3

I have a temporary consultant that is working on a project. He often needs to restart a service that is on another server and he asks me to restart it for him. This server is on a different domain from the working domain. I don't want to make him administrator of the server. Is there a way to give him the possibility to remotely restart the service without using credentials and without passing unprotected passwords, from his working computer? I found subinacl.exe that should let me change the permission of the service, but how can I connect to the remote computer? Psexec is not ok because it needs an explicit password.

Zoredache
maurice
  • I think [JEA](http://blogs.technet.com/b/privatecloud/archive/2014/05/14/just-enough-administration-step-by-step.aspx) is meant to provide that sort of functionality. – alx9r Nov 13 '15 at 15:58

1 Answer

0

You can do this through command line. Not sure if it will prompt for credentials, though. I guess it depends on the service you're wanting to stop and start.

`sc \\machine stop <service>` (to stop)

`sc \\machine start <service>` (to start)

Jonas Lear
  • It doesn't ask for credentials, but I have to run this command from a prompt running with a user with rights on the remote machine, otherwise I get "access denied". – maurice Nov 12 '15 at 16:00
  • Then the rights will have to be bumped up. I know you made a comment that you don't want him to be admin, but try making him a power user (but don't tell him). Power users have a few more rights than regular users do and this trick might work with that. – Jonas Lear Nov 12 '15 at 16:04
  • Tried with adding the user in "power users" remote group, I still get access denied. I'm thinking there could be no way to let a normal user do something that is usually permitted only to an administrator, or it would be a big security hole... what do you think? – maurice Nov 12 '15 at 16:12
  • 1
    Well, restarting services generally isn't a thing regular end users do, although some may have the ability to do that with some services. I know that if you make him local admin of that server, it will work. I unfortunately don't see any other way around this though. However, if he does not have RDP access to the server and you make him a local admin of it, there is only so much he will be able to do (unless he knows cmd line). – Jonas Lear Nov 12 '15 at 16:15
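
The question mentions changing the permissions on the service itself (subinacl.exe) so that a non-administrator can restart it. As an added example that is not part of the original posts, the same idea using the built-in `sc.exe sdshow` / `sc.exe sdset`, granting only start, stop and query-status on a single service. The service name and account are placeholders, and the script assumes it runs elevated on the server and that the account can already authenticate to that server.

```powershell
# Added example: delegate start/stop/query on ONE service to ONE non-admin account.
# Run in an elevated PowerShell session on the server that hosts the service.
# 'ExampleSvc' and 'SERVER01\consultant' are placeholder names (assumptions).
$ServiceName = 'ExampleSvc'
$Account     = 'SERVER01\consultant'

# Resolve the account to a SID; SDDL ACEs reference SIDs, not names.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor of the service (the line starting with "D:").
$sddl = & sc.exe sdshow $ServiceName |
        Where-Object { $_ -match '^\s*D:' } |
        Select-Object -First 1
if (-not $sddl) { throw "Could not read the SDDL for service '$ServiceName'" }
$sddl = $sddl.Trim()

# LC = query status, RP = start, WP = stop.
# No DC (change config), WD (write DACL) or WO (write owner) is granted,
# so the account cannot reconfigure the service or change its permissions.
$ace = "(A;;LCRPWP;;;$sid)"

if ($sddl.Contains($ace)) {
    Write-Output "ACE already present on '$ServiceName'; nothing to do."
    return
}

# The new ACE belongs in the DACL (D:), so insert it before the SACL (S:) if one exists.
$saclIndex = $sddl.IndexOf('S:')
$newSddl = if ($saclIndex -ge 0) { $sddl.Insert($saclIndex, $ace) } else { $sddl + $ace }

# Keep the previous descriptor so the change can be reverted with sc.exe sdset.
Set-Content -Path ".\$ServiceName.sddl.bak" -Value $sddl

& sc.exe sdset $ServiceName $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Show the resulting descriptor for review.
& sc.exe sdshow $ServiceName
```

To undo the delegation, run `sc.exe sdset` again with the descriptor saved in the `.sddl.bak` file.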