10

We have a PowerShell script that restarts a service on another computer. When we use PowerShell's built-in service control cmdlets, like so:

    $svc = Get-Service -Name MyService -ComputerName myservicehostname
    Stop-Service -InputObject $svc
    Start-Service -InputObject $svc

We get this error back:

    Stop-Service : Cannot open MyService service on computer 'myservicehostname'.

However, when we use sc.exe, like so:

    C:\Windows\System32\sc \\myservicehostname stop MyService
    C:\Windows\System32\sc \\myservicehostname start MyService

the start and stop succeed.

The user doing the restarting is not an administrator. We use subinacl to grant the user permissions to start/stop and query the service:

    subinacl.exe /service MyService /GRANT=MyServiceControlUser=STO

How come PowerShell can't stop my service but sc.exe can?

splattered bits

2 Answers

20

It turns out I wasn't giving enough permissions with subinacl. The possible access values for the grant action are:

    F : Full Control  
    R : Generic Read  
    W : Generic Write  
    X : Generic eXecute  
  or any following values  
    L : Read controL  
    Q : Query Service Configuration  
    S : Query Service Status  
    E : Enumerate Dependent Services  
    C : Service Change Configuration  
    T : Start Service  
    O : Stop Service  
    P : Pause/Continue Service  
    I : Interrogate Service  
    U : Service User-Defined Control Commands  

I was using S (Query Service Status), T (Start Service), and O (Stop Service). I also needed E (Enumerate Dependent Services). It appears that the PowerShell cmdlets need to look at dependent services when starting/stopping.

Here's my updated subinacl command:

    subinacl.exe /service MyService /GRANT=MyServiceControlUser=STOE

If you don't want to download/use subinacl.exe, you can use PowerShell via the Carbon module's Grant-ServiceControlPermission or Grant-ServicePermission functions. (DISCLAIMER: I am the owner/maintainer of the Carbon project.)

splattered bits
  • Please mark this as your correct answer. This was a huge help for me for the exact same issue :) – Alain O'Dea Oct 02 '12 at 13:10
  • I've never heard of `subinacl` before. What a useful utility! Thank you for coming back to leave this information for the rest of us. – Dan Aug 17 '15 at 18:34
  • Works great in non-domain environment with Windows 2016 servers to control services on remote computers. – Doug Knudsen May 03 '18 at 18:06
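
An added example (not code from the answer above or from the Carbon project): it reads a service security descriptor in SDDL form and reports which subinacl access letters an account is granted, so a missing E shows up before the cmdlets fail. It uses the standard SDDL rights codes for services; the SDDL string and SID are constructed samples, and on a real host the descriptor comes from `sc.exe sdshow MyService`.

```powershell
# subinacl access letter -> SDDL service rights code
$SubinaclToSddl = [ordered]@{
    L = 'RC'  # Read control
    Q = 'CC'  # Query service configuration
    S = 'LC'  # Query service status
    E = 'SW'  # Enumerate dependent services
    C = 'DC'  # Service change configuration
    T = 'RP'  # Start service
    O = 'WP'  # Stop service
    P = 'DT'  # Pause/continue service
    I = 'LO'  # Interrogate service
    U = 'CR'  # Service user-defined control commands
}

function Get-ServiceAccessLetters {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid
    )
    $granted = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($ace in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object;inherit-object;trustee
        $f = $ace.Groups[1].Value -split ';'
        # Only allow ACEs ('A') for the requested trustee are counted.
        # Deny ACEs, audit ACEs and hex-encoded rights masks are not evaluated.
        if ($f.Count -lt 6 -or $f[0] -ne 'A' -or $f[5] -ne $Sid) { continue }
        foreach ($m in [regex]::Matches($f[2], '[A-Z]{2}')) { [void]$granted.Add($m.Value) }
    }
    $SubinaclToSddl.Keys | Where-Object { $granted.Contains($SubinaclToSddl[$_]) }
}

# Constructed sample: the service account SID (made up) has only S, T and O.
$sampleSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
              '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              "(A;;LCRPWP;;;$sampleSid)" +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Letters the answer above found necessary for Stop-Service / Start-Service.
$required = 'S', 'T', 'O', 'E'
$letters  = @(Get-ServiceAccessLetters -Sddl $sampleSddl -Sid $sampleSid)
$missing  = @($required | Where-Object { $_ -notin $letters })
"Granted: $($letters -join '')  Missing: $($missing -join '')"
```
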
0

The following command works as expected on my Windows Server 2008 R2 machine.

    Start-Service -InputObject $(Get-Service -Computer [ComputerName] -Name spooler)

Can you also try this one-off command to determine if that works, and have you verified that the user is a member of a group that is a member of the Users group on the target servers?

Greg Askew
  • Your snippet doesn't work for me. Due to security requirements, I can't make the user a member of the Users group (or any built-in Windows group). – splattered bits Feb 07 '12 at 19:16