![]() ![]() Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser You can get the effective permissions for a specific Windows service from PowerShell like this: Install this module and import it into your PS session: This module also allows you to manage the service permissions. In TechNet gallery there is a separate unofficial PowerShell module for managing permissions for different Windows objects – PowerShellAccessControl Module (you can download it here). Setting Windows Service Permissions Using PowerShell After that select the permissions that you want to assign (Full Control/Write/Read). Open the process properties and click the Services tab.Ĭlick the Permissions button and add the user or group in the window that opens. In our example, this is spoolsv.exe (the spooler executable – C:\Windows\System32\spoolsv.exe). Run the Process Explorer as administrator and find the process of the service you need. You can change Windows service permissions using one more Sysinternals utility – Process Explorer. How to Change Windows Service Permission Using Process Explorer? Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO.In the elevated command prompt, go to the directory containing the tool: cd “C:\Program Files (x86)\Windows Resource Kits\Tools\".Download subinacl.msi from this webpage ( ) and install it on the target system.Here is how you can grant the restart permissions for a service using the SubInACL: The syntax of this tool is much easier and more convenient. It is easier to use a command line tool SubInACL from the Sysinternals (by Mark Russinovich) to manage the service permissions. ![]() Sc sdset Spooler "D:(A CCLCSWRPWPDTLOCRRC SY)(A CCDCLCSWRPWPDTLOCRSDRCWDWO BA)(A CCLCSWLOCRRC IU)(A CCLCSWLOCRRC SU)(A RPWPCR S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU FA CCDCLCSWRPWPDTLOCRSDRCWDWO WD)" Using the SubInACL to Allow a User to Start/Stop/Restart Service For example, the permissions can be granted to a user with the following command: In order to assign the SDDL permissions string for a specific service, you can use the sc sdset command. You can get the SID of the AD security group using the Get-ADGroup cmdlet: Get-ADUser -Identity 'sadams' | select SID Or you can find the SID for any domain user using the Get-ADUser cmdlet: To get the SID for the current user, you can use the command: Instead of a predefined group, you can explicitly specify a user or group by SID. The last 2 characters are the objects (user, group or SID) that are granted permissions. LC - SERVICE_QUERY_STATUS (service status polling) CC - SERVICE_QUERY_CONFIG (request service settings)
0 Comments
Leave a Reply. |