
Windows: Grant Rights to Control Service as Standard User

Usually, non-administrator accounts aren't allowed to start or stop a Windows service.

If you want to grant a specific user the rights to start and stop a service, you have no option to do so with the GUI.

There are a few options to change the rights; this article shows a manual command-line approach.

First you'll need the name of the service you want to grant the user or group rights to.

You can either open the properties of a service in the Services console and check "Service Name", or get this information on the command line with "sc query".

In the example below, the spooler service is used. Note that the SID and ACE strings will differ for you, so don't copy them from this article; generate them in your own environment.

Open Notepad to assemble the various pieces before executing them.

1. Run "sc sdshow spooler" in an elevated command prompt

2. Copy the output into Notepad

   (The output looks something like D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) )

3. Open PowerShell

4. Execute $name = 'youraccount@yourdomain.local' to define the user or group you want to grant rights to

5. Execute (New-Object System.Security.Principal.NTAccount($name)).Translate([System.Security.Principal.SecurityIdentifier]).Value

6. Copy the output into Notepad

   (The SID looks something like S-1-5-21-4213571765-3011660797-781512315-2226)

7. Now copy the last bracket of the "D:" part of the string you got as output of sc sdshow and paste it just before the "S:"

8. Modify the pasted bracket: replace the SY with the SID you got in step 5, and replace the part between the 2nd and 3rd semicolon with "RPWPCR"

   (For the sample given, the string would now look like D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPCR;;;S-1-5-21-4213571765-3011660797-781512315-2226)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) )

9. Run "sc sdset spooler <The string you generated in step 8>" in an elevated command prompt

   (sc sdset spooler D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPCR;;;S-1-5-21-4213571765-3011660797-781512315-2226)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) )

After that, the user is able to start and stop the modified service.
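
The same procedure as one script, added here as an example (it is not part of the original article). The service and account are the article's sample values, the backup file location is an assumption, and the script adds a parse check and a saved copy of the original descriptor so a bad edit can be reverted.

```powershell
# Added example: the manual steps above as one script. Run in an elevated PowerShell session.
# $Service and $Account are the article's sample values; replace them with your own.
$Service = 'spooler'
$Account = 'youraccount@yourdomain.local'

# Step 5: resolve the account to its SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 1: read the current descriptor. Use sc.exe explicitly, because in
# Windows PowerShell "sc" is an alias for Set-Content. Skip blank output lines.
$sddl = (& sc.exe sdshow $Service | Where-Object { $_ -match '\S' } | Select-Object -First 1)
if ($null -eq $sddl -or $sddl.Trim() -notmatch '^D:') { throw "Unexpected sdshow output: $sddl" }
$sddl = $sddl.Trim()

# Save the original so it can be restored with: sc.exe sdset <service> <saved string>
# (the backup location is an assumption of this example).
$backup = Join-Path $env:TEMP "$Service-sddl-backup.txt"
Set-Content -Path $backup -Value $sddl

# Steps 7 and 8: allow-ACE with RP (start), WP (stop), CR (user-defined control).
$ace = "(A;;RPWPCR;;;$sid)"

if ($sddl.Contains(";;;$sid)")) {
    # Do not stack a second ACE for the same account; review the existing one by hand.
    Write-Warning "An ACE for $sid is already present in: $sddl"
}
else {
    # Append to the DACL: just before "S:" when a SACL is present, else at the end.
    $idx = $sddl.IndexOf('S:')
    $new = if ($idx -ge 0) { $sddl.Insert($idx, $ace) } else { $sddl + $ace }

    # Parse check: throws if the edited string is not a valid security descriptor.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

    Write-Host "Old: $sddl"
    Write-Host "New: $new"

    # Step 9: apply the new descriptor.
    & sc.exe sdset $Service $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed; original saved in $backup" }
}
```

Running "sc.exe sdshow spooler" again afterwards should show the new ACE as the last entry of the "D:" part.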

More information about the ACE Strings can be found here.