How do I log on as an administrator?

An administrator is someone who can make changes on a computer that will affect other users of the computer. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts. To log on as an administrator, you need to have a user account on the computer with an Administrator account type.

If you are not sure if the account that you have on the computer is an administrator account, you can check the account type after you have logged on. The steps that you should follow will vary, depending on whether your computer is on a domain or a workgroup.

Type the user name and password for your account in the Welcome screen.

Open User Accounts by clicking the Start button , clicking Control Panel, clicking User Accounts, clicking User Accounts, and then clicking Manage User Accounts . If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Your user name is highlighted and your account type is shown in the Group column.

Type the user name and password for your account in the Welcome screen.

Open User Accounts by clicking the Start button , clicking Control Panel, clicking User Accounts and Family Safety, clicking User Accounts, and then clicking Manage another account . If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Your account type is displayed below your user name.

If your account type is Administrator, then you are currently logged on as an administrator.

If your account type is not Administrator, then you cannot log on as an administrator unless you know the user name password for another account on the computer that is an administrator. If you are not an administrator, you can ask an administrator to change your account type.

How to Allow Non-Admin Users to Start/Stop Windows Service?

By default, common (non-admin) users cannot manage Windows services. This means that users cannot stop, start, restart, or change the settings/permissions of Windows services. In some cases, it is necessary for a user to have the permissions to restart or manage certain services. In this article we’ll look at several ways to manage the permissions for Windows services. In particular, we’ll show you how to allow a non-admin user to start, stop and restart a specific Windows service by granting the appropriate permissions.

Suppose, you need to grant the domain account contoso\tuser the permissions to restart the Print Spooler service (service name – spooler). When the non-admin tries to restart the service, an error appears:

There is no simple and convenient built-in tool to manage services permissions in Windows. We’ll consider some ways to grant the permissions to a user to manage service:

Setting Windows Service Permissions Using the SC.exe (Service controller) Tool

A standard built-in Windows method to manage system service permissions supposes using the sc.exe (Service Controller) tool. The main problem with using this utility is the complex syntax of the service permissions format (the SDDL format — Security Description Definition Language).

You can get the current permissions for a Windows service as an SDDL string like this:

sc.exe sdshow Spooler

What do all these symbols mean?

The first letter after brackets means: allow (A) or deny (D).

The next set of symbols is assignable permissions.

The last 2 characters are the objects (user, group or SID) that are granted permissions. There is a list of predefined groups.

Instead of a predefined group, you can explicitly specify a user or group by SID. To get the SID for the current user, you can use the command:

Or you can find the SID for any domain user using the Get-ADUser cmdlet:

Get-ADUser -Identity ‘sadams’ | select SID

You can get the SID of the AD security group using the Get-ADGroup cmdlet:

In order to assign the SDDL permissions string for a specific service, you can use the sc sdset command. For example, the permissions can be granted to a user with the following command:

sc sdset Spooler «D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-2133228432-2794320136-1823075350-1000)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)»

Using the SubInACL to Allow a User to Start/Stop/Restart Service

It is easier to use a command line tool SubInACL from the Sysinternals (by Mark Russinovich) to manage the service permissions. The syntax of this tool is much easier and more convenient. Here is how you can grant the restart permissions for a service using the SubInACL:

1. Download subinacl.msi from this webpage (https://www.microsoft.com/en-us/download/details.aspx?id=23510) and install it on the target system;
2. In the elevated command prompt, go to the directory containing the tool: cd “C:\Program Files (x86)\Windows Resource Kits\Tools\»
3. Run the command: subinacl.exe /service Spooler /grant=contoso\tuser=PTO
   

If you did everything right, the service should restart.

subinacl.exe /service Spooler /revoke=contoso\tuser

How to Change Windows Service Permission Using Process Explorer?

You can change Windows service permissions using one more Sysinternals utility – Process Explorer. Run the Process Explorer as administrator and find the process of the service you need. In our example, this is spoolsv.exe (the spooler executable – C:\Windows\System32\spoolsv.exe ). Open the process properties and click the Services tab.

