?
Solved

Windows Server 2012 R2 Local Policy Editor is missing System Services?

Posted on 2016-10-25
4
Medium Priority
?
87 Views
Last Modified: 2016-11-20
I'm trying to give privileges to a couple of users so that they can start/stop/restart services on a Windows 2012 R2 Server who is a member of a domain. The server is not a DC but has Terminal Services installed on it.
As fast as I understand you could use Group Policies to give them this right before, but in this OS there is no such path (Computer Configuration/Windows Settings/Security Settings/System Services).
And as it's not a DC I can't use the approach of using a new Organisational Unit (since I can't see the Services on the server in question from the DC server)...

Anyone with ideas or experiences of this?
0
Comment
Question by:MicaelO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points (awarded by participants)
ID: 41858852
You never could do that with the local policy editor. This was only ever available in the domain group policy management.
For a single server, you can do that with subinacl.exe (you don't need to actually install it, all you need is the .exe which you can extract from the msi, for example with 7-Zip).
And do not assign the right to users. Create a local or domain local group, "Service_Restart_Whatever", and assign the required rights to this group. Then add the user(s) in question to this group, or (better) a global group containing these users.
Note: the service name is the short name (under "Service Name" in the service properties), not the Display Name.
Example:
subinacl.exe /Service "Whatever" /grant="SomeDomain\Service_Restart_Whatever"=TOP

Open in new window

Still works on W2k12R2.
 
How to grant users rights to manage services in Windows Server 2003
https://support.microsoft.com/en-us/kb/325349

SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
1
 

Author Comment

by:MicaelO
ID: 41859438
Thanks oBdA!

I'll try this! :)

Maybe I have misunderstood it but I found this article and was referring to method 1 in it when I referred to doing it locally: http://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx
0
 
LVL 85

Expert Comment

by:oBdA
ID: 41859759
I'm not sure what they mean with "(applies to local users)", but "Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services." indicates that this is about a domain controlled GPO as well,
The second method just seems to be the same as the first one, only with screen shots and creating a new OU and GPO instead of editing an existing one.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 41894647
Question answered.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I was assigned the task of performing a hardware refresh in the datacenter. The previous Windows 2008 systems were connected to the SAN via fiber channel HBA’s and among other thing, had PowerPath installed in order to provide sufficient f…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question