Need to allow standard users to run sc stop/sc start commands for e1iexpress











up vote
1
down vote

favorite












A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)



We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)










share|improve this question


























    up vote
    1
    down vote

    favorite












    A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)



    We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)










    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)



      We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)










      share|improve this question













      A persistent problem we have is that on our computers, our internet drivers crash when laptops move from place to place. In theory, we could solve this by giving the users a script to restart the driver with sc stop and sc start; in practice, we can't give our users admin permissions, and any method involving /SaveCred would be very time-intensive, as we have quite a few computers here. (Unless we can use SaveCred once on a server and let everyone just access that batch file? I don't know if that works.)



      We're running Win10 with an Active Directory backend. Any help would be much appreciated. :)







      drivers permissions batch active-directory






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 3 at 8:56









      J.Swersey

      84




      84






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote



          accepted










          Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)



          You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.



          You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.



          Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.



          See also:




          • https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user

          • https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/






          share|improve this answer



















          • 1




            In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
            – J.Swersey
            Dec 3 at 10:06













          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380348%2fneed-to-allow-standard-users-to-run-sc-stop-sc-start-commands-for-e1iexpress%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote



          accepted










          Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)



          You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.



          You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.



          Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.



          See also:




          • https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user

          • https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/






          share|improve this answer



















          • 1




            In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
            – J.Swersey
            Dec 3 at 10:06

















          up vote
          1
          down vote



          accepted










          Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)



          You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.



          You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.



          Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.



          See also:




          • https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user

          • https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/






          share|improve this answer



















          • 1




            In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
            – J.Swersey
            Dec 3 at 10:06















          up vote
          1
          down vote



          accepted







          up vote
          1
          down vote



          accepted






          Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)



          You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.



          You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.



          Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.



          See also:




          • https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user

          • https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/






          share|improve this answer














          Services (including drivers) have a security descriptor, in other words an ACL, similar to files and folders. This describes which users can use what controls (start, stop, pause, etc.)



          You can retrieve the raw security descriptor via sc sdshow <svcname>, update it with new access rights, then use sc sdset ... to store it back. See this ServerFault thread for instructions on doing so manually.



          You can probably set service permissions via Group Policy. Unfortunately the policy editor seems to list only built-in Windows services (with no ability to enter a custom name), although technically there's no reason it shouldn't be able to edit them.



          Third-party programs also exist to edit service ACLs graphically. Personally I would use "Process Hacker" for this to build the desired SD on one computer, then grab it via sc sdshow and distribute that. There's also SubInACL, possibly PowerShell Set-Acl.



          See also:




          • https://serverfault.com/questions/187302/how-do-i-grant-start-stop-restart-permissions-on-a-service-to-an-arbitrary-user

          • https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 3 at 9:07

























          answered Dec 3 at 9:01









          grawity

          231k35486544




          231k35486544








          • 1




            In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
            – J.Swersey
            Dec 3 at 10:06
















          • 1




            In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
            – J.Swersey
            Dec 3 at 10:06










          1




          1




          In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
          – J.Swersey
          Dec 3 at 10:06






          In theory, I should be able to use the domain controller to throw the sc sdset command into a startup script, and give Authenticated Users the right to start/stop those commands with RP/WP. That worked, but then when I tried to actually stop the service, the error shifted from "Access Denied" to [SC] ControlService FAILED 1052: The requested control is not valid for this service. Which is... great. So this may have been a waste of time. But thanks a lot for the answer! :)
          – J.Swersey
          Dec 3 at 10:06




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380348%2fneed-to-allow-standard-users-to-run-sc-stop-sc-start-commands-for-e1iexpress%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          Origin of the phrase “under your belt”?