Need to allow standard users to run sc stop/sc start commands for e1iexpress
up vote
1
down vote
favorite
A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)
We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)
drivers permissions batch active-directory
asked Dec 3 at 8:56
J.Swersey
84
add a comment |
up vote
1
down vote
favorite
A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)
We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)
drivers permissions batch active-directory
asked Dec 3 at 8:56
J.Swersey
84
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)
We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)
drivers permissions batch active-directory
asked Dec 3 at 8:56
J.Swersey
84
A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)
We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)
drivers permissions batch active-directory
drivers permissions batch active-directory
asked Dec 3 at 8:56
J.Swersey
84
asked Dec 3 at 8:56
J.Swersey
84
asked Dec 3 at 8:56
J.Swersey
84
asked Dec 3 at 8:56
J.Swersey
84
asked Dec 3 at 8:56
J.Swersey
84
84
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
accepted
Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)
You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.
You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.
Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.
See also:
- https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user
- https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
answered Dec 3 at 9:01
grawity
231k35486544
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380348%2fneed-to-allow-standard-users-to-run-sc-stop-sc-start-commands-for-e1iexpress%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
accepted
Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)
You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.
You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.
Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.
See also:
- https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user
- https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
answered Dec 3 at 9:01
grawity
231k35486544
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
add a comment |
up vote
1
down vote
accepted
Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)
You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.
You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.
Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.
See also:
- https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user
- https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
answered Dec 3 at 9:01
grawity
231k35486544
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
add a comment |
up vote
1
down vote
accepted
up vote
1
down vote
accepted
Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)
You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.
You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.
Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.
See also:
- https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user
- https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
answered Dec 3 at 9:01
grawity
231k35486544
Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)
You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.
You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.
Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.
See also:
- https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user
- https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
answered Dec 3 at 9:01
grawity
231k35486544
edited Dec 3 at 9:07
answered Dec 3 at 9:01
grawity
231k35486544
answered Dec 3 at 9:01
grawity
231k35486544
answered Dec 3 at 9:01
grawity
231k35486544
231k35486544
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
add a comment |
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
1
1
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
– J.Swersey
Dec 3 at 10:06
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380348%2fneed-to-allow-standard-users-to-run-sc-stop-sc-start-commands-for-e1iexpress%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
