How to Allow Non-Admin Users to Start/Stop Windows Service?

By default, regular (non-admin) users cannot manage Windows services. This means that users cannot stop, start, restart, or change the settings/permissions of Windows services. In some cases, a user needs the permissions to restart or manage certain services. In this article we'll look at several ways to manage the permissions for Windows services. In particular, we'll show you how to allow a non-admin user to start, stop and restart a specific Windows service by granting the appropriate permissions.

Suppose you want to grant the domain account contoso\tuser the permissions to restart the Print Spooler service (service name: spooler). When the non-admin user tries to restart the service, an error appears:

System error 5 has occurred. Access is denied.

There is no simple and convenient built-in tool to manage service permissions in Windows. We'll consider several ways to grant a user the permissions to manage a service:

Setting Windows Service Permissions Using the SC.exe (Service controller) Tool

The standard built-in Windows way to manage system service permissions is to use the sc.exe (Service Controller) tool. The main drawback of this utility is the complex syntax of the service permissions format (the SDDL format, Security Descriptor Definition Language).

You can get the current permissions for a Windows service as an SDDL string like this:

sc.exe sdshow Spooler

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

What do all these symbols mean?

S: — System Access Control List (SACL)
D: — Discretionary ACL (DACL)

The first letter inside the parentheses is the ACE type: allow (A) or deny (D).

The next set of symbols are the assignable permissions (each two-letter code is one access right):

CC — SERVICE_QUERY_CONFIG (query service configuration)
LC — SERVICE_QUERY_STATUS (query service status)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE

The last two characters denote the trustee (user, group or SID) that is granted the permissions. There is a list of predefined groups (well-known SID aliases):

AU Authenticated users
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user

Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID of the current user, you can use the command:

whoami /user

Or you can find the SID of any domain user using the cmdlet:

Get-ADUser -Identity 'sadams' | Select SID

You can get the SID of an AD security group using the cmdlet (replace the placeholder with the group name):

Get-ADGroup -Filter {Name -eq "<GroupName>"} | Select SID

To assign the SDDL permissions string to a specific service, you can use the sc sdset command. For example, the permissions can be granted to a user (by SID) with the following command. Note that sc sdset replaces the entire security descriptor, so the string must contain the existing ACEs as well as the new one; in this example the ACE (A;;RPWPCR;;;S-1-5-21-…-1000) grants the user SERVICE_START, SERVICE_STOP and SERVICE_USER_DEFINED_CONTROL:

sc sdset Spooler "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
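The decoding of the SDDL string explained above and the sdset-style grant can be scripted instead of done by hand. The following PowerShell is an added example, not code from the original article: it uses the .NET RawSecurityDescriptor class to list which principal holds which service right, and then appends one least-privilege ACE (start, stop, pause/continue and READ_CONTROL) for a given SID. The function names and the SID value are the example's own; the SDDL input is the Spooler string quoted earlier.

```powershell
# Added example, not from the original article: decode a service SDDL string into
# per-principal rights, then build a least-privilege SDDL that adds only the rights needed
# to restart the service for one SID. Mask bits are from winsvc.h; comments give the SDDL code.
$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x0001   # CC
    SERVICE_CHANGE_CONFIG        = 0x0002   # DC
    SERVICE_QUERY_STATUS         = 0x0004   # LC
    SERVICE_ENUMERATE_DEPENDENTS = 0x0008   # SW
    SERVICE_START                = 0x0010   # RP
    SERVICE_STOP                 = 0x0020   # WP
    SERVICE_PAUSE_CONTINUE       = 0x0040   # DT
    SERVICE_INTERROGATE          = 0x0080   # LO
    SERVICE_USER_DEFINED_CONTROL = 0x0100   # CR
    DELETE                       = 0x10000  # SD
    READ_CONTROL                 = 0x20000  # RC
    WRITE_DAC                    = 0x40000  # WD
    WRITE_OWNER                  = 0x80000  # WO
}
function Get-ServiceSddlAccess {
    # Lists every DACL entry of a service SDDL as SID, allow/deny type and named rights.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $names = @($ServiceRights.Keys | Where-Object { ($ace.AccessMask -band $ServiceRights[$_]) -ne 0 })
        [pscustomobject]@{ Sid = $ace.SecurityIdentifier.Value; Type = $ace.AceType; Rights = $names -join ',' }
    }
}
function Add-ServiceStartStopAce {
    # Appends one allow ACE for $Sid and returns the complete SDDL. sc sdset replaces the
    # whole descriptor, so the existing ACEs are kept by editing the parsed object.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Sid)
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $mask = ($ServiceRights['SERVICE_START'] -bor $ServiceRights['SERVICE_STOP'] -bor
             $ServiceRights['SERVICE_PAUSE_CONTINUE'] -bor $ServiceRights['READ_CONTROL'])
    $ace  = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, [System.Security.Principal.SecurityIdentifier]::new($Sid), $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}
# Constructed input: the Spooler descriptor quoted earlier in the article and a placeholder
# domain SID (not a real account) for the user who should be able to restart the service.
$current = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$userSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
Get-ServiceSddlAccess -Sddl $current | Format-Table -AutoSize
$new = Add-ServiceStartStopAce -Sddl $current -Sid $userSid
Get-ServiceSddlAccess -Sddl $new | Where-Object Sid -eq $userSid   # the new ACE: Start, Stop, Pause/Continue, Read control
# On the target host use the live descriptor, $current = ((sc.exe sdshow Spooler) -join '').Trim(),
# review $new, then apply it with: sc.exe sdset Spooler $new
```

The new ACE renders in the output SDDL as (A;;RPWPDTRC;;;S-1-5-21-…), the same right set the Security Template later in this article produces.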

Using SubInACL to Allow a User to Start/Stop/Restart a Service

It is easier to use the SubInACL command line tool from Sysinternals (by Mark Russinovich) to manage service permissions. The syntax of this tool is much simpler and more convenient. Here is how to grant a user the permission to restart a service using SubInACL:

  1. Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it on the target system;
  2. In an elevated command prompt, go to the directory containing the tool: cd "C:\Program Files (x86)\Windows Resource Kits\Tools"
  3. Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO
    Note. In this case we have granted the user the permissions to pause/continue, start and stop (restart) the service. The full list of available service permissions:

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service
    U : Service User-Defined Control Commands

    If you need to grant permissions to a service running on a remote computer, use the following syntax of the subinacl command:
    subinacl /SERVICE \\lon-prnt1\spooler /grant=contoso\tuser=F

  4. Now you only need to log on to the computer under the user account and try to restart the service with the commands:
    net stop spooler
    net start spooler
    or
    sc stop spooler && sc start spooler

If you did everything right, the service should restart.

To revoke the assigned service permissions, use the /revoke option of the subinacl.exe tool. For example:

subinacl.exe /service Spooler /revoke=contoso\tuser

How to Change Windows Service Permission Using Process Explorer?

You can also change Windows service permissions using another Sysinternals utility, Process Explorer. Run Process Explorer as administrator and find the process of the service you need. In our example, this is spoolsv.exe (the spooler executable, C:\Windows\System32\spoolsv.exe). Open the process properties and click the Services tab.

Click the Permissions button and add the user or group in the window that opens. Then select the permissions you want to assign (Full Control/Write/Read).

Setting Windows Service Permissions Using PowerShell

In the TechNet gallery there is a separate unofficial PowerShell module for managing permissions for various Windows objects, the PowerShellAccessControl module (you can download it here). This module also allows you to manage service permissions. Install this module and import it into your PS session:

Import-Module PowerShellAccessControl

You can get the effective permissions for a service like this:

Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser

To allow a non-admin user to start and stop the spooler service, run the command:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corp\tuser

Using Security Templates to Manage Service Permissions

A visual (but requiring more steps) graphical way to manage service permissions is to use Security Templates. Open the mmc.exe console and add the Security Templates snap-in.

Create a new security template (New Template).

Specify the name for the new template and go to the System Services section. In the list of services select the Print Spooler service and open its properties.

Select the startup mode (Automatic) and click Edit Security.

Using the Add button, add a user account or a group to grant permissions to. In our case, the Start, stop and pause permission is enough.

Save this template.

Note. The contents of the Security Template are saved as an INF file in the C:\Users\%username%\Documents\Security\Templates folder.

If you open this file, you can see that the information about the permissions is stored in the SDDL format mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Now you only need to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import your Security Template from the file Spooler User Rights.inf.

Apply this template by selecting the Configure Computer Now option from the context menu.

Now check that the user can manage the Print Spooler service under a non-admin account.

How to Grant Users Rights to Manage a Service Using GPO?

If you need to grant users permissions to start/stop a service on multiple servers or domain computers, it's easier to use Group Policy (GPO) features:

  1. Create a new GPO or edit an existing one, and link it to the required Active Directory container (OU) with the computer objects. Go to the policy section Computer Configuration -> Windows Settings -> Security Settings -> System Services;
  2. Find the Spooler service and grant permissions to the users as in the method described above. Save the changes;
  3. Wait until the GPO is applied on the client computers and make sure that the new service permissions have been assigned.

Where are the Windows Service Security Permissions Stored?

The security settings for all services whose default permissions you have changed are stored in the service's own registry key HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Security, in the Security value of the REG_BINARY type.

This means that one of the ways to set service permissions on other computers is to export/import this registry value (including ).
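Because the binary Security value is simply the self-relative form of the same security descriptor, it can be decoded back to SDDL and audited. The following PowerShell is an added example, not from the original article: it decodes such a blob and walks the Services key to find non-default principals that hold SERVICE_CHANGE_CONFIG or WRITE_DAC, rights that go beyond start/stop. Function names are the example's own; the offline check round-trips the template string from the article through binary form.

```powershell
# Added example, not from the original article: decode the REG_BINARY Security value
# of a service and flag ACEs that give principals other than SYSTEM/Administrators
# SERVICE_CHANGE_CONFIG (0x0002) or WRITE_DAC (0x40000). Either right lets the holder
# change the service binary path or its permissions, which is more than start/stop.
function ConvertFrom-ServiceSecurityBlob {
    # The registry stores the descriptor in self-relative binary form; it starts at offset 0.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Blob, 0)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}
function Find-RiskyServiceAce {
    # Returns service name, SID and access mask for allow ACEs that grant config/DACL changes
    # to anyone but Local System (S-1-5-18) and Builtin\Administrators (S-1-5-32-544).
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $blob = (Get-ItemProperty -Path "$($key.PSPath)\Security" -Name Security -ErrorAction SilentlyContinue).Security
        if (-not $blob) { continue }   # service still uses the default descriptor
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$blob, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($trusted -contains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band 0x40002) -eq 0) { continue }
            [pscustomobject]@{ Service = $key.PSChildName; Sid = $ace.SecurityIdentifier.Value; Mask = ('0x{0:X}' -f $ace.AccessMask) }
        }
    }
}
# Offline check with a constructed blob: the template string quoted above, converted to
# binary form, which is exactly what the registry value contains.
$sddl = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)'
$tmp  = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$bin  = New-Object byte[] $tmp.BinaryLength
$tmp.GetBinaryForm($bin, 0)
ConvertFrom-ServiceSecurityBlob -Blob $bin   # prints the SDDL back; the user ACE has no DC or WD
# Live audit on a Windows host (run elevated so every Security subkey is readable):
Find-RiskyServiceAce | Format-Table -AutoSize
```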

So, we have looked at several ways to manage Windows service permissions, which allow you to grant any permissions for system services to a non-admin user. If the user requires remote access to the service without being granted local logon or permissions, you must allow the user .
