It is very common requirement that most system administrators will get. They will be requested for allowing some domain user to restart specific service on specific server. In this case most Administrators, either adds the domain user to power users groups or local administrators group. While this works, it is not a efficient solution as it allow the domain user to perform more actions in the computer than what he wants. Sometimes, it might result in server down if he does something unknowingly.
One solution in such situations is, granting the permissions exclusively at service level. This allows the user to just start or stop the service but nothing else.
C:>setacl.exe -on spooler -ot srv -actn ace -ace “n:domainuser1;p:start_stop”
Processing ACL of: <spooler>SetACL finished successfully.
C:>
In above example, I am trying to give start_stop permissions to spooler (print spooler) service on computer where I am running this command.
To list the permissions of a given service, try the below command
C:>setacl.exe -on spooler -ot srv -actn list
Above steps are for doing for single computer. If you want to do it on multiple computer, then using the Group Policies is the best option. Group policies has built-in option to define service level permissions. Let me know if you need any help in doing that.
To know more option of SETACL.exe, look at the below help.
SetACL by Helge Klein
Homepage: http://setacl.sourceforge.net
Version: 2.0.1.0
Copyright: Helge Klein
License: GPL
-O-P-T-I-O-N-S——————————————————–
-on ObjectName
-ot ObjectType
-actn Action
-ace “n:Trustee;p:Permission;s:IsSID;i:Inheritance;m:Mode;w:Where”
-trst “n1:Trustee;n2:Trustee;s1:IsSID;s2:IsSID;ta:TrusteeAction;w:Where”
-dom “n1:Domain;n2:Domain;da:DomainAction;w:Where”
-ownr “n:Trustee;s:IsSID”
-grp “n:Trustee;s:IsSID”
-rec Recursion
-op “dacl:Protection;sacl:Protection”
-rst Where
-lst “f:Format;w:What;i:ListInherited;s:DisplaySID”
-bckp Filename
-log Filename
-fltr Keyword
-clr Where
-silent
-P-A-R-A-M-E-T-E-R-S————————————————-
ObjectName: Name of the object to process (e.g. ‘c:mydir’)
ObjectType: Type of object:
file: Directory/file
reg: Registry key
srv: Service
prn: Printer
shr: Network share
Action: Action(s) to perform:
ace: Process ACEs specified by parameter(s) ‘-ace’
trustee: Process trustee(s) specified by parameter(s)
‘-trst’.
domain: Process domain(s) specified by parameter(s)
‘-dom’.
list: List permissions. A backup file can be
specified by parameter ‘-bckp’. Controlled by
parameter ‘-lst’.
restore: Restore entire security descriptors backed up
using the list function. A file containing the
backup has to be specified using the parameter
‘-bckp’. The listing has to be in SDDL format.
setowner: Set the owner to trustee specified by parameter
‘-ownr’.
setgroup: Set the primary group to trustee specified by
parameter ‘-grp’.
clear: Clear the ACL of any non-inherited ACEs. The
parameter ‘-clr’ controls whether to do this for
the DACL, the SACL, or both.
setprot: Set the flag ‘allow inheritable permissions from
the parent object to propagate to this object’ to
the value specified by parameter ‘-op’.
rstchldrn: Reset permissions on all sub-objects and enable
propagation of inherited permissions. The
parameter ‘-rst’ controls whether to do this for
the DACL, the SACL, or both.
TrusteeAction: Action to perform on trustee specified:
remtrst: Remove all ACEs belonging to trustee specified.
repltrst: Replace trustee ‘n1’ by ‘n2’ in all ACEs.
cpytrst: Copy the permissions for trustee ‘n1’ to ‘n2’.
DomainAction: Action to perform on domain specified:
remdom: Remove all ACEs belonging to trustees of domain
specified.
repldom: Replace trustees from domain ‘n1’ by trustees with
same name from domain ‘n2’ in all ACEs.
cpydom: Copy permissions from trustees from domain ‘n1’ to
trustees with same name from domain ‘n2’ in all
ACEs.
