Link to home
Create AccountLog in
Avatar of kalbarriman
kalbarriman

asked on

Start Stop Services as User

Is there any relatively simple way in Windows for a User who does not have Administrator rights to Start and Stop Services? It is no problem that the Installation containing our Services within our software must be done by an Adminstrator, but once done, most IT people want to then lock down the computer so that the user is not given Admin rights. However this then prohibits them from launching or stopping the various Services we have.
Avatar of mrcannon
mrcannon
Flag of United States of America image

I would suggest this.

1.  Created a scheduled task in task manager for each action (ie. net start SERVICENAME) - you can add credentials to the task.
2.  Use schtasks /run /tn TASKNAME in batch file or as part of software to kick off the Windows task.

here are command line parameters for schtasks.exe...


C:\>SCHTASKS /?

SCHTASKS /parameter [arguments]

Description:
    Enables an administrator to create, delete, query, change, run and
    end scheduled tasks on a local or remote system.

Parameter List:
    /Create         Creates a new scheduled task.

    /Delete         Deletes the scheduled task(s).

    /Query          Displays all scheduled tasks.

    /Change         Changes the properties of scheduled task.

    /Run            Runs the scheduled task on demand.

    /End            Stops the currently running scheduled task.

    /ShowSid        Shows the security identifier corresponding to a scheduled t
ask name.

    /?              Displays this help message.

Examples:
    SCHTASKS
    SCHTASKS /?
    SCHTASKS /Run /?
    SCHTASKS /End /?
    SCHTASKS /Create /?
    SCHTASKS /Delete /?
    SCHTASKS /Query  /?
    SCHTASKS /Change /?
    SCHTASKS /ShowSid /?

Avatar of kalbarriman
kalbarriman

ASKER

Thanks MrC. I am only slightly familar with Task Scheduler in Administrative Tools and have done a test run on creating a new task but can see no option for adding credentials to the task. (I am assuming that setting credentials is the most important part of allowing a 'User' to run a Service).
So before we get to the batch file, I'd really appreciate a step by step on how to create said Scheduled Task for, as an example, a file called myservice.exe in C:\My Folder.

However, before going down that path, will this also solve another issue which is that the User needs to be able to change DSN attributes? Although a System DSN is created by the installer, the ODBC database path changes depending on what the user is doing. Seems like you need to be an Adminstrator to do this.

Had a bit of a play with icacls in the command prompt but it doesn't appear to do what I want, which is basically to say "Run any program or service in the C:\My Folder directory and all it's sub directories" with Adminstrator priveledges..oh.. and also grant permission to modify System DSN.Perhaps I am trying to achieve the impossible, but IT guys get SO cranky when they have to give Users, Admin rights.

Thanks

ASKER CERTIFIED SOLUTION
Avatar of mrcannon
mrcannon
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
The suggestion about using a User DSN instead of system might just work. I'll try it out. Thanks for that pretty simple solution option.

As for Subinacl.exe I was under the impression that icacls.exe had replaced that. Our software is pretty much always installed on Server 2003/2008/2011 and sometimes Vista and Win7. My understanding was that Subinacl was for older OS?? No?
Let's say you want to stop, then start the print spooler service


@ECHO OFF

NET STOP SPOOLER
NET START SPOOLER

EXIT

Open in new window

I responded to your question to quickly. Should have read your question more carefully. Sorry for that.

If you want the user to start/stop a service, you could create a batch file running a command line containing local admin rights. And in order to prevent them to see admin credentials, you could convert the batch file to EXE.

The suggestion of "mrcannon" is very good. You could also use the Task Scheduler" found in the Control Panel, or create a batch file by using the SCHTASKS command for deploying this on all the PCs in the network with something like:

FOR /F %%A in ('net view ^| FINDSTR -i \\PC') DO PSEXEC %%A SCHTASKS...

Cheers,
Rene
Thanks. Subinacl.exe does it.