How to: Allow users to start / stop (server) services

If you’re working for a huge corporation, you’ll probably shiver at the idea of allowing any users to start or stop services on your Windows Servers.  In small companies, however, it’s not always easy or even possible for the System Admin to follow the “perfect safety instructions”.

Take my example.  I work for a company, Drenco N.V.  Although we’re active in different markets (IT, Media, Health and Food), there’s only a few people who actually work at the main office.  Of those people, there’s only one System Admin, and that’s me.  So, if I want to have some rest during my vacations it’s of the utmost importance that others can “fix” problems that occur often.  One of these errors happens to be the DNS server on our SBS 2003 box that needs a restart.  Just recently, I found a way to allow users to stop / start this service (and others), so they’ll be able to do this common task, without much risk to the rest of the network.

Are you in a situation like mine? If you need certain non-admin users to be able to stop / start services on a Windows server, the following guide will be usefull to you.

How to do it.

  • First of all, we need to install a component of the Microsoft Resource kit.  The file in question is SUBINACL.  Google will point you in the right direction; download the version that matches your server.
    Link to the download:
  • If you’ve downloaded the file, install it on your server.  note: choose an installation location that’s easy to find.  You’ll need to navigate there w/ the command prompt.
  • Open your command prompt, and navigate to the folder where you installed the tool. (Default: c:\Program Files\Microsoft Resource Kit\Tools)
  • Run the following command –replace everything between ( ) with your own parameters and, obviously, get rid of the ( ).
    SUBINACL /service \\(target machine)\(short name of service to restart) GRANT= (domain)\(user)=F.
  • Now that the server side is all taken care off, you’ll want to make it as easy as possible for your user in question to start / stop the service.  Open notepad, and use the following lines:
    sc \\(target machine) (command) (service)
  • Save the file as (somename).bat and send it to the user; who then only needs to run the file.

Examples:

And that’s it!  Remember, be carefull which rights you’re giving to what user.  The only person you can trust in a network, is you. (Unless you’re unreliable, in which case your IT department is doomed).

Advertisements

6 thoughts on “How to: Allow users to start / stop (server) services”

  1. My appologies there was a small error my previous post of this batch file.

    “set ANSWER=” was missing, meaning the service status would not refresh on user input of ENTER. The previous example would continue to issue the last entered command as it was not cleared at the begining of the script.

    Steve please feel free to delete this and above text and the original post! Thanks!

    ——————————————————————————-

    Great information, thank you.
    I’ve made this useful batch file for the end user, it maybe of use to anyone reading this. Just set the SERVER & SERVICE variables and deploy.

    —————————-begin service.bat—————————

    REM ****Service start/stop script D.Collings 07.Nov.2011

    REM ****Set the 2 variables below for server & service, that is all.

    set SERVER=fran-dc01.emea.ad.beck-pollitzer.com
    set SERVICE=winvnc

    REM ****Begin script. Nothing needs to be edited below this line.

    @echo off
    :ask
    set ANSWER=
    cls
    echo ——————————————————————————–
    echo Status of %SERVICE% service on %SERVER%
    echo.
    echo ——————————————————————————–
    sc “\\%SERVER%” query “%SERVICE%”
    echo.
    echo ——————————————————————————–
    echo.
    echo Hit ENTER to refresh service status.
    echo.
    SET /P ANSWER= Options: START/STOP/EXIT:
    echo User selected option: [%ANSWER%]
    if /i {%ANSWER%}=={start} (goto :start)
    if /i {%ANSWER%}=={stop} (goto :stop)
    if /i {%ANSWER%}=={exit} (goto :exit)
    goto :ask
    :start
    cls
    echo.
    echo Attempting to %ANSWER% %SERVICE% service on %SERVER%
    sc “\\%SERVER%” %ANSWER% “%SERVICE%”
    echo.
    pause
    goto ask
    exit /b 0

    :stop
    cls
    echo.
    echo Attempting to %ANSWER% %SERVICE% service on %SERVER%
    sc “\\%SERVER%” %ANSWER% “%SERVICE%”
    echo.
    pause
    goto ask
    exit /b 1

    :exit
    cls
    exit
    exit /b 2

    Like

  2. On your commnad there is an “=F” missing at he end.

    So the ommand should look like this

    SUBINACL /service \\192.168.0.200\DNS GRANT= toretto.local\Toretto=F

    Like

Comments are closed.