If you’re working for a huge corporation, you’ll probably shiver at the idea of allowing any users to start or stop services on your Windows Servers. In small companies, however, it’s not always easy or even possible for the System Admin to follow the “perfect safety instructions”.
Take my example. I work for a company, Drenco N.V. Although we’re active in different markets (IT, Media, Health and Food), there’s only a few people who actually work at the main office. Of those people, there’s only one System Admin, and that’s me. So, if I want to have some rest during my vacations it’s of the utmost importance that others can “fix” problems that occur often. One of these errors happens to be the DNS server on our SBS 2003 box that needs a restart. Just recently, I found a way to allow users to stop / start this service (and others), so they’ll be able to do this common task, without much risk to the rest of the network.
Are you in a situation like mine? If you need certain non-admin users to be able to stop / start services on a Windows server, the following guide will be usefull to you.
How to do it.
- First of all, we need to install a component of the Microsoft Resource kit. The file in question is SUBINACL. Google will point you in the right direction; download the version that matches your server.
Link to the download:
- If you’ve downloaded the file, install it on your server. note: choose an installation location that’s easy to find. You’ll need to navigate there w/ the command prompt.
- Open your command prompt, and navigate to the folder where you installed the tool. (Default: c:\Program Files\Microsoft Resource Kit\Tools)
- Run the following command –replace everything between ( ) with your own parameters and, obviously, get rid of the ( ).
SUBINACL /service \\(target machine)\(short name of service to restart) GRANT= (domain)\(user)=F.
- Now that the server side is all taken care off, you’ll want to make it as easy as possible for your user in question to start / stop the service. Open notepad, and use the following lines:
sc \\(target machine) (command) (service)
- Save the file as (somename).bat and send it to the user; who then only needs to run the file.
- For the SUBINACL command= SUBINACL /service \\192.168.0.200\DNS GRANT= toretto.local\Toretto
- For the SC command (this .bat file would restart the DNS service on the target machine):
sc \\192.168.168.0.200 stop DNS
sc \\192.£168.0.200 start DNS
And that’s it! Remember, be carefull which rights you’re giving to what user. The only person you can trust in a network, is you. (Unless you’re unreliable, in which case your IT department is doomed).