How to Grant Windows Services Management Permissions via Group Policy (Server 2003 Focus)



Many administrators need to delegate Windows service management permissions without granting full administrative rights. While Group Policy (GP) is commonly used to enable/disable services, configuring service control permissions requires a different approach.

The standard Group Policy Editor (gpedit.msc) doesn't expose direct service permission controls. Most GP-related documentation focuses on service startup configuration rather than management delegation.

For Server 2003, the most effective method combines security templates with Group Policy deployment:


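; Sample INF security template snippet
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
; Entry format: "ServiceName",StartupMode,"SDDL" (2 = Automatic, 3 = Manual, 4 = Disabled)
; The startup mode and the SID placeholder below are illustrative; substitute your own values.
; In the last ACE, RP = start, WP = stop, DT = pause/continue.
"YourServiceName",2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;<SID-of-delegated-group>)"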

1. Create a security template (.inf file) defining specific service permissions
2. Use the Security Configuration and Analysis MMC snap-in to test
3. Deploy via Group Policy

To apply the template directly to a single machine (for example, while testing), use secedit:

secedit /configure /db temp.sdb /cfg yourtemplate.inf /overwrite /log apply.log

For more granular control, Microsoft's subinacl.exe tool can modify service permissions:


subinacl /service \\computername\servicename /grant=domain\group=STO

In the access string, S is query status, T is start and O is stop.

- Remember that Server 2003 uses older security models
- Always test in non-production first
- Document permission changes thoroughly

While this article focuses on Server 2003, newer Windows versions offer:
- Managed Service Accounts (Windows Server 2008+)
- Enhanced Group Policy Service controls


Many administrators need to delegate Windows Services management permissions without granting full administrator access. While Group Policy is commonly used to enable/disable services, configuring granular permissions for service management requires a different approach.

The standard Group Policy Editor (gpedit.msc) doesn't provide direct options for service management permissions. The "System Services" section only allows enabling/disabling services, not permission delegation.

Here's how to achieve this in Server 2003:


1. Open Microsoft Management Console (mmc.exe)
2. Add the "Security Templates" snap-in
3. Create a new template or modify existing one
4. Navigate to: System Services
5. Double-click the target service (e.g., "Print Spooler")
6. Select "Define this policy setting" and click "Edit Security"
7. Add the desired user/group and assign permissions:
   - SERVICE_START
   - SERVICE_STOP
   - SERVICE_PAUSE_CONTINUE
8. Save the template (.inf file)

After creating the security template:


1. Open Group Policy Management Console (gpmc.msc)
2. Create/edit a GPO
3. Navigate to: Computer Configuration > Windows Settings > Security Settings
4. Right-click "Security Settings" > "Import Policy"
5. Select your saved .inf template
6. Link the GPO to appropriate OUs

For quick one-off permissions without GPO:


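sc sdset "ServiceName" "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-32-544)"

sc sdset replaces the service's entire security descriptor, so record the current one with sc sdshow first and build on its output. The last ACE is the one that carries the delegation (RP = start, WP = stop, DT = pause/continue). S-1-5-32-544 is the built-in Administrators group, which the BA ACE already covers, so replace it with the SID of the group you are delegating to.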

  • Test in non-production environment first
  • Document all permission changes
  • Consider using security groups rather than individual users
  • Server 2003 has different security descriptors than newer versions
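
To check a descriptor before it goes into a template or an sc sdset command, the following added example (not part of the original article) decodes the DACL of a service SDDL string and reports any trustee other than LocalSystem or Administrators that holds rights which allow reconfiguring the service or rewriting its ACL. The group SID and the MINIMAL and FULL descriptors are constructed samples; hexadecimal access masks are rejected rather than decoded.

```python
import re

# SDDL access-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# Trustees expected to hold full control: LocalSystem and built-in Administrators.
PRIVILEGED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right names])] for the DACL of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops before any S: (SACL) part
    if not dacl:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        codes = re.findall("..?", fields[2])  # rights are two-letter codes
        if any(c not in SERVICE_RIGHTS for c in codes):  # includes hex masks
            raise ValueError(f"unsupported rights '{fields[2]}' in ({body})")
        aces.append((fields[0], fields[5], [SERVICE_RIGHTS[c] for c in codes]))
    return aces

def audit(sddl):
    """Map each non-privileged trustee to the dangerous rights its allow ACEs grant."""
    findings = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        risky = DANGEROUS.intersection(rights)
        if ace_type == "A" and trustee not in PRIVILEGED and risky:
            findings.setdefault(trustee, set()).update(risky)
    return {t: sorted(r) for t, r in findings.items()}

# Descriptor from the sc sdset command above, then two constructed delegation descriptors.
PAGE_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-32-544)"
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed SID
MINIMAL = f"D:(A;;LCRPWPDT;;;{GROUP_SID})"  # query status, start, stop, pause/continue
FULL = f"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{GROUP_SID})"  # full control for the group
if __name__ == "__main__":
    for name, sddl in (("page", PAGE_SDDL), ("minimal", MINIMAL), ("full", FULL)):
        print(name, audit(sddl) or "no dangerous delegated rights")
```

An empty result means no delegated trustee can change the service configuration or its permissions; the FULL sample shows what a full-control grant to a non-administrative group looks like in the report.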

For more details, consult:

  • Microsoft KB article 914392
  • "Windows Server 2003 Security Guide"
  • TechNet documentation on Service Control Manager security