Solved

Grant user permission to start/stop non system service using group policy

Posted on 2008-09-29
1
5,793 Views
Last Modified: 2012-05-05
I want to grant a user permission to start and stop a few third party services on different servers using group policy.
Example:
DOMAIN\USER1 - permission to start/stop:
Service1 on ServerA
Service2 on ServerB

I know I need to run GPMC on the server which have these services installed.  My question is can I use the same GPO to grant these permissions, or would I need a GPO for each server or different service?

I am also investigating using subinacl , but I prefer a GPO.

Thanks!
0
Comment
Question by:DougR73
1 Comment
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 22601237
No, you don't nead to run GPMC on the server with the services.
Start MMC on the server and add 'security templates'-snapin.
Expand down to the templates in Security Templates -> C:\WINDOWS\security\templates to see what templates are found on the local server. Right-click on the folder-name and choose 'New Template' and enter a name for the template.
Expand the template-name and choose 'System services'.
Double-click on the service you want to configure and tick the checkbox 'Define this policy in the template'. Choose startup mode and click 'Edit security' to add the necessary permissions for the given service.
Do the same thing for other services
When all services are defined, right-click on the template-name and choose 'Save'.

Locate the template-file in %WINDIR%\Security\templates and copy it to a machine where you have GPMC installed.
Create/edit a GPO and expand down to 'Computer Configuration\Windows Settings\Security Settings'
Right-click on 'Security Settings' and choose 'Import Policy'

Link the GPO to the OU with the servers to configure all servers in that OU with the same service configuration.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Active Directory not migrating to 2012 DC correctly 35 63
ticket bloat 3 22
Admin account lockout 10 35
User account lockout - Server 2012R2 7 26
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now