In my example I have a service that needs administrative permissions to start, restart and stop, and I need to be able to do this as a normal user, without elevating myself. Is there any way to do this?
Sure, you say, why don’t you use the “Computer Configuration\Policies\Windows Settings\Security Settings\System Services” Group Policy setting for that? Well, in my case I just can’t, so what do I do?
First we will use the command SC.exe with the parameters SDSHOW and SDSET, and we also need some knowledge of SDDL.
SC is a command line program used for communicating with the Service Control Manager and services. The parameter SDSHOW displays the security descriptor of a service, and SDSET sets a new one.
We will use the service BITS, Background Intelligent Transfer Service, as an example. As you understand, you should not change these permissions in any production environment; this is only used for educational purposes.
First, to demonstrate the error message that occurs:
Now run the command SC.exe SDSHOW bits to get the current security descriptor.
This looks like a foreign language to most people. What is it? It is SDDL, the Security Descriptor Definition Language, which, simply put, describes what permissions a certain user, group or system will have. It is explained on MSDN: http://msdn.microsoft.com/en-us/library/aa379567(v=vs.85).aspx
Let’s try to break this down a bit. The format of each ACE (access control entry) in the SDDL string is described like this:
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute))
So if we look at the first ACE, (A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY):
The first field is the ACE type
- A means SDDL_ACCESS_ALLOWED
The next two letters are the ACE flags
- CI means SDDL_CONTAINER_INHERIT
CCDCLCSWRPWPDTLOCRSDRCWDWO indicates the specific rights that will be delegated; it is read two letters at a time and needs to be broken down a little bit more:
- CC = SDDL_CREATE_CHILD
- DC = SDDL_DELETE_CHILD
- LC = SDDL_LIST_CHILDREN
Etcetera; look at the rights table on this page for the full list and explanations: http://msdn.microsoft.com/en-us/library/aa374928(v=vs.85).aspx
The last field, SY, is a SID string that means SDDL_LOCAL_SYSTEM; the corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
This wasn’t that hard, right? So let’s find out how to build this string for our case. We need permissions somewhere between what an interactive user (IU) and the built-in administrators (BA) have:
Built in Administrators = (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
Interactive Users = (A;;CCLCSWLOCRRC;;;IU)
That gives me something like (A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU), where BU stands for Built-in Users.
We will add this string to the original string, before the S: at the end. This means:
To this string D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;SAFA;WDWO;;;BA) add (A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)
which equals this command to set the permission:
SC.exe SDSET bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)S:(AU;SAFA;WDWO;;;BA)
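To make the breakdown above and the construction of the SDSET string concrete, here is an added Python example (not code from the original post). It parses the SDSHOW output shown above, decodes each ACE using the meaning the Service Control Manager gives the two-letter codes on a service object (CC = SERVICE_QUERY_CONFIG, DC = SERVICE_CHANGE_CONFIG, RP = SERVICE_START, WP = SERVICE_STOP, and so on, with the access-mask bits from the Win32 service access rights), reassembles the SDSET string by inserting the new ACE in front of the S: section, and reports which rights in the proposed BU ACE go beyond starting and stopping the service. The START_STOP_RIGHTS set is my assumption of a minimal start/stop grant; the ORIGINAL and POST_ACE strings are copied from the post.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL right codes as the Service Control Manager interprets them on a
# service object. The generic SDDL names (SDDL_CREATE_CHILD, ...) map onto these
# service-specific and standard rights; value is (right name, access-mask bit).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
SID_ALIASES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
               "BU": "BUILTIN\\Users", "IU": "NT AUTHORITY\\INTERACTIVE",
               "SU": "NT AUTHORITY\\SERVICE", "AU": "NT AUTHORITY\\Authenticated Users"}

# Assumed minimal grant for "start/stop the service and watch its state":
# start, stop, query status, interrogate, read the security descriptor.
START_STOP_RIGHTS = ("RP", "WP", "LC", "LO", "RC")


@dataclass
class Ace:
    ace_type: str
    flags: tuple
    rights: tuple
    sid: str

    def mask(self) -> int:
        """Numeric access mask of the known rights in this ACE."""
        return sum(SERVICE_RIGHTS[r][1] for r in self.rights if r in SERVICE_RIGHTS)

    def describe(self) -> str:
        who = SID_ALIASES.get(self.sid, self.sid)
        names = ", ".join(SERVICE_RIGHTS.get(r, (r,))[0] for r in self.rights)
        flags = ",".join(ACE_FLAGS.get(f, f) for f in self.flags) or "-"
        return f"{ACE_TYPES.get(self.ace_type, self.ace_type)} [{flags}] {who}: {names}"


def _pairs(s: str) -> tuple:
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into its DACL ('D') and SACL ('S') ACE lists.
    Only the two-letter rights form is handled, not hex access masks."""
    result = {}
    for key, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        aces = []
        for ace_str in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _guid, _inherit_guid, sid = ace_str.split(";")[:6]
            aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), sid))
        result[key] = aces
    return result


def excess_rights(ace: Ace, needed=START_STOP_RIGHTS) -> list:
    """Rights in the ACE that a plain start/stop delegation does not require."""
    return [SERVICE_RIGHTS.get(r, (r,))[0] for r in ace.rights if r not in needed]


def build_allow_ace(sid: str, rights=START_STOP_RIGHTS) -> str:
    return f"(A;;{''.join(rights)};;;{sid})"


def add_to_dacl(sddl: str, ace_str: str) -> str:
    """Append an ACE to the DACL, keeping it in front of the S: (SACL) section."""
    i = sddl.find("S:")
    return sddl + ace_str if i < 0 else sddl[:i] + ace_str + sddl[i:]


# Copied from the SDSHOW output and the proposed ACE in the post above.
ORIGINAL = ("D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;SAFA;WDWO;;;BA)")
POST_ACE = "(A;;CCDCLCSWRPWPDTLOCRSDRC;;;BU)"

if __name__ == "__main__":
    new_sddl = add_to_dacl(ORIGINAL, POST_ACE)
    print("SC.exe SDSET bits", new_sddl)
    for section, aces in parse_sddl(new_sddl).items():
        for ace in aces:
            print(section, ace.describe())
    bu_ace = parse_sddl("D:" + POST_ACE)["D"][0]
    print("beyond start/stop:", excess_rights(bu_ace))
    print("minimal alternative:", build_allow_ace("BU"))
```

Running it prints the full SDSET command from the post and, for the BU entry, lists SERVICE_CHANGE_CONFIG and DELETE among the rights that go beyond starting and stopping; those two let the holder rewrite the service configuration or delete the service, so the excess_rights check is worth running before applying a hand-built ACE anywhere outside a lab. Note that SDSET replaces the whole descriptor, including the SACL, which is why the example keeps the existing S: section intact.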
Verify the settings:
And finally, try to start and stop the service with normal user permissions, and it works like a charm.
Thank you for this! Solved a big issue at my org.
Glad to hear that! Happy I could help.
I drink coffee https://ko-fi.com/Mattias ☕😊
Great article. If you would like to accomplish the same result, but without having to learn SDDL syntax or make potentially breaking changes to systems, and have even more control using a web interface, I would invite you to take a look at System Frontier.