Trustee: Name or SID of trustee (user or group). Format:
a) [(computer | domain)]name
Where:
computer: DNS or NetBIOS name of a computer -> ‘name’ must
be a local account on that computer.
domain: DNS or NetBIOS name of a domain -> ‘name’ must
be a domain user or group.
name: user or group name
If no computer or domain name is given, SetACL tries to find
a SID for ‘name’ in the following order:
1. built-in accounts and well-known SIDs
2. local accounts
3. primary domain
4. trusted domains
b) SID string
Domain: Name of a domain (NetBIOS or DNS name).
Permission: Permission to set. Validity of permissions depends on the
object type (see below). Comma separated list.
Example: ‘read,write_ea,write_dacl’
IsSID: Is the trustee name a SID?
y: Yes
n: No
DisplaySID: Display trustee names as SIDs?
y: Yes
n: No
b: Both (names and SIDs)
Inheritance: Inheritance flags for the ACE. This may be a comma separated
list containing the following:
so: sub-objects
sc: sub-containers
np: no propagation
io: inherit only
Example: ‘io,so’
Mode: Access mode of this ACE:
a) DACL:
set: Replace all permissions for given trustee by
those specified.
grant: Add permissions specified to existing permissions
for given trustee.
deny: Deny permissions specified.
revoke: Remove permissions specified from existing
permissions for given trustee.
b) SACL:
aud_succ: Add an audit success ACE.
aud_fail: Add an audit failure ACE.
revoke: Remove permissions specified from existing
permissions for given trustee.
Where: Apply settings to DACL, SACL, or both (comma separated list):
dacl
sacl
dacl,sacl
Recursion: Recursion settings, depends on object type:
a) file:
no: No recursion.
cont: Recurse, and process directories only.
obj: Recurse, and process files only.
cont_obj: Recurse, and process directories and files.
b) reg:
no: Do not recurse.
yes: Do Recurse.
Protection: Controls the flag ‘allow inheritable permissions from the
parent object to propagate to this object’:
nc: Do not change the current setting.
np: Object is not protected, i.e. inherits from
parent.
p_c: Object is protected, ACEs from parent are
copied.
p_nc: Object is protected, ACEs from parent are not
copied.
Format: Which list format to use:
sddl: Standardized SDDL format. Only listings in this
format can be restored.
csv: SetACL’s csv format.
tab: SetACL’s tabular format.
What: Which components of security descriptors to include in the
listing. (comma separated list):
d: DACL
s: SACL
o: Owner
g: Primary group
Example: ‘d,s’
ListInherited: List inherited permissions?
y: Yes
n: No
Filename: Name of a (unicode) file used for list/backup/restore
operations or logging.
Keyword: Keyword to filter object names by. Names containing this
keyword are not processed.
-R-E-M-A-R-K-S——————————————————–
Required parameters (all others are optional):
-on (Object name)
-ot (Object type)
Parameters that may be specified more than once:
-actn (Action)
-ace (Access control entry)
-trst (Trustee)
-dom (Domain)
-fltr (Filter keyword)
Only actions specified by parameter(s) ‘-actn’ are actually performed,
regardless of the other options set.
Order in which multiple actions are processed:
1. restore
2. clear
3. trustee
4. domain
5. ace, setowner, setgroup, setprot
6. rstchldrn
7. list
-V-A-L-I-D–P-E-R-M-I-S-S-I-O-N-S————————————-
a) Standard permission sets (combinations of specific permissions)
Files / Directories:
read: Read
write: Write
list_folder: List folder
read_ex: Read, execute
change: Change
profile: = change + write_dacl
full: Full access
Printers:
print: Print
man_printer: Manage printer
man_docs: Manage documents
full: Full access
Registry:
read: Read
full: Full access
Service:
read: Read
start_stop: Start / Stop
full: Full access
Share:
read: Read
change: Change
full: Full access
b) Specific permissions
Files / Directories:
traverse: Traverse folder / execute file
list_dir: List folder / read data
read_attr: Read attributes
read_ea: Read extended attributes
add_file: Create files / write data
add_subdir: Create folders / append data
write_attr: Write attributes
write_ea: Write extended attributes
del_child: Delete subfolders and files
delete: Delete
read_dacl: Read permissions
write_dacl: Write permissions
write_owner: Take ownership
Registry:
query_val: Query value
set_val: Set value
create_subkey: Create subkeys
enum_subkeys: Enumerate subkeys
notify: Notify
create_link: Create link
delete: Delete
write_dacl: Write permissions
write_owner: Take ownership
read_access: Read control