Question: How do I grant access for a user to remotely Start/Stop a service?
Answer: First the User/Group in question must have remote read permission to the scmanager (Computer Manager or sc commamd line)
Get the scmanager SDDL:
sc sdshow scmanager
Original SDDL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Copy the Interactive User ACE (A;;CCLCRPRC;;;IU) and change the IU to the SID of the User/Group you wish to grant access and paste the new ACE before the S:
New SDDL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Now set the new SDDL on the scmanager service:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;B
A)(A;;CCLCRPRC;;;S-1-5-3-3127463467463)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Your user now has remote access to the scmanager. Now we must grant access to start and stop a service (Alerter in this example)
Get the Alerter SDDL:
sc sdshow Alerter
Alerter Original SDDL:
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Now copy the Authenticated Users ACE (A;;CCLCSWLOCRRC;;;AU) add "WP" following the RC in the ACE and change the AU to the SID of your user and paste your new ACE prior to S: in the SDDL:
New Alerter SDDL:
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;
;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;S-1-5-3-3127463467463)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Last of all, set your new SDDL on the Alerter Service:
sc sdset Alerter D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;
;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRCWPRP;;;domain\usergroup)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
For more information on SDDL Syntax
All example SDDLs are default on Windows 2003 SP1