Unable to stop fax service on SBS2003 (Permissions problem)

I'm currently setting up a domain user with slightly less rights than a domain admin but enough to perform daily administration.

It was all going well until I discovered that this new user isnt able to stop the Fax Service (occasionally needs restarting). I can't think of how to grant access to do this and preferably without giving it access to stop/start/restart all services.

I'm probably going about this all wrong bacause this user is now practically everything but a domain admin.

Currently a member of:
Domain Power Users
Domain Users
Fax Operators
Remote Desktop Users
Remote Web Workplace Users
Server Operators
+(Anti-virus and WSUS groups)

Luckily i've started setting this up a good 2 weeks before i go on holiday so i have time to get it sorted.

Thanks in advance
CaTFiNcHAsked:
Who is Participating?
 
oBdACommented:
You have several possibilities to delegate permissions to manage services.
I'd suggest to create a dedicated domain local group like "DL-Svc_FaxService" or whatever, give permissions to this group, and then add the user(s) or a global group with the user(s) to this group. Do NOT assign permissions directly to any resources unless there is a really good reason to do so.
How to grant users rights to manage services in Windows 2000
http://support.microsoft.com/kb/288129

If the user will be controlling the service(s) from a remote machine (which is likely, I guess), you need to change the permissions of the SCM as well, otherwise there won't be access to control any service at all:
Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1
http://support.microsoft.com/kb/907460
0
 
CaTFiNcHAuthor Commented:
Thanks for the response oBdA, from briefly looking at that solution it seems quite invasive, but i'm more than willing to have a play in the test enviroment. I should get a chance to try this a work tomorrow and post back.
0
 
oBdACommented:
You can try the service permission delegation on any machine for testing; it doesn't have to be the DC.
The advantage to setting permissions with a GPO is that you can see where the permissions are coming from even afterwards; but in case you want to do it from the command line using subinacl.exe, and you have the W2k3 ResKit installed already, do NOT use this version (v4.x.), it's buggy and doesn't do anything. The corrected version is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.