Rights needed to start a service remotely?


Mike Leone
Jun 10, 2024, 3:51:02 PM
to NTSysAdmin
My boss wants my DBAs to be able to query services remotely (on SQL servers), and if necessary, start a service there. What access rights do I need to grant them on the remote box to let them do that? I'm trying not to give them local admin on the remote box, but I haven't been able to figure out what I do need to give them, instead.

He also wants them to be able to query the event logs remotely, and I know for that I can enter them on the "Event Log Readers" group on the remote server.

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Michael B. Smith
Jun 10, 2024, 3:55:28 PM
to ntsys...@googlegroups.com

I think this answers your questions. If not, be more detailed. 😊

https://woshub.com/set-permissions-on-windows-service/

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BjKF%3D0OL8ugSGrodEkJ%3DRBgnFOD9AvffqtKG_oO8Du8JA%40mail.gmail.com.
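A worked version of the first of the four methods the linked article covers (editing the service's own DACL with sc.exe sdset), added here as an illustration; it is not code from the thread or from the article. The server name SQL01, the group CONTOSO\SQL-DBAs and the service name MSSQLSERVER are assumptions, as is the exact set of rights granted. It has to be run by a local administrator of the target box, and it grants query, start and stop only; ChangeConfig (DC) is deliberately left out because anyone who can change a service's binary path can have it run their own code as the service account.

```powershell
# Added example: grant a domain group query/start/stop on one service's DACL via
# sc.exe sdshow / sdset. Assumed names: SQL01, CONTOSO\SQL-DBAs, MSSQLSERVER.
# The service DACL lives in each machine's registry, so on a cluster this is run
# once per node. Must run as an administrator of the target.

param(
    [string]$ComputerName = 'SQL01',
    [string]$ServiceName  = 'MSSQLSERVER',
    [string]$Group        = 'CONTOSO\SQL-DBAs'
)

# Service-specific SDDL rights: CC=QueryConfig LC=QueryStatus SW=EnumerateDependents
# RP=Start WP=Stop LO=Interrogate RC=ReadControl. "Restart" in services.msc is a
# Stop followed by a Start, so both RP and WP are needed. No DC (ChangeConfig),
# WD (WriteDac) or WO (WriteOwner): those would let the holder escalate.
$Rights = 'CCLCSWRPWPLORC'

# sc.exe needs the SID, not the account name, in the ACE
$Sid = ([System.Security.Principal.NTAccount]$Group).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$Ace = "(A;;$Rights;;;$Sid)"

# Read the current descriptor; sc prints a blank line and then the SDDL string
$Sddl = (& sc.exe "\\$ComputerName" sdshow $ServiceName | Where-Object { $_ -match '^D:' })
if (-not $Sddl) { throw "Could not read the security descriptor of $ServiceName on $ComputerName" }
$Sddl = $Sddl.Trim()

if ($Sddl -like "*;;;$Sid)*") {
    Write-Host "$Group already has an ACE on $ServiceName. Current descriptor:`n$Sddl"
    return
}

# Append the ACE to the DACL, i.e. just before the SACL ('S:') when there is one
$NewSddl = if ($Sddl -match '^(?<dacl>D:.*?)(?<sacl>S:.*)$') {
    $Matches.dacl + $Ace + $Matches.sacl
} else {
    $Sddl + $Ace
}

Write-Host "Previous descriptor (keep this to roll back):`n$Sddl"
& sc.exe "\\$ComputerName" sdset $ServiceName $NewSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }

# Verify the ACE is really there before telling anyone it works
$Check = (& sc.exe "\\$ComputerName" sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
if ($Check -notlike "*$Ace*") { throw "ACE for $Group not present after sdset" }
Write-Host "Granted $Rights on $ServiceName to $Group ($Sid) on $ComputerName"
```

Two things a DBA's Computer Management session also depends on: the target's inbound firewall rule groups "Remote Service Management" and "Remote Event Log Management" must be enabled (the Services and Event Viewer snap-ins are RPC to the SCM and to the event log service), and membership in the local Event Log Readers group is what covers the event-log half, as the question already says. Opening a service by name needs only SC_MANAGER_CONNECT on the SCM, which Authenticated Users hold by default; listing all services is governed by the SCM's own DACL (`sc.exe sdshow scmanager`), which is separate from the per-service one set above. On a failover cluster instance the SQL service is a cluster resource, so starting it directly through the SCM on a node bypasses the cluster service; bringing the role online from the cluster side is a different permission set from the one shown here.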

Hammer, Erich F
Jun 10, 2024, 4:26:25 PM
to ntsys...@googlegroups.com
You could try setting up "Just Enough Administration":

https://sid-500.com/2018/02/11/powershell-implementing-just-enough-administration-jea-step-by-step/

A few years back, I was trying to figure out how to use that and build a simple GUI since the user I needed to allow service restarts isn't cmd-line savvy. I got it working on a test server/service, but hit some kind of block on the production server and never got back to it.

Erich
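For the JEA route, here is what the endpoint Erich describes looks like end to end, added as an illustration and not code from the thread or the linked sid-500 walkthrough. The endpoint/module name SqlServiceOps, the group CONTOSO\SQL-DBAs, the service names MSSQLSERVER and SQLSERVERAGENT, the transcript path and the sample user CONTOSO\jdoe are all assumptions. It targets Windows PowerShell 5.1 and is run elevated on each SQL node, since a JEA endpoint is per machine.

```powershell
# Added example: a JEA endpoint that lets one domain group query, start and
# restart two named SQL services and read two event logs, and nothing else.
# Assumed names: SqlServiceOps, CONTOSO\SQL-DBAs, MSSQLSERVER, SQLSERVERAGENT.
# Run elevated on the SQL node; Windows PowerShell 5.1.

$EndpointName = 'SqlServiceOps'
$DbaGroup     = 'CONTOSO\SQL-DBAs'
$Services     = 'MSSQLSERVER', 'SQLSERVERAGENT'
$Logs         = 'Application', 'System'

# 1. JEA only discovers role capability (.psrc) files inside a module's
#    RoleCapabilities folder on $env:PSModulePath, so create a minimal module.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$EndpointName"
New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$EndpointName.psd1") `
                   -Description 'JEA role capabilities for SQL service operators'

# 2. Role capability: an allow-list of cmdlets with -Name / -LogName pinned to
#    fixed values. Stop-Service, Set-Service and Stop-Computer are absent on
#    purpose, and Get-WinEvent's -FilterHashtable / -FilterXml are left out
#    because they carry their own LogName and would sidestep the ValidateSet.
$ServiceParam = @{ Name = 'Name'; ValidateSet = $Services }
$RoleParams = @{
    Path           = Join-Path $ModulePath "RoleCapabilities\$EndpointName.psrc"
    Description    = 'Query/start/restart the SQL services; read Application and System logs'
    VisibleCmdlets = @(
        @{ Name = 'Get-Service';     Parameters = $ServiceParam },
        @{ Name = 'Start-Service';   Parameters = $ServiceParam },
        @{ Name = 'Restart-Service'; Parameters = $ServiceParam },
        @{ Name = 'Get-WinEvent';    Parameters = @(
            @{ Name = 'LogName'; ValidateSet = $Logs },
            @{ Name = 'MaxEvents' }
        ) }
    )
}
New-PSRoleCapabilityFile @RoleParams

# 3. Session configuration: restricted endpoint, run as a transient virtual
#    account (local admin on this box only, no usable network identity), with a
#    transcript of every session so you can see what a DBA actually ran.
$TranscriptDir = 'C:\JEA-Transcripts'
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$SessionParams = @{
    Path                = Join-Path $ModulePath "$EndpointName.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $TranscriptDir
    RoleDefinitions     = @{ $DbaGroup = @{ RoleCapabilities = $EndpointName } }
}
New-PSSessionConfigurationFile @SessionParams
if (-not (Test-PSSessionConfigurationFile -Path $SessionParams.Path)) {
    throw 'Session configuration file failed validation'
}

# 4. Register the endpoint (this restarts WinRM) and list what a member of the
#    group will see. CONTOSO\jdoe is an assumed member used only for the check.
Register-PSSessionConfiguration -Name $EndpointName -Path $SessionParams.Path -Force | Out-Null
Get-PSSessionCapability -ConfigurationName $EndpointName -Username 'CONTOSO\jdoe' |
    Select-Object Name, CommandType

# DBA side, from their workstation (no local admin on SQL01 needed):
#   Invoke-Command -ComputerName SQL01 -ConfigurationName SqlServiceOps `
#       -ScriptBlock { Restart-Service MSSQLSERVER; Get-Service MSSQLSERVER }
#   Invoke-Command -ComputerName SQL01 -ConfigurationName SqlServiceOps `
#       -ScriptBlock { Get-WinEvent -LogName Application -MaxEvents 50 }
```

Inside the session `Restart-Service SomethingElse` fails parameter validation and `Stop-Service` does not exist at all, which is the point: the DBA never holds the virtual account's admin token outside the allow-listed commands, and the transcript directory gives you the audit trail. The same cluster caveat as for a plain service restart applies: on a failover cluster instance the cluster service owns the SQL resource, so a direct Restart-Service on a node is not the operation the DBA really wants.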

Mike Leone
Jun 11, 2024, 9:44:09 AM
to ntsys...@googlegroups.com
On Mon, Jun 10, 2024 at 3:55 PM Michael B. Smith <mic...@smithcons.com> wrote:

I think this answers your questions. If not, be more detailed. 😊

https://woshub.com/set-permissions-on-windows-service/


Hmmm ... OK, that's a lot of ways. However, I'm not sure how I would apply them in this situation. Being more detailed ...

I want my SQL DBAs to be able to remotely try and restart the SQL Service if the service is not running. 
However, some of our SQL Servers are clusters, meaning I would need to set the permissions on each node of the cluster (I think). I don't know if that complicates things beyond repair or not ..

We do use SolarWinds, and I am coordinating with my co-worker who is the guy in charge of that, to try and make an alert be sent if the SQL service is down. However, once they get the alert, they would need to be able to look at an event log (easily enough done, I can add them to the local group "Event Log Readers" using a GPO), but they would also need to try and restart the service.

I'd like them to do both of these (look at event log, and try and restart service) remotely, using Computer Management. 

If the restart service fails, I'm not sure how they would proceed. Would they need to RDP to the SQL Server and do ... stuff? :-) If so, I would need to add them to the Remote Desktop users there (again, easily enough done using GPO) . But at that point, would they need to be local admin to fix .. whatever the problem is? If so, then I don't really need to worry about the event log/service restart, as they would be able to do that, if they were local admins on the remote box.

Let me ask the list: how do you handle this type of situation? Are your DBAs local admins on the SQL servers, so they can troubleshoot and fix problems? Or do you use some other method, like this more granular way of assigning permissions that I am asking about?

Me, I think maybe being local admins on the SQL Servers is the way to go, but I'm willing to listen to others.

(Up until now, the DBAs had been local admins there, but we seem to have changed that. I'm wondering if that was a good idea, or what I would need to do to allow them to do their job.
Or is the fixing more of a network admin role, working with the DBAs? I'd still like them to be able to try and restart the service before calling me or another admin in.)

What do you think?

Tony Burrows
Jun 11, 2024, 9:58:36 AM
to ntsys...@googlegroups.com
We're currently looking at CyberFox to handle local admin requirements of a couple line-of-business apps a few of our locations have to use per the OEM (looking at you, General Motors).

It helps with least privilege by keeping users as standard users (non-local admins), and intercepts the UAC prompts where you can create profiles/rules to allow/deny UAC prompts based on a number of criteria. If a rule doesn't cover the application requesting elevation, it can send a request to the helpdesk or key people to allow/deny the request. It also has a mobile app for the approval/denial process.

Lastly, you can put it into "Technician Mode" which is more/less like running as a local admin without actually running as a local admin and lets you approve/deny all the UAC prompts like usual. 

I still have some testing to explore corner cases but it looks promising. 

Regards,
Tony

Heaton, Joseph@Wildlife
Jun 11, 2024, 10:11:03 AM
to ntsys...@googlegroups.com

Sounds a lot like CyberArk EPM.

Kevin Lundy
Jun 11, 2024, 11:45:29 AM
to ntsys...@googlegroups.com
This could all be done in Solarwinds if desired.  Including allowing for service restart.   If you want to explore that path, I can add more details.

Michael Leone
Jun 11, 2024, 11:56:48 AM
to ntsys...@googlegroups.com
Re-sending, because my original message came back as blocked? Which is
odd, because my email account is serviced by Google ...

Please do! We love our SW guy a lot, but I wouldn't exactly call his
explanations very clear ... then again, maybe he doesn't know,
either.

And the list probably wants to know too, even if just what SW can do ..

Henry Awad
Jun 11, 2024, 12:03:45 PM
to ntsys...@googlegroups.com
Most PAM solutions provide this functionality (Least Privilege) now. Secret Server also can do this.



Fut Dey
Jun 11, 2024, 12:05:44 PM
to ntsys...@googlegroups.com
+1

If cmd-line savvy.

Fut
JEA is a security technology that enables delegated administration for anything managed by PowerShell.



Mike Leone
Jun 11, 2024, 12:06:50 PM
to ntsys...@googlegroups.com
On Tue, Jun 11, 2024 at 12:05 PM Fut Dey <fut_fut...@hotmail.com> wrote:
Not my DBAs. LOL

Kevin Lundy
Jun 11, 2024, 12:44:22 PM
to ntsys...@googlegroups.com
Here's how I would do it. This also assumes either SW HCO, or the older Orion platform with the Software Application Monitor license. I haven't used the SaaS version, so can't say for sure it could be done there.

1) Set up an application monitor to monitor the services - or could use the AppInsight for SQL, which may interest your DBAs.
2) Set up an alert, scope it to the above monitor.
    a) when component down for x minutes, start service
    b) escalate after y minutes (at least one polling interval, 5 minutes by default). If still down, send an email to the DBAs (and/or system admins)
3) Create SW accounts for the DBAs (can be SW, AD, AD Group, or SAML)
    a) account limited to the SQL nodes (many ways to accomplish)
    b) in SAM, allow service action rights and real-time event log viewer.
    c) depending on the number of SQL nodes, I might create a custom view for them and assign it as their home page.

There are many more options but the above would be the bare minimum. The DBAs would be able to see server metrics, disk space, etc. in addition to restarting the service and viewing the event log.




Michael B. Smith
Jun 11, 2024, 2:48:38 PM
to ntsys...@googlegroups.com

This will do what you want – it just shows you four different ways to do it. Pick one. 😊

I agree with the least privilege perspective personally.

But lots of other folks gave you other ideas too. Choose what's best for your organization.
