≡ Menu

Allow normal users to start stop specific service(s)

It is very common requirement that most system administrators will get. They will be requested for allowing some domain user to restart specific service on specific server. In this case most Administrators, either adds the domain user to power users groups or local administrators group. While this works, it is not a efficient solution as it allow the domain user to perform more actions in the computer than what he wants. Sometimes, it might result in server down if he does something unknowingly.

One solution in such  situations is, granting the permissions exclusively at service level. This allows the user to just start or stop the service but nothing else.

C:>setacl.exe -on spooler -ot srv -actn ace -ace “n:domainuser1;p:start_stop”
Processing ACL of: <spooler>

SetACL finished successfully.


In above example, I am trying to give start_stop permissions to spooler (print spooler) service on computer where I am running this command. 

To list the permissions of a given service, try the below command 

C:>setacl.exe -on spooler -ot srv -actn list


Above steps are for doing for single computer. If you want to do it on multiple computer, then  using the Group Policies is the best option. Group policies has built-in option to define service level permissions. Let me know if you need any help in doing that.

To know more option of SETACL.exe, look at the below help.

SetACL by Helge Klein

Homepage:        http://setacl.sourceforge.net


Copyright:       Helge Klein

License:         GPL


-on    ObjectName

-ot    ObjectType

-actn  Action

-ace   “n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where”

-trst  “n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where”

-dom   “n1:Domain;n2:Domain;da:DomainAction;w:Where”

-ownr  “n:Trustee;s:IsSID”

-grp   “n:Trustee;s:IsSID”

-rec   Recursion

-op    “dacl:Protection;sacl:Protection”

-rst   Where

-lst   “f:Format;w:What;i:ListInherited;s:DisplaySID”

-bckp  Filename

-log   Filename

-fltr  Keyword

-clr   Where



ObjectName:      Name of the object to process (e.g. ‘c:mydir’)

ObjectType:      Type of object:

                 file:       Directory/file

                 reg:        Registry key

                 srv:        Service

                 prn:        Printer

                 shr:        Network share

Action:          Action(s) to perform:

                 ace:        Process ACEs specified by parameter(s) ‘-ace’

                 trustee:    Process trustee(s) specified by parameter(s)


                 domain:     Process domain(s) specified by parameter(s)


                 list:       List permissions. A backup file can be

                             specified by parameter ‘-bckp’. Controlled by

                             parameter ‘-lst’.

                 restore:    Restore entire security descriptors backed up

                             using the list function. A file containing the

                             backup has to be specified using the parameter

                             ‘-bckp’. The listing has to be in SDDL format.

                 setowner:   Set the owner to trustee specified by parameter


                 setgroup:   Set the primary group to trustee specified by

                             parameter ‘-grp’.

                 clear:      Clear the ACL of any non-inherited ACEs. The

                             parameter ‘-clr’ controls whether to do this for

                             the DACL, the SACL, or both.

                 setprot:    Set the flag ‘allow inheritable permissions from

                             the parent object to propagate to this object’ to

                             the value specified by parameter ‘-op’.

                 rstchldrn:  Reset permissions on all sub-objects and enable

                             propagation of inherited permissions. The

                             parameter ‘-rst’ controls whether to do this for

                             the DACL, the SACL, or both.

TrusteeAction:   Action to perform on trustee specified:

                 remtrst:    Remove all ACEs belonging to trustee specified.

                 repltrst:   Replace trustee ‘n1’ by ‘n2’ in all ACEs.

                 cpytrst:    Copy the permissions for trustee ‘n1’ to ‘n2’.

DomainAction:    Action to perform on domain specified:

                 remdom:     Remove all ACEs belonging to trustees of domain


                 repldom:    Replace trustees from domain ‘n1’ by trustees with

                             same name from domain ‘n2’ in all ACEs.

                 cpydom:     Copy permissions from trustees from domain ‘n1’ to

                             trustees with same name from domain ‘n2’ in all


Trustee:         Name or SID of trustee (user or group). Format:

                 a) [(computer | domain)]name


                 computer:   DNS or NetBIOS name of a computer -> ‘name’ must

                             be a local account on that computer.

                 domain:     DNS or NetBIOS name of a domain -> ‘name’ must

                             be a domain user or group.

                 name:       user or group name

                 If no computer or domain name is given, SetACL tries to find

                 a SID for ‘name’ in the following order:

                 1. built-in accounts and well-known SIDs

                 2. local accounts

                 3. primary domain

                 4. trusted domains

                 b) SID string

Domain:          Name of a domain (NetBIOS or DNS name).

