I have a large number of Windows servers running services (such as print
spoolers) that I wish non-admin staff - such as the helpdesk - to be able to
stop and start remotely (without having to add them to the local admin group).
I have used the following solution successfully on w2k sp4 and w2k3.
Apply permissions to the service in question to the group in question by
using subinacl:
eg subinacl /service spooler /grant=domain\HelpdeskAdmins=STO
I then use a script to call SC
eg sc \\servername start "Spooler"
This no longer seems to work on w2k3 sp1.
I appreciate that this could be classed as a security enhancement - but
forcing people to be added to local admin when all they need to do is control
a single service seems like a backwards step?
Does anyone have a solution to administer services remotely on w2k3 sp1 that
does not require local admin rights?
Cheers
Dinny
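An added example, not part of the original thread: one way to confirm that a delegation like the subinacl grant above gives the helpdesk group only query-status, start and stop on the service, by decoding the service's security descriptor in the SDDL form that `sc sdshow` prints. The SID and both SDDL strings are constructed sample values, and `rights_for` and `audit` are hypothetical helper names.

```python
import re

# Two-letter SDDL access codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# subinacl letters S, T, O from the post: query status, start, stop.
EXPECTED = {"QUERY_STATUS", "START", "STOP"}
# Rights that let the holder reconfigure the service or rewrite its ACL.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "DELETE"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def rights_for(sddl, trustee):
    """Rights granted to trustee by allow ACEs in the DACL (SACL is ignored)."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    granted = set()
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A" or fields[5] != trustee:
            continue
        mask = fields[2]
        if mask.startswith("0x"):          # raw hex mask: report it undecoded
            granted.add(mask)
            continue
        for i in range(0, len(mask), 2):
            code = mask[i:i + 2]
            granted.add(SERVICE_RIGHTS.get(code, code))
    return granted

def audit(sddl, trustee):
    """Compare what trustee holds against the start/stop/status delegation."""
    granted = rights_for(sddl, trustee)
    return {"missing": sorted(EXPECTED - granted),
            "excess": sorted(granted - EXPECTED),
            "dangerous": sorted(granted & DANGEROUS)}

# Constructed sample data: a made-up group SID and two made-up descriptors.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
GOOD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;LCRPWP;;;" + HELPDESK + ")S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
OVER = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;LCRPWPDCWD;;;" + HELPDESK + ")"

if __name__ == "__main__":
    print(audit(GOOD, HELPDESK))
    print(audit(OVER, HELPDESK))
```

This checks only the ACL on the service object itself; it says nothing about whether the account is allowed to reach the service control manager on the remote server.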
The Server Operators group does have the ability to shut down the system, create
shared resources and such. You can likely use a group policy or ACL to
prevent some things like the ability to log on locally to a Domain
Controller.
--
Paul Hinsberg
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com