Community Pick: Many members of our community have endorsed this article.

How to: Allow users to start / stop (server) services

If you're working for a huge coorporation, you'll probably shiver at the idea of allowing any users to start or stop services on your Windows Servers.  In small companies, however, it's not always easy or even possible for the System Admin to follow the "perfect safety instructions".  

Take my example.  I work for a company, Drenco N.V.  Although we're active in different markets, there's only a few people that actually work at the main office.  Of those people, there's only one System Admin, and that's me.  So, if I want to have some rest during my vacations it's of the upmost importance that others can "fix" problems that occur.  

One of these errors happens to be the DNS server on our SBS 2003 box that occasionally needs a restart.  Just recently, I found a way to allow (trusted) users to stop / start this service (and other services), so they'll be able to perform this simple task, without much risk to the rest of the network.

Are you in a situation like mine? If you need certain non-admin users to be able to stop / start services on a Windows server, the following guide will be usefull to you.  

How to do it.

First of all, we need to install a component from the Microsoft Resource kit.  The file in question is SUBINACL.exe Link to the download:

If you've downloaded the file, install it on your server.  Note: choose an installation location that's easy to find.  You'll need to navigate there w/ the command prompt.  
Open your command prompt, and navigate to the folder where you installed the tool. (Default: c:\Program Files\Microsoft Resource Kit\Tools)
Run the following command - replace everything between ( ) with your own parameters and, obviously, get rid of the ( ).  
SUBINACL /service \\(target machine)\(short name of service to restart) GRANT= (domain)\(user).  

Create a Batch job

Now that the server side is all taken care off, you'll want to make it as easy as possible for your user in question to start / stop the service.  Open notepad, and use the following lines:
sc \\(target machine) (command) (service)
Save the file as (somename).bat and send it to the user; who then only needs to run the file.  


For the SUBINACL command= SUBINACL /service \\\DNS GRANT= toretto.local\Toretto
For the SC command (this .bat file would restart the DNS service on the target machine):  
sc \\ stop DNS
sc \\ start DNS

And that's it!  Remember, be carefull which rights you're giving to what user, the commands can be very powerful and a little dangerous in the wrong hands.  

Comments (4)

I received an error saying the Service does not exist but it does, I tryed the short name and full name of the servcie, same result

Please provide the service name rather than the display name attaching a sample screenshot showing the service name and dispaly name.

sorry attachment not wokring you can double click the service and see the service name and the display name
Hello Toretto.

This is excellent How To. The one thing that I would like to add is that with the sc command, once executed, it immediately exits out to the command prompt. In a batch script, this means that the second command (to start the service in this example) would execute immediately. I've had times where some services don't stop quickly enough and the attempt to start a shutting down service causes an error.

In these cases I've had to add a 'pause' between stopping and starting commands. The simplest way I've found to do this is to invoke Ping.

You will want to ping the localhost, or (technically, anything at, with a count. This way it is universally compatible with any computer running the script. Each ping takes approximately one second, so if you needed to wait 5 seconds the command would look like this:
"ping -n 5"

Good article!

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.