Thursday, April 9, 2009

Remote Services / Permissions (SC and Subinacl)

So with our new solution for pushing updates to a new software package I discovered that I needed to disable, stop, and change permissions on remote computers (and local for devices in my office).

Here's a handy tool that I've used for viewing remote processes:
sc [machine name] query [service name]

To stop the remote service:
sc [machine name] stop [service name] (use start to "start")

To change service to manual startup:
sc [machine name] config [service name] start= demand (for disabled replace with "disabled")

Of course ommiting the [machine name] makes the command apply to the local machine

Then comes the fact that I needed to change permissions so that the users could start / stop the service as needed without making them administrators. For this I used a tool called Subinacl which can be downloaded from MS. First off note that you do have to move this to the machine in question. This actually took me longer to realize than changing the permissions since by default I install the Admin tools on my machine when built. Having not realized that the tool comes with this installation and not by default (duh) I puttered with why the command wasn't working on the remote machine for a good 30 minutes. So, make sure you pull the tool to the remote machine if it doesn't already have it.

Change permissions:
SUBINACL /SERVICE file://machinename/ServiceName /GRANT=[DomainName\]UserName[=Access]
for local station with local account (or group)

T = Start Service
O = Stop Service
R = Generic Read (may be needed depending on situation)

Note: you can also do it through Group Policy and Security Templates. I recommend checking those methods as well to see what will work best for your scenario.

1 comment:

  1. Hi Denny,
    I do see the review at

    I'll take a look at your tool :)