Click the Permissions button and add the user or group in the window that opens. After that select the permissions that you want to assign (Full Control/Write/Read).

Setting Windows Service Permissions Using PowerShell

In TechNet gallery there is a separate unofficial PowerShell module for managing permissions for different Windows objects – PowerShellAccessControl Module (you can download it here). This module also allows you to manage the service permissions. Install this module and import it into your PS session:

You can get the effective permissions for a specific Windows service from PowerShell like this:

Get-Service spooler | Get-EffectiveAccess -Principal corp\tuser

To allow non-admin user to start and stop spooler service, run the command:

Get-Service spooler | Add-AccessControlEntry -ServiceAccessRights Start,Stop -Principal corp\tuser

Using Security Templates to Manage Service Permissions

A visual (but requiring more actions) graphical way to manage service permissions is using Security Templates. Open mmc.exe console and add the Security Templates snap-in.

Create a new security template (New Template).

Specify the name for the new template and go to the System Services section. In the list of services select the service Print Spooler and open its properties.

Select the startup mode (Automatic) and click Edit Security.

Using the Add button, add a user account or a group to grant permissions to. In our case, Start, stop and pause permission is enough.

Save this template.

If you open this file, you can see that the information about the permissions is saved in the SDDL format, mentioned earlier. The string obtained in this way can be used as an argument of the sc.exe command.

[Unicode]
Unicode=yes
[Version]
signature=»$CHICAGO$»
Revision=1
[Service General Setting]
«Spooler»,2,»D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;RPWPDTRC;;;S-1-5-21-3243688314-1354026805-3292651841-1127)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)»

Now you only have to create a new database (Open Database) using the Security Configuration and Analysis snap-in and import your Security Template from the file Spooler User Rights.inf.

Apply this template by selecting Configure Computer Now option from the context menu.

Now you check that the user can allow manage the Print Spooler service under non-admin account.

How to Grant Users Rights to Manage a Service using GPO?

If you have to grant permissions to users to start/stop a service multiple servers or domain computer, it’s easier to use Group Policy (GPO) features:

1. Create a new GPO or edit the existing one, link it to the necessary Active Directory container (OU) with the computer objects . Go to the policy section Computer configuration -> Windows Settings -> Security Settings -> System Services;
2. Find the Spooler service and grant permissions to the users like in the method described above. Save the changes;

The security settings for all services for which you changed the default permissions are stored in their own registry key HKLM\System\CurrentControlSet\Services\ \Security in the Security parameter of the REG_BINARY type.

This means that one of the ways to set service permissions on other computers is to export/import this registry parameter (including through a GPO).

So, we looked at several ways to manage the Windows service permissions, which allow you to grant any permissions for system services to non-admin user. If the user requires remote access to the service, without granting it local logon or RDP access permissions, you must allow the user to connect remotely and enumerate services via Service Control Manager.

Отказать во входе в качестве службы Deny log on as a service

Область применения Applies to

В этой статье описываются рекомендации, рекомендации по расположению, значениям, **** управлению политиками и безопасности для запрета входа в систему в качестве параметра политики безопасности службы. This article describes the recommended practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting.

Справочные материалы Reference

Этот параметр политики определяет, какие пользователи не могут войти в приложения-службы на устройстве. This policy setting determines which users are prevented from logging on to the service applications on a device.

Служба — это тип приложения, который выполняется в системной фоновой системе без пользовательского интерфейса. A service is an application type that runs in the system background without a user interface. Он предоставляет основные функции операционной системы, такие как веб-обслуживание, ведение журнала событий, обслуживание файлов, печать, шифрование и отчеты об ошибках. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting.

