kalbarriman
asked on
Start Stop Services as User
Is there any relatively simple way in Windows for a User who does not have Administrator rights to Start and Stop Services? It is no problem that the Installation containing our Services within our software must be done by an Adminstrator, but once done, most IT people want to then lock down the computer so that the user is not given Admin rights. However this then prohibits them from launching or stopping the various Services we have.
ASKER
Thanks MrC. I am only slightly familar with Task Scheduler in Administrative Tools and have done a test run on creating a new task but can see no option for adding credentials to the task. (I am assuming that setting credentials is the most important part of allowing a 'User' to run a Service).
So before we get to the batch file, I'd really appreciate a step by step on how to create said Scheduled Task for, as an example, a file called myservice.exe in C:\My Folder.
However, before going down that path, will this also solve another issue which is that the User needs to be able to change DSN attributes? Although a System DSN is created by the installer, the ODBC database path changes depending on what the user is doing. Seems like you need to be an Adminstrator to do this.
Had a bit of a play with icacls in the command prompt but it doesn't appear to do what I want, which is basically to say "Run any program or service in the C:\My Folder directory and all it's sub directories" with Adminstrator priveledges..oh.. and also grant permission to modify System DSN.Perhaps I am trying to achieve the impossible, but IT guys get SO cranky when they have to give Users, Admin rights.
Thanks
So before we get to the batch file, I'd really appreciate a step by step on how to create said Scheduled Task for, as an example, a file called myservice.exe in C:\My Folder.
However, before going down that path, will this also solve another issue which is that the User needs to be able to change DSN attributes? Although a System DSN is created by the installer, the ODBC database path changes depending on what the user is doing. Seems like you need to be an Adminstrator to do this.
Had a bit of a play with icacls in the command prompt but it doesn't appear to do what I want, which is basically to say "Run any program or service in the C:\My Folder directory and all it's sub directories" with Adminstrator priveledges..oh.. and also grant permission to modify System DSN.Perhaps I am trying to achieve the impossible, but IT guys get SO cranky when they have to give Users, Admin rights.
Thanks
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
The suggestion about using a User DSN instead of system might just work. I'll try it out. Thanks for that pretty simple solution option.
As for Subinacl.exe I was under the impression that icacls.exe had replaced that. Our software is pretty much always installed on Server 2003/2008/2011 and sometimes Vista and Win7. My understanding was that Subinacl was for older OS?? No?
As for Subinacl.exe I was under the impression that icacls.exe had replaced that. Our software is pretty much always installed on Server 2003/2008/2011 and sometimes Vista and Win7. My understanding was that Subinacl was for older OS?? No?
Let's say you want to stop, then start the print spooler service
@ECHO OFF
NET STOP SPOOLER
NET START SPOOLER
EXIT
I responded to your question to quickly. Should have read your question more carefully. Sorry for that.
If you want the user to start/stop a service, you could create a batch file running a command line containing local admin rights. And in order to prevent them to see admin credentials, you could convert the batch file to EXE.
The suggestion of "mrcannon" is very good. You could also use the Task Scheduler" found in the Control Panel, or create a batch file by using the SCHTASKS command for deploying this on all the PCs in the network with something like:
FOR /F %%A in ('net view ^| FINDSTR -i \\PC') DO PSEXEC %%A SCHTASKS...
Cheers,
Rene
If you want the user to start/stop a service, you could create a batch file running a command line containing local admin rights. And in order to prevent them to see admin credentials, you could convert the batch file to EXE.
The suggestion of "mrcannon" is very good. You could also use the Task Scheduler" found in the Control Panel, or create a batch file by using the SCHTASKS command for deploying this on all the PCs in the network with something like:
FOR /F %%A in ('net view ^| FINDSTR -i \\PC') DO PSEXEC %%A SCHTASKS...
Cheers,
Rene
ASKER
Thanks. Subinacl.exe does it.
1. Created a scheduled task in task manager for each action (ie. net start SERVICENAME) - you can add credentials to the task.
2. Use schtasks /run /tn TASKNAME in batch file or as part of software to kick off the Windows task.
here are command line parameters for schtasks.exe...
C:\>SCHTASKS /?
SCHTASKS /parameter [arguments]
Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system.
Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task on demand.
/End Stops the currently running scheduled task.
/ShowSid Shows the security identifier corresponding to a scheduled t
ask name.
/? Displays this help message.
Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
SCHTASKS /ShowSid /?