Solved

Grant user permission to start/stop non system service using group policy

Posted on 2008-09-29
1
5,852 Views
Last Modified: 2012-05-05
I want to grant a user permission to start and stop a few third party services on different servers using group policy.
Example:
DOMAIN\USER1 - permission to start/stop:
Service1 on ServerA
Service2 on ServerB

I know I need to run GPMC on the server which have these services installed.  My question is can I use the same GPO to grant these permissions, or would I need a GPO for each server or different service?

I am also investigating using subinacl , but I prefer a GPO.

Thanks!
0
Comment
Question by:DougR73
1 Comment
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 22601237
No, you don't nead to run GPMC on the server with the services.
Start MMC on the server and add 'security templates'-snapin.
Expand down to the templates in Security Templates -> C:\WINDOWS\security\templates to see what templates are found on the local server. Right-click on the folder-name and choose 'New Template' and enter a name for the template.
Expand the template-name and choose 'System services'.
Double-click on the service you want to configure and tick the checkbox 'Define this policy in the template'. Choose startup mode and click 'Edit security' to add the necessary permissions for the given service.
Do the same thing for other services
When all services are defined, right-click on the template-name and choose 'Save'.

Locate the template-file in %WINDIR%\Security\templates and copy it to a machine where you have GPMC installed.
Create/edit a GPO and expand down to 'Computer Configuration\Windows Settings\Security Settings'
Right-click on 'Security Settings' and choose 'Import Policy'

Link the GPO to the OU with the servers to configure all servers in that OU with the same service configuration.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question