the target machine):  
sc \\ stop DNS
sc \\ start DNS

And that's it!  Remember, be carefull which rights you're giving to what user, the commands can be very powerful and a little dangerous in the wrong hands.  
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free