Константа: SeDenyServiceLogonRight Constant: SeDenyServiceLogonRight

Возможные значения Possible values

• Определяемый пользователей список учетных записей User-defined list of accounts
• Не определено Not defined

Рекомендации Best practices

1. При назначении этого права пользователя тщательно проверьте, что эффект именно тот, который вы планировали. When you assign this user right, thoroughly test that the effect is what you intended.
2. В домене измените этот параметр для соответствующего объекта групповой политики (GPO). Within a domain, modify this setting on the applicable Group Policy Object (GPO).

Location Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Значения по умолчанию Default values

В следующей таблице перечислены фактические и эффективные значения политики по умолчанию для последних поддерживаемых версий Windows. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Значения по умолчанию также можно найти на странице свойств политики. Default values are also listed on the policy’s property page.

Тип сервера или объект групповой политики Server type or GPO	Значение по умолчанию Default value
Default Domain Policy Default Domain Policy	Не определено Not defined
Политика контроллера домена по умолчанию Default Domain Controller Policy	Не определено Not defined
Параметры по умолчанию для автономного сервера Stand-Alone Server Default Settings	Не определено Not defined
Действующие параметры по умолчанию для контроллера домена Domain Controller Effective Default Settings	Не определено Not defined
Действующие параметры по умолчанию для рядового сервера Member Server Effective Default Settings	Не определено Not defined
Действующие параметры по умолчанию для клиентского компьютера Client Computer Effective Default Settings	Не определено Not defined

Управление политикой Policy management

В этом разделе описываются функции и средства, доступные для управления этой политикой. This section describes features and tools available to help you manage this policy.

Для активации этого параметра политики не требуется перезагрузка компьютера. A restart of the computer isn’t required for this policy setting to be effective.

Изменения прав пользователя вступают в силу при его следующем входе в учетную запись. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Групповая политика Group Policy

На устройстве, которое присоединилось к домену, включая контроллер домена, эта политика может быть перезаписана политикой домена, которая не позволит изменить параметр локальной политики. On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.

Этот параметр политики может конфликтовать с параметром входа в качестве параметра службы и отменять его. This policy setting might conflict with and negate the Log on as a service setting.

Параметры применяются в следующем порядке с помощью объекта групповой политики (GPO), который будет перезаписывать параметры на локальном компьютере при следующем обновлении групповой политики: Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

1. Параметры локальной политики Local policy settings
2. Параметры политики сайта Site policy settings
3. Параметры политики домена Domain policy settings
4. Параметры политики подразделения OU policy settings

Если локальный параметр затеняется, это означает, что в настоящее время этот параметр контролируется GPO. When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Вопросы безопасности Security considerations

В этом разделе описывается, каким образом злоумышленник может использовать компонент или его конфигурацию, как реализовать меры противодействия, а также рассматриваются возможные отрицательные последствия их реализации. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Уязвимость Vulnerability

Учетные записи, которые могут входить в приложение-службу, можно использовать для настройки и запуска новых несанкционированных служб, таких как килоггер или другие вредоносные программы. Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. Преимущество указанного противодействия несколько сокращается тем фактом, что только пользователи с правами администратора могут устанавливать и настраивать службы, а злоумышленник, у которого уже есть такой уровень доступа, может настроить службу для запуска с помощью системной учетной записи. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure services, and an attacker who already has that level of access could configure the service to run by using the System account.

Противодействие Countermeasure

Не рекомендуется назначать учетным **** записям право «Запретить вход» в качестве пользователя службы. We recommend that you don’t assign the Deny log on as a service user right to any accounts. Эта конфигурация является конфигурацией по умолчанию. This configuration is the default. Организации, которые сильно беспокоится о безопасности, могут назначить это право пользователям группам и учетным записям, если они уверены, что им не потребуется входить в приложение-службу. Organizations that have strong concerns about security might assign this user right to groups and accounts when they’re certain that they’ll never need to log on to a service application.

Возможное влияние Potential impact

Если запретить **** вход в систему как право пользователя службы определенным учетным записям, службы могут не запускаться, и может возникнуть условие отказа в обслуживании. If you assign the Deny log on as a service user right to specific accounts, services may not start and a denial-of-service condition could result.