
1 Vote
PatReagan-9330 asked

Grant access to stop and start a service on an on premise domain controller without domain admin rights

Due to a successful breach during a pen test by using the print spooler service on a domain controller, we are being challenged to stop/disable the print spooler service on all of our domain controllers. With the pruning responsibility of the print spooler on a domain controller for domain published printers, we would like to schedule a start and stop of the print spooler service on a DC using a scheduled task. We attempted to use the Local Service account to run the task, but it fails to start the service with no errors or warnings in the logs. We need to complete this task as a non-domain administrator. Any suggestions?

windows-server-2016

1 Vote
PatReagan-9330 answered

OK. So we used a GPO to set the service to manual, and deliver a scheduled task, using System context to run the process. No account required to give access to the DC.

Hope this helps someone else!

Thanks


0 Votes
LeonLaude answered

Hi,

Have you tried giving Windows service permissions to a domain account by using the SC.exe (Service controller) tool?

How to Allow Non-Admin Users to Start/Stop Windows Service?
http://woshub.com/set-permissions-on-windows-service/


Best regards,
Leon
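
The SC.exe approach suggested above, sketched as an added example that is not part of the original thread or of the linked article: it appends one allow ACE to the Print Spooler service's DACL so that a delegated group can query, start and stop the service and nothing else. The group name `CONTOSO\SpoolerOperators` and the backup file name are assumptions; run it elevated on the server concerned.

```powershell
# Added example (not from the thread). Run in an elevated session on the target server.
$ServiceName = 'Spooler'
$GroupName   = 'CONTOSO\SpoolerOperators'   # hypothetical group, replace with your own

# SDDL ACEs name the trustee by SID, so resolve the group first.
$sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Read the current security descriptor (sc.exe prints a blank line before it).
$current = & sc.exe sdshow $ServiceName |
    Where-Object { $_ -match '\S' } | Select-Object -First 1
if ($LASTEXITCODE -ne 0 -or $current -notmatch 'D:') {
    throw "Could not read the security descriptor of ${ServiceName}: $current"
}

# Keep the original descriptor so the change can be rolled back with 'sc.exe sdset'.
$backup = Join-Path $env:TEMP "$ServiceName-sddl-backup.txt"   # hypothetical file name
Set-Content -Path $backup -Value $current

# LC = query status, RP = start, WP = stop.
# Deliberately omitted: change config, delete, WRITE_DAC, WRITE_OWNER.
$ace = "(A;;LCRPWP;;;$sid)"

if ($current.Contains($ace)) {
    Write-Output "ACE for $GroupName is already present; nothing to do."
}
else {
    # Append to the DACL: insert before the SACL ('S:') if there is one, else at the end.
    $saclAt = $current.IndexOf('S:')
    $new = if ($saclAt -ge 0) { $current.Insert($saclAt, $ace) } else { $current + $ace }

    & sc.exe sdset $ServiceName $new
    if ($LASTEXITCODE -ne 0) {
        throw "sdset failed; the original descriptor is saved in $backup"
    }

    # Show the descriptor now in effect so the change can be reviewed.
    & sc.exe sdshow $ServiceName
}
```

The ACE carries no right to change the start type, so the service has to be set to Manual rather than Disabled for the start to succeed. An account that runs the scheduled task also needs the "Log on as a batch job" user right on the domain controller.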


0 Votes
PatReagan-9330 answered

We have thought about this option, but don't know if changing the permissions for a service on a DC can cause issues since the service is used to interact with the domain. Or am I overthinking it?