Permission:      Permission to set. Validity of permissions depends on the

                 object type (see below). Comma separated list.

                 Example:    ‘read,write_ea,write_dacl’

IsSID:           Is the trustee name a SID?

                 y:          Yes

                 n:          No

DisplaySID:      Display trustee names as SIDs?

                 y:          Yes

                 n:          No

                 b:          Both (names and SIDs)

Inheritance:     Inheritance flags for the ACE. This may be a comma separated

                 list containing the following:

                 so:         sub-objects

                 sc:         sub-containers

                 np:         no propagation

                 io:         inherit only

                 Example:    ‘io,so’

Mode:            Access mode of this ACE:

                 a) DACL:

                 set:        Replace all permissions for given trustee by

                             those specified.

                 grant:      Add permissions specified to existing permissions

                             for given trustee.

                 deny:       Deny permissions specified.

                 revoke:     Remove permissions specified from existing

                             permissions for given trustee.

                 b) SACL:

                 aud_succ:   Add an audit success ACE.

                 aud_fail:   Add an audit failure ACE.

                 revoke:     Remove permissions specified from existing

                             permissions for given trustee.

Where:           Apply settings to DACL, SACL, or both (comma separated list):




Recursion:       Recursion settings, depends on object type:

                 a) file:

                 no:         No recursion.

                 cont:       Recurse, and process directories only.

                 obj:        Recurse, and process files only.

                 cont_obj:   Recurse, and process directories and files.

                 b) reg:

                 no:         Do not recurse.

                 yes:        Do Recurse.

Protection:      Controls the flag ‘allow inheritable permissions from the

                 parent object to propagate to this object’:

                 nc:         Do not change the current setting.

                 np:         Object is not protected, i.e. inherits from


                 p_c:        Object is protected, ACEs from parent are


                 p_nc:       Object is protected, ACEs from parent are not


Format:          Which list format to use:

                 sddl:       Standardized SDDL format. Only listings in this

                             format can be restored.

                 csv:        SetACL’s csv format.

                 tab:        SetACL’s tabular format.

What:            Which components of security descriptors to include in the

                 listing. (comma separated list):

                 d:          DACL

                 s:          SACL

                 o:          Owner

                 g:          Primary group

                 Example:    ‘d,s’

ListInherited:   List inherited permissions?

                 y:          Yes

                 n:          No

Filename:        Name of a (unicode) file used for list/backup/restore

                 operations or logging.

Keyword:         Keyword to filter object names by. Names containing this

                 keyword are not processed.


Required parameters (all others are optional):

                 -on         (Object name)

                 -ot         (Object type)

Parameters that may be specified more than once:

                 -actn       (Action)

                 -ace        (Access control entry)

                 -trst       (Trustee)

                 -dom        (Domain)

                 -fltr       (Filter keyword)

Only actions specified by parameter(s) ‘-actn’ are actually performed,

regardless of the other options set.

Order in which multiple actions are processed:

                 1.          restore

                 2.          clear

                 3.          trustee

                 4.          domain

                 5.          ace, setowner, setgroup, setprot

                 6.          rstchldrn

                 7.          list


a) Standard permission sets (combinations of specific permissions)

Files / Directories:

              read:          Read

              write:         Write

              list_folder:   List folder

              read_ex:       Read, execute

              change:        Change

              profile:       = change + write_dacl

              full:          Full access


              print:         Print

              man_printer:   Manage printer

              man_docs:      Manage documents

              full:          Full access


              read:          Read

              full:          Full access


              read:          Read

              start_stop:    Start / Stop

              full:          Full access


              read:          Read

              change:        Change

              full:          Full access

b) Specific permissions

Files / Directories:

              traverse:      Traverse folder / execute file

              list_dir:      List folder / read data

              read_attr:     Read attributes

              read_ea:       Read extended attributes

              add_file:      Create files / write data

              add_subdir:    Create folders / append data

              write_attr:    Write attributes

              write_ea:      Write extended attributes

              del_child:     Delete subfolders and files

              delete:        Delete

              read_dacl:     Read permissions

              write_dacl:    Write permissions

              write_owner:   Take ownership


              query_val:     Query value

              set_val:       Set value

              create_subkey: Create subkeys

              enum_subkeys:  Enumerate subkeys

              notify:        Notify

              create_link:   Create link

              delete:        Delete

              write_dacl:    Write permissions

              write_owner:   Take ownership

              read_access:   Read control

{ 6 comments… add one }

Leave a Comment