Hello, I've changed permissions on a server to allow our helpdesk to restart the spooler service. I can see on the server that the permissions have taken effect by using RSoP. The problem is that when a user tries to connect to the server by using computer management, as soon as they click on services they get "Access Denied". What additional steps will I need to perform to enable users to connect to the services part of computer management? the connection to the computer works when using computer management but its only the services part which is an issue.

Hiya, Are they logging on to the server or running script against the server? for example: sc \\<server name> stop Spooler sc \\<server name> start Spooler What O/S version is the server?

Does it have to be via the GUI, because if you could script it you could give the helpdesk an icon that allows them to restart the spooler service. There are a number of options available that could do the job: PSExec to run a net stop, net startwmic to invoke stopservice and startserviceVBscript or PowerShell to stop and start via WMIPowerShell remoting to restart serviceJaap Brasser http://www.jaapbrasser.com

Ideally we want it to be done via the gui as that is the way that they know now to work. we may also want to delegate other service management at a later date so the GUI would enable the less techie to work easy.

Hi, Thank you for the post. If non admin users want to restart service from remote MMC, you need grant users rights follow steps below: Grant user right to access service manager remotely 1.Obtain the current security descriptor settings of Service control manager: Run command sc sdshow scmanager on the computer which you want to manage remotely, we will get following D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) 2.Get SID of the user which you want to grant permission. Log on the user, run command whoami /all then we can get the SID of the user. For example, the SID of my test user is S-1-5-21-75742885-1028626651-2117483494-1107. To domain user/groups, open ADUC--view menu--selected Advanced Features, find objectSid from domain user/groups Attribute Editor tab. 3.Generate the SD, add (A;;LCRPRC;;;{SID}) before S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD), then we can get: D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;LCRPRC;;; S-1-5-21-75742885-1028626651-2117483494-1107)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) 4.Run command sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;LCRPRC;;; S-1-5-21-75742885-1028626651-2117483494-1107)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) Then we can access service manager remotely. RegardsRick Tan TechNet Community Support