How to use a GPO to delegate Windows Services Administration to a non-admin on SharePoint servers.
On a SharePoint server you will need to add the Group Policy Management feature. You must do this on a SharePoint server because the System Services list in the GPO editor is read from the server you are creating the GPO on, so the services you want to delegate must be installed there.
Note that this requires elevated rights and is typically handled by the AD group, so some of these instructions may be fairly light.
Open Server Manager, expand Features, expand Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, right-click Group Policy Objects and click New.
Right-click the Group Policy Object you just created and click Edit.
Expand Policies, expand Windows Settings, expand Security Settings and click System Services.
On the right-hand side you will find the services that are installed on the server.
Scroll through the services until you see one you wish to delegate.
The first SharePoint service I see is Claims to Windows Token Service. Double-click this service.
Note: to save time you may want to create an Excel spreadsheet listing every service and its startup mode for all servers in the farm, for faster reference. You will most likely find that you need multiple GPOs, because the startup modes will not be the same across all servers.
After selecting the startup mode, click Edit Security.
Add the AD user/group that will require rights to manage this service. In my case I added contoso\app Admins (the same group I used for IIS delegation and Web Deploy) with Start, Stop and Pause. You will also need to add contoso\farm with Full Control (if you have followed least privilege your farm account will not be in the local Administrators group, and without Full Control on these services PSCONFIG will fail).
Click OK when complete.
Claims to Windows Token Service is now configured.
Repeat this for every service you wish to delegate, setting the startup mode and permissions each time.
Here is the list of Windows services I ended up with (if you have Project Server, you will need to add its services as well):
• Claims to Windows Token Service
• Document Conversion Launcher
• Document Conversion Load Balancer
• Forefront Identity Manager Service
• Forefront Identity Manager Synchronization Service
• IIS Admin Service (note: this is not a SharePoint service, so the farm account only needs Start, Stop and Pause)
• SharePoint 2010 Administration
• SharePoint 2010 Timer
• SharePoint 2010 Tracing
• SharePoint 2010 User Code Host
• SharePoint 2