Remotely stop service without Admin permissions

I know that you can stop services with the SC command, but that requires Admin rights on the target machine. I have used the SC SDSET command to modify the SDDL set for the service in question. Now I have it so that the non-admin user can stop and start the service locally. This command will not work remotely. User VPNs into the network and I have tried several combinations to use the SC Stop command and always get Access is Denied. I tested it locally by giving the user account Logon Locally, and the user can only stop/start the 2 services that I modified, but cannot do it remotely.
Tried creating scripts that would run the SC Stop command on the remote Server, but is being accessed via a share and therefore seems to detect that the command is not local. I have tried a local (to the VPN user's PC) script that calls a script on the remote Server that runs the SC Stop command and it still fails.
What am I missing?

I think if you define the permissions through GP you might have more luck with this.

Define the permissions of the service in a GP object via
Computer configuration > Windows Settings > Security Settings > System Services > 

Alternatively, thinking of this another way, write a batch file to run the SC command, but like this....

Get the date & time as an env variable, use that env variable to run a scheduled task within so many seconds .. The scheduled task under the system account can now turn on the service with SC

Correction .. I meant turn off the service

Igore65 (Author) Commented:
I can't use GPO as the user is a contractor and not directly in the domain.  The PC is remote and just comes in through a VPN account.  I am trying to give the user (who has a domain account) limited access to a few folders and to manage just the 2 services that he is writing App code for...

I changed the SDDL to allow his SID to start/stop the needed services.  This works locally.  I have tried the script files thing...  Wrote a couple of simple scripts and have them on the Server.  I VPN in and open the folder with the scripts and run them and it says Access is Denied...  But if logged in locally, they work great.  They even work well if the user is logged on in the LAN and not coming in through a VPN...  There is something about the VPN...


runas /user:username@domain_name \\server_name\informz\Service_MGMT\Formatter_Stop.cmd

This calls the script that runs the sc command:
sc \\Server_Name stop informzformatter

Stumped on where to go... I am investigating other apps developed to stop services using admin permissions that will allow me to encrypt the PW.
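
An added example, not part of the thread: after an SC SDSET change like the one described above, the service's SDDL (as printed by `sc sdshow`) can be checked offline to confirm the new ACE grants only start/stop and nothing that allows reconfiguring the service. The SID and SDDL string below are constructed, and trustees are matched by exact string with no group expansion.

```python
import re

# Meaning of the two-letter SDDL rights when the object is a Windows service.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder repoint the service binary or rewrite its ACL.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights_set)] for the D: section of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6:
            continue
        # Unrecognised pairs (e.g. generic rights such as GA) are kept as-is.
        rights = {SERVICE_RIGHTS.get(p, p) for p in re.findall("..", fields[2])}
        aces.append((fields[0], fields[5], rights))
    return aces

def effective_rights(sddl, trustee):
    """Allowed minus denied rights for one exact trustee string (no group expansion)."""
    allow, deny = set(), set()
    for ace_type, who, rights in parse_dacl(sddl):
        if who == trustee and ace_type in ("A", "D"):
            (allow if ace_type == "A" else deny).update(rights)
    return allow - deny

def risky_aces(sddl, trusted=("SY", "BA")):
    """Allow ACEs that hand DANGEROUS rights to anyone outside the trusted trustees."""
    return [(who, sorted(rights & DANGEROUS))
            for ace_type, who, rights in parse_dacl(sddl)
            if ace_type == "A" and who not in trusted and rights & DANGEROUS]

# Constructed sample: a default-style service DACL plus one ACE for a made-up SID.
CONTRACTOR = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPLC;;;" + CONTRACTOR + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print(sorted(effective_rights(SAMPLE, CONTRACTOR)))
    print(risky_aces(SAMPLE))
```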

Couple of items...

I don't think it's the VPN directly, I think it's the type of logon (there are a few - ... and I suspect there are user rights attached to the logon type.

Using runas might still effectively not be a full console logon, and therefore be access denied for the same reason (albeit a different account) - That's why I suggested use the AT command for a SYSTEM account context.

Thinking out of the box .. Why not use (a) some remote control software (not RDP, something that can be a Logon type 2, TeamViewer/LogMeIn etc)
and (b) allow the user (contractor) access to an unused desktop.


Malli Boppe Commented:
I think it's something to do with the local security policy of that server. Check the settings on that server.
When he does VPN, does he log on to the domain?
When logging on locally does he logon to domain?
Igore65 (Author) Commented:
The solution turned out to be using a 3rd party utility to do a hybrid of the SC command.  Using SVCUtil.exe allows the user to stop and start the needed services.  I am not sure how this App connects to the Server differently than the Native SC command does, but it allows the user to manage the needed Services.
Igore65 (Author) Commented:
I just want it closed