WARNING: Playing with services, especially system services, can break them. Ensure you have a backup; this machine was in a lab and had a snapshot backup. If you go rogue and amend system services without knowing what you are doing you will break your device, so please exercise caution!!!!
WARNING: Please remember that a Deny permission overrides an Allow permission, and if you set the wrong command on the wrong server you may end up breaking your operating system!!!!
Most people do not need to play with service ACLs, but it does have its advantages in certain scenarios; that is down to you as the sysadmin.
Get Service ACL/SID
Let's use the "Spooler" service, with its service name "spooler", and assign the start and stop permissions to a user or group. It's the same procedure for all other services.
The easiest way to get a visual is to use Process Explorer, which you can download from the link here, or if you have Windows 10 or above you can run it straight from this UNC path:
\\live.sysinternals.com\tools
Here in Process Explorer we can see that process:
If you right-click, choose Properties and then select the "Services" tab, you will get this:
Magic, but let's get to the "sc" option from the CLI, which is how I like to do this. To get this from the CLI you need to run:
sc sdshow spooler
You will get something like this:
C:\WINDOWS\system32>sc sdshow spooler
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Therefore, for this service, you need to know the following to decipher that string:
S: — System Access Control List (SACL)
D: — Discretionary ACL (DACL)
The first letter inside each pair of parentheses is the ACE type: allow (A) or deny (D).
Then you get the assignable permissions:
CC — SERVICE_QUERY_CONFIG (request service settings)
LC — SERVICE_QUERY_STATUS (service status polling)
SW — SERVICE_ENUMERATE_DEPENDENTS
LO — SERVICE_INTERROGATE
CR — SERVICE_USER_DEFINED_CONTROL
RC — READ_CONTROL
RP — SERVICE_START
WP — SERVICE_STOP
DT — SERVICE_PAUSE_CONTINUE
Then the last field (two letters, or a full SID) is the trustee (user, group or SID) that is granted the permissions. There is a list of predefined two-letter aliases:
AO Account operators
RU Alias to allow previous Windows 2000
AN Anonymous logon
AU Authenticated users
BA Built-in administrators
BG Built-in guests
BO Backup operators
BU Built-in users
CA Certificate server administrators
CG Creator group
CO Creator owner
DA Domain administrators
DC Domain computers
DD Domain controllers
DG Domain guests
DU Domain users
EA Enterprise administrators
ED Enterprise domain controllers
WD Everyone
PA Group Policy administrators
IU Interactively logged-on user
LA Local administrator
LG Local guest
LS Local service account
SY Local system
NU Network logon user
NO Network configuration operators
NS Network service account
PO Printer operators
PS Personal self
PU Power users
RS RAS servers group
RD Terminal server users
RE Replicator
RC Restricted code
SA Schema administrators
SO Server operators
SU Service logon user
Now you have this, you can see what the "sc" output tells you. For the first permission:
D:(A;;CCLCSWLOCRRC;;;AU)
That tells us it is a discretionary ACL entry with an allow ACE granting 6 permissions (CC, LC, SW, LO, CR and RC) to AU, Authenticated Users.
Assign Domain Users/Groups
If you wish to assign a permission on this service to a domain user or domain group you will need their SID, so use this command:
Get-ADUser -Identity '<userid>' | select Name,SID
That will return the SID of the user or group in the domain, which you can use to build the syntax. Once you have the SID you can form the ACE section, shown as the second entry below: a discretionary allow ACE with 5 permissions for the SID listed (X's added for security), the "RC" permission being "Read only" (READ_CONTROL):
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLORC;;;S-1-5-21-xxxxxxxxx-xxxxxxxx-1115xxxxxx8-12xx3)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
That means that user now has read-only access to the service, which includes starting it without being an administrator to complete that function.
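To check what an sc sdshow string, or the custom string above, actually grants before you sdset it, here is a small decoder built from the permission and alias tables above (an added Python example, not part of the original post or of any Microsoft tool; the ACE type and trustee tables in it are partial). Decoding the second ACE of the custom string, CCLCSWLORC, shows it carries no RP (SERVICE_START), so RP must be added to that ACE if the user is meant to start the service; effective_rights applies the deny-overrides-allow rule from the warning at the top.

```python
import re

# Two-letter SDDL access-right codes found in a service security descriptor.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {  # subset of the alias table above; anything else is kept as the raw SID
    "AU": "Authenticated Users", "BA": "Built-in Administrators", "SY": "Local System",
    "WD": "Everyone", "IU": "Interactive Users"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}  # A/D live in the DACL, AU in the SACL

# The 'sc sdshow spooler' output quoted above.
SPOOLER_SDDL = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def decode_rights(codes):
    """Split a concatenated rights string such as 'CCLCSWLOCRRC' into named rights."""
    if len(codes) % 2:
        raise ValueError(f"odd-length rights string: {codes!r}")
    return [RIGHTS.get(codes[i:i + 2], codes[i:i + 2]) for i in range(0, len(codes), 2)]

def parse_ace(ace):
    """Decode one '(type;flags;rights;object_guid;inherit_guid;trustee)' entry."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, flags, rights, _obj, _inherit, trustee = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": decode_rights(rights), "trustee": TRUSTEES.get(trustee, trustee)}

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} (plus 'O'/'G' when present) from an sc sdshow string."""
    sections = {}
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl.strip())):
        sections[part[0]] = [parse_ace(a) for a in re.findall(r"\([^)]*\)", part[2:])]
    return sections

def effective_rights(sddl, trustee):
    """Allowed minus denied DACL rights for one trustee: deny wins, groups are not expanded."""
    allowed, denied = set(), set()
    target = TRUSTEES.get(trustee, trustee)
    for ace in parse_sddl(sddl).get("D", []):
        if ace["trustee"] == target and ace["type"] in ("ALLOW", "DENY"):
            (allowed if ace["type"] == "ALLOW" else denied).update(ace["rights"])
    return sorted(allowed - denied)
```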
Assign Domain Users/Groups using CLI from MMC
If you wish to stick with SC but do not want to work the string out by hand, as it can be complex, then add the Security Templates snap-in to the MMC:
Then choose New Template from the list:
Then once there open "System Services", choose "Print Spooler" and then "Edit Security" as below:
Then once you have the permissions correct, save the template file and navigate to the directory it was created in, which by default is:
C:\Users\<userid>\Documents\Security\Templates
Once here open the INF file and you will notice that the ACL is set right there in the configuration file; pass that string to sc sdset:
sc sdset Spooler <SDDL string from the INF file, include the first " and the last ">
There you are, done: you have set custom permissions for a service.