Service Restart Delegation for AD Group

%3CLINGO-SUB%20id%3D%22lingo-sub-1571653%22%20slang%3D%22en-US%22%3EService%20Restart%20Delegation%20for%20AD%20Group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571653%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENeed%20help%20in%20delegating%20a%20specific%20service%20restart%20right%20to%20an%20AD%20group.%3CBR%20%2F%3EI%20noticed%20this%20could%20be%20done%20through%20SubInacl.exe%20or%20SetACL.exe%20but%20these%20utilities%20are%20not%20available%20anymore.%20Any%20suggestion%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOS%3A%20Windows%20Server%202019%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1571653%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1572375%22%20slang%3D%22en-US%22%3ERe%3A%20Service%20Restart%20Delegation%20for%20AD%20Group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1572375%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20use%20group%20policies%20for%20this.%3C%2FP%3E%3CP%3ECreate%20a%20GPO%20and%20set%20the%20service%20permissions%20there%3A%3C%2FP%3E%3CP%3EComputer%20Configuration%20-%26gt%3B%20Policies%20-%26gt%3B%20Windows%20Settings%20-%26gt%3B%20Security%20Settings%20-%26gt%3B%20System%20Services%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20set%20the%20startup%20type%20and%20edit%20the%20ACL%20of%20any%20service%20there.%20Just%20add%20your%20AD%20Group%20to%20the%20list%20and%20allow%20service%20start%20and%20service%20stop.%20Now%20link%20the%20GPO%20to%20the%20workstations%20and%20server%20where%20you%20want%20the%20permissions%20to%20apply.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F358623%22%20target%3D%22_blank%22%3E%40TARUN_KV%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Senior Member

 

Need help in delegating a specific service restart right to an AD group.
I noticed this could be done through SubInacl.exe or SetACL.exe but these utilities are not available anymore. Any suggestion ?

 

Non-Windows Service on OS: Windows Server 2019.

1 Reply

You can use group policies for this.

Create a GPO and set the service permissions there:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services

 

You can set the startup type and edit the ACL of any service there. Just add your AD Group to the list and allow service start and service stop. Now link the GPO to the workstations and server where you want the permissions to apply.

@TARUN_KV