?
Solved

Grant user permission to start/stop non system service using group policy

Posted on 2008-09-29
1
Medium Priority
?
6,137 Views
Last Modified: 2012-05-05
I want to grant a user permission to start and stop a few third party services on different servers using group policy.
Example:
DOMAIN\USER1 - permission to start/stop:
Service1 on ServerA
Service2 on ServerB

I know I need to run GPMC on the server which have these services installed.  My question is can I use the same GPO to grant these permissions, or would I need a GPO for each server or different service?

I am also investigating using subinacl , but I prefer a GPO.

Thanks!
0
Comment
Question by:DougR73
1 Comment
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 2000 total points
ID: 22601237
No, you don't nead to run GPMC on the server with the services.
Start MMC on the server and add 'security templates'-snapin.
Expand down to the templates in Security Templates -> C:\WINDOWS\security\templates to see what templates are found on the local server. Right-click on the folder-name and choose 'New Template' and enter a name for the template.
Expand the template-name and choose 'System services'.
Double-click on the service you want to configure and tick the checkbox 'Define this policy in the template'. Choose startup mode and click 'Edit security' to add the necessary permissions for the given service.
Do the same thing for other services
When all services are defined, right-click on the template-name and choose 'Save'.

Locate the template-file in %WINDIR%\Security\templates and copy it to a machine where you have GPMC installed.
Create/edit a GPO and expand down to 'Computer Configuration\Windows Settings\Security Settings'
Right-click on 'Security Settings' and choose 'Import Policy'

Link the GPO to the OU with the servers to configure all servers in that OU with the same service configuration.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question