Remotely stop service without Admin permissions

I know that you can stop services with the SC command, but that requires Admin rights on the target machine. I have used the SC SDSET command to modify the SDDL set for the service in question. Now I have it so that the non-admin user can stop and start the service locally. This command will not work remotely. User VPNs into the network and I have tried several combinations to use the SC Stop command and always get Access is Denied. I tested it locally by giving the user account Logon Locally, and the user can only stop/start the 2 services that I modified, but cannot do it remotely.
Tried creating scripts that would run the SC Stop command on the remote Server, but it is being accessed via a share and therefore seems to detect that the command is not local. I have tried a local (to the VPN user's PC) script that calls a script on the remote Server that runs the SC Stop command and it still fails.
What am I missing?
StinkyPete Commented:
Couple of items...

I don't think it's the VPN directly, I think it's the type of logon (there are a few - ... and I suspect there are user rights attached to the logon type.

Using runas might still effectively not be a full console logon, and therefore be access denied for the same reason (albeit a different account) - That's why I suggested use the AT command for a SYSTEM account context.

Thinking out of the box .. Why not use (a) some remote control software (not RDP, something that can be a Logon type 2, TeamViewer/LogMeIn etc)
and (b) allow the user (contractor) access to an unused desktop.

I think if you define the permissions through GP you might have more luck with this.

Define the permissions of the service in a GP object via
Computer configuration > Windows Settings > Security Settings > System Services > 

Alternatively, thinking of this another way, write a batch file to run the SC command, but like this....

Get the date & time as an env variable, use that env variable to run a scheduled task within so many seconds .. The scheduled task under the system account can now turn on the service with SC

Correction .. I meant turn off the service
Igore65 Author Commented:
I can't use GPO as the user is a contractor and not directly in the domain.  The PC is remote and just comes in through a VPN account.  I am trying to give the user (who has a domain account) limited access to a few folders and to manage just the 2 services that he is writing App code for...

I changed the SDDL to allow his SID to start/stop the needed services.  This works locally.  I have tried the script files thing...  Wrote a couple of simple scripts and have them on the Server.  I VPN in and open the folder with the scripts and run them and it says Access is Denied...  But if logged in locally, they work great.  They even work well if the user is logged on in the LAN and not coming in through a VPN...  There is something about the VPN...


runas /user:username@domain_name \\server_name\informz\Service_MGMT\Formatter_Stop.cmd

This calls the script that runs the sc command:
sc \\Server_Name stop informzformatter

Stumped on where to go... I am investigating other apps developed to stop services using admin permissions that will allow me to encrypt the PW.
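
An added example, not part of the original thread or the poster's own scripts: after delegating start/stop with SC SDSET, it is worth confirming that the new ACE grants only those rights, because change-config or write-DAC on a service lets the holder reconfigure it. This Python sketch parses the DACL of a service SDDL string (the format printed by `sc sdshow`); the SID and both descriptors are constructed samples.

```python
import re

# Service-specific meaning of the two-letter SDDL rights shown by "sc sdshow".
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure or re-permission the service.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Trustees expected to hold full control: LocalSystem and built-in Administrators.
PRIVILEGED = {"SY", "BA"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right names])] for the D: part only."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) != 6 or len(f[2]) % 2:
            raise ValueError("unsupported ACE: " + body)
        # Unknown codes are kept verbatim so nothing is silently dropped.
        aces.append((f[0], f[5], [RIGHTS.get(c, c) for c in re.findall("..", f[2])]))
    return aces

def audit(sddl):
    """Map each non-privileged trustee with allow ACEs to its start/stop/risky rights."""
    report = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee in PRIVILEGED:
            continue
        entry = report.setdefault(trustee, {"start": False, "stop": False, "risky": []})
        entry["start"] |= "START" in rights
        entry["stop"] |= "STOP" in rights
        entry["risky"] += sorted(DANGEROUS.intersection(rights))
    return report

# Constructed samples: a placeholder user SID, one narrow and one over-broad delegation.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
SACL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
TIGHT = BASE + "(A;;RPWPLCRC;;;%s)" % USER + SACL
LOOSE = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;%s)" % USER + SACL

if __name__ == "__main__":
    for name, sddl in (("tight", TIGHT), ("loose", LOOSE)):
        for trustee, entry in audit(sddl).items():
            print(name, trustee, entry)
```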

Malli Boppe Commented:
I think it's something to do with the local security policy of that server. Check the settings on that server.
When he does VPN, does he log on to the domain?
When logging on locally, does he log on to the domain?
Igore65 Author Commented:
The solution turned out to be using a 3rd party utility to do a hybrid of the SC command.  Using SVCUtil.exe allows the user to stop and start the needed services.  I am not sure how this App connects to the Server differently than the Native SC command does, but it allows the user to manage the needed Services.
Igore65 Author Commented:
I just want it closed
Question has a verified solution.