Monday, October 30, 2006

Set Permissions on Windows Services

I have many application servers, and there are many application administrators. I'm responsible for the operating system and the hardware, but there have been several problems because the application administrators want to be able to stop and start some services, like the SQL Server service or the MSSQL Agent service. Of course, I won't give them administrator rights or Server Operators rights, because they don't need them.

My way to resolve this issue is to give permissions only on specified services and only to specified people. An excellent tool called SetACL is able to set this kind of permission. Another plus is that you can do it remotely or in a batch file. After I downloaded the tool and saved it to a temporary location, I typed setacl -help to display the help.

I did the following to set permissions on a server named server1 for the service MSSQLSERVER.

c:\tmp>setacl -on "\\server1\SQLSERVERAGENT" -ot srv -actn ace -ace "n:domain\group1;p:start_stop"

-on ObjectName: the name of the object to change, which here also specifies the server on which the change will be made.

-ot ObjectType: the type of object (files, registry keys, network shares, printers, services, Active Directory objects and processes).

-actn Action: the type of action (ace, trustee, domain, list, restore, setowner, setgroup, clear... and many more).

-ace Access control entry: the trustee (n:) and the permission (p:). For services, the permissions are read, start_stop or full.

Many excellent examples are available on the Examples page.
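
To confirm that a delegation like the one above grants only what was intended, the service's security descriptor can be read back in SDDL form (for example with `sc \\server1 sdshow SQLSERVERAGENT`) and checked. The Python below is an added example, not code from the original post or from the SetACL project; the SID, the sample SDDL strings and the ALLOWED policy are constructed assumptions.

```python
import re

# SDDL right codes as they apply to Windows services.
SERVICE_RIGHTS = {
    "CC": "query_config", "LC": "query_status", "SW": "enumerate_dependents",
    "LO": "interrogate", "RC": "read_control", "RP": "start", "WP": "stop",
    "DT": "pause_continue", "CR": "user_defined_control",
    "DC": "change_config", "SD": "delete", "WD": "write_dac",
    "WO": "write_owner", "GA": "generic_all", "GW": "generic_write",
}
# Assumed policy: a start/stop delegation may hold read rights, start and stop.
ALLOWED = {"CC", "LC", "SW", "LO", "RC", "RP", "WP"}

def dacl_aces(sddl):
    """Yield (ace_type, rights, trustee) for every ACE in the D: section."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    for body in (re.findall(r"\(([^()]*)\)", m.group(1)) if m else []):
        fields = body.split(";")
        if len(fields) == 6:
            yield fields[0], fields[2], fields[5]

def excess_rights(sddl, trustee_sid):
    """Names of rights granted to trustee_sid beyond the ALLOWED policy."""
    extra = set()
    for ace_type, rights, trustee in dacl_aces(sddl):
        if ace_type != "A" or trustee != trustee_sid:
            continue
        # A hex access mask is reported whole so it gets reviewed by hand.
        tokens = [rights] if rights.startswith("0x") else re.findall("..", rights)
        extra.update(t for t in tokens if t not in ALLOWED)
    return sorted(SERVICE_RIGHTS.get(t, t) for t in extra)

# Constructed sample data: placeholder SID for domain\group1 and two DACLs.
GROUP1 = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
AUDIT = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
NARROW = BASE + "(A;;LCRPWP;;;" + GROUP1 + ")" + AUDIT
BROAD = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + GROUP1 + ")" + AUDIT

if __name__ == "__main__":
    for name, sddl in (("narrow", NARROW), ("broad", BROAD)):
        print(name, excess_rights(sddl, GROUP1) or "start/stop only")
```

An empty result means the group's ACE stays within start, stop and read; any listed right, such as change_config or write_dac, is more than a start/stop delegation needs.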


Don't forget to test this tool first (all tools, really) on a test server...


REGARDS
