Method 1: (applies to local users)
By default, users can't control system services they'll receive an "Error 5: Access is denied" error message. The following steps show how to use Group Policy to grant a user access to control the service (ex : print spooler service)1, Open the Group Policy Object (GPO) that contains the computers that need the users to be able to control services.
2, Navigate to the Computer Configuration, Windows Settings, Security Settings, System Services.
3, Double-click the service for which you want to delegate permissions (e.g., Print Spooler).
4, Select the "Define this policy setting" and click Edit Security.
5, Click Add and enter the user/group to be given permissions.
6, After you select the user/group, pick the permissions you want to give to group members (e.g., "Start, stop and pause") and click OK.
7, Ensure the services startup type is correct (e.g., Automatic) and click OK.
8, After the Group Policy has been applied to the target machines, the user/group given control will be able to perform the delegated actions.
Method 2: (applies to domain users)
To Start, Stop, and Pause a service, users need the Read and the Stop, Start, and Pause permissions. These permissions are exposed only through Group Policy. You can create organizational units (OUs) that contain the workstations that you want the policy applied to. To assign service permissions to the computers in an OU, perform these steps:
1, Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2, Right-click a Domain (example: Contoso.com) and press New, Organizational Unit.
3, Name the OU (example: Services) and press OK.
4, Open the Microsoft Management Console (MMC) Group Policy Management snap-in.
4, Right-click this Services OU and select Create a GPO in this domain, and Link it here.
5, Name the policy (example: Services) and press OK.
6- Right-click this Services GPO and select Edit.
7- Navigate to Computer Configuration\Windows Settings\Security Settings\System Services and Double-click or Right-click the service you want users to manage (example: DHCP Client).
6- Select the "Define this Policy Setting" check box, than select "Automatic". Now select "Edit Security". Select "Add" and add any user or groups you desire (example: Ed.Price@Contoso.com) and press "OK".
7- Grant the User "Ed.Price@Contoso.com" both "Read" and "Stop, Start, and Pause" permissions and press "OK".
8- Close the policy and press "OK".
9- Move the computer accounts (example: CLIENT1) for which you want to apply the policy into the Services OU.
Community Resources
How to Add Third-Party Services to the System Services in Group Policy
How To Configure Group Policies to Set Security for System Services
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
文章评论