How can I delegate permission for a user or group to control certain services?
February 26, 2006
A. By default, users can't control system services--they'll receive an "Error 5: Access is denied" error message. The following steps show how to use Group Policy to grant a user access to control the Print Spooler service.
Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services.
Navigate to the Computer Configuration, Windows Settings, Security Settings, System Services.
Double-click the service for which you want to delegate permissions (e.g., Print Spooler) as the figure shows.
Select the "Define this policy setting" and click Edit Security.
Click Add and enter the user/group to be given permissions.
After you select the user/group, pick the permissions you want to give to group members (e.g., "Start, stop and pause") and click OK, as the figure shows.
Ensure the services startup type is correct (e.g., Automatic) and click OK.
After the Group Policy has been applied to the target machines, the user/group given control will be able to perform the delegated actions.
To Start, Stop, and Pause a service, users need the Read and the Stop, Start, and Pause permissions. These permissions are exposed only through Group Policy. You can create organizational units (OUs) that contain the workstations that you want the policy applied to. To assign service permissions to the computers in an OU, perform these steps:
Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
Right-click a domain and press New, Organizational Unit.
Name the OU and press OK.
Right-click this new OU and select Properties.
Select the Group Policy tab.
Press New and name the policy.
Highlight the new policy and select Edit.
Navigate to Computer Configuration, Windows Settings, Security Settings, System Services.
Double-click the service you want users to manage.
Select the "Define this Policy Setting" check box.
Remove the Everyone group.
Add the System account, Domain Admins, and any user or groups you desire.
Grant the System account and Domain Admins Full Control. Grant the other users and groups both Read and Stop, Start, and Pause permissions.
Click OK.
Change the startup mode from Disabled to Automatic or Manual.
Click Apply and OK.
Close the policy and press OK.
Move the computer accounts for which you want to apply the policy into the OU.
About the Author
You May Also Like