How to Grant Windows Services Management Permissions via Group Policy (Server 2003 Focus)


Many administrators need to delegate Windows service management permissions without granting full administrative rights. While Group Policy (GP) is commonly used to enable/disable services, configuring service control permissions requires a different approach.

The standard Group Policy Editor (gpedit.msc) doesn't expose direct service permission controls. Most GP-related documentation focuses on service startup configuration rather than management delegation.

For Server 2003, the most effective method combines security templates with Group Policy deployment:


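; Sample INF security template snippet
; Entry format: "ServiceName",StartupMode,"SDDL security descriptor"
; StartupMode: 2 = Automatic, 3 = Manual, 4 = Disabled
; <GROUP-SID> is a placeholder for the SID of the delegated group.
; Its ACE grants query, start (RP), stop (WP) and pause/continue (DT),
; but not change-config (DC), WRITE_DAC (WD) or WRITE_OWNER (WO).
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"YourServiceName",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;<GROUP-SID>)"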

1. Create a security template (.inf file) defining specific service permissions
2. Use the Security Configuration and Analysis MMC snap-in to test
3. Deploy via Group Policy, or apply the template directly to a machine with secedit:


# Apply the security template to the local machine
secedit /configure /db temp.sdb /cfg yourtemplate.inf /overwrite /log apply.log

For more granular control, Microsoft's subinacl.exe tool can modify service permissions. In the example below, STO grants query status (S), start (T) and stop (O):


subinacl /service \\computername\servicename /grant=domain\group=STO

- Remember that Server 2003 uses older security models
- Always test in non-production first
- Document permission changes thoroughly

While this article focuses on Server 2003, newer Windows versions offer:
- Managed Service Accounts (Windows Server 2008+)
- Enhanced Group Policy Service controls


Many administrators need to delegate Windows Services management permissions without granting full administrator access. While Group Policy is commonly used to enable/disable services, configuring granular permissions for service management requires a different approach.

The standard Group Policy Editor (gpedit.msc) doesn't provide direct options for service management permissions. The "System Services" section only allows enabling/disabling services, not permission delegation.

Here's how to achieve this in Server 2003:


1. Open Microsoft Management Console (mmc.exe)
2. Add the "Security Templates" snap-in
3. Create a new template or modify an existing one
4. Navigate to: System Services
5. Double-click the target service (e.g., "Print Spooler")
6. Select "Define this policy setting" and click "Edit Security"
7. Add the desired user/group and assign permissions:
   - SERVICE_START
   - SERVICE_STOP
   - SERVICE_PAUSE_CONTINUE
8. Save the template (.inf file)

After creating the security template:


1. Open Group Policy Management Console (gpmc.msc)
2. Create/edit a GPO
3. Navigate to: Computer Configuration > Windows Settings > Security Settings
4. Right-click "Security Settings" > "Import Policy"
5. Select your saved .inf template
6. Link the GPO to appropriate OUs

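For quick one-off permissions without a GPO, use sc sdset. It replaces the service's existing DACL, so start from the output of sc sdshow "ServiceName" and append an ACE for the delegated group. In the command below, <GROUP-SID> is a placeholder for that group's SID:


sc sdset "ServiceName" "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;<GROUP-SID>)"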

  • Test in a non-production environment first
  • Document all permission changes
  • Consider using security groups rather than individual users
  • Server 2003 has different security descriptors than newer versions
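
An added example (not part of the original article): a Python check that decodes a service DACL in SDDL form and flags Allow ACEs that give a non-administrative trustee the right to reconfigure the service or rewrite its ACL, which is the usual way a delegation turns into a path to SYSTEM. The SY, BA and IU ACEs are taken from the sc sdset command above; the group SID and the two delegation ACEs are constructed for illustration.

```python
import re

# Meaning of SDDL right mnemonics when the securable object is a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
PRIVILEGED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}  # LocalSystem, Administrators

def parse_dacl(sddl):
    """Return (ace_type, trustee, [right codes]) for every ACE in the D: part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL with ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        codes = re.findall("..", fields[2])
        if "".join(codes) != fields[2] or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError("unsupported rights string: %r" % fields[2])
        aces.append((fields[0], fields[5], codes))
    return aces

def risky_aces(sddl):
    """Allow ACEs that hand a DANGEROUS right to a non-privileged trustee."""
    findings = []
    for ace_type, trustee, codes in parse_dacl(sddl):
        bad = sorted(DANGEROUS.intersection(codes))
        if ace_type == "A" and trustee not in PRIVILEGED and bad:
            findings.append((trustee, [SERVICE_RIGHTS[c] for c in bad]))
    return findings

# SY, BA and IU ACEs as in the sc sdset command on this page.
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)")
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SCOPED = BASE + "(A;;LCRPWPDTLORC;;;%s)" % GROUP            # start/stop/pause
OVERBROAD = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;%s)" % GROUP

if __name__ == "__main__":
    print(risky_aces(SCOPED), risky_aces(OVERBROAD))
```

Feed it the string printed by sc sdshow for each delegated service; hexadecimal access masks are rejected rather than guessed at.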

For more details, consult:

  • Microsoft KB article 914392
  • "Windows Server 2003 Security Guide"
  • TechNet documentation on Service Control Manager security