Solved

Windows Server 2012 R2 Local Policy Editor is missing System Services?

Posted on 2016-10-25
4
37 Views
Last Modified: 2016-11-20
I'm trying to give privileges to a couple of users so that they can start/stop/restart services on a Windows 2012 R2 Server who is a member of a domain. The server is not a DC but has Terminal Services installed on it.
As fast as I understand you could use Group Policies to give them this right before, but in this OS there is no such path (Computer Configuration/Windows Settings/Security Settings/System Services).
And as it's not a DC I can't use the approach of using a new Organisational Unit (since I can't see the Services on the server in question from the DC server)...

Anyone with ideas or experiences of this?
0
Comment
Question by:MicaelO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points (awarded by participants)
ID: 41858852
You never could do that with the local policy editor. This was only ever available in the domain group policy management.
For a single server, you can do that with subinacl.exe (you don't need to actually install it, all you need is the .exe which you can extract from the msi, for example with 7-Zip).
And do not assign the right to users. Create a local or domain local group, "Service_Restart_Whatever", and assign the required rights to this group. Then add the user(s) in question to this group, or (better) a global group containing these users.
Note: the service name is the short name (under "Service Name" in the service properties), not the Display Name.
Example:
subinacl.exe /Service "Whatever" /grant="SomeDomain\Service_Restart_Whatever"=TOP

Open in new window

Still works on W2k12R2.
 
How to grant users rights to manage services in Windows Server 2003
https://support.microsoft.com/en-us/kb/325349

SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
1
 

Author Comment

by:MicaelO
ID: 41859438
Thanks oBdA!

I'll try this! :)

Maybe I have misunderstood it but I found this article and was referring to method 1 in it when I referred to doing it locally: http://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx
0
 
LVL 84

Expert Comment

by:oBdA
ID: 41859759
I'm not sure what they mean with "(applies to local users)", but "Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services." indicates that this is about a domain controlled GPO as well,
The second method just seems to be the same as the first one, only with screen shots and creating a new OU and GPO instead of editing an existing one.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 41894647
Question answered.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
NTP problem 24 80
IR 1023 Scanning 4 52
Cannot access RDP (AD 2012) 6 47
role based administration in SCCM 2012 - desktop only managers 6 31
In my previous Experts Exchange Articles (http://www.experts-exchange.com/ARTH_1864316.html?arthOrderBy=3&arthSort=1#arth), most have featured Basic and Intermediate VMware Topics.  As a Virtualisation Consultant, we implement many different virtual…
Recently, I was assigned the task of performing a hardware refresh in the datacenter. The previous Windows 2008 systems were connected to the SAN via fiber channel HBA’s and among other thing, had PowerPath installed in order to provide sufficient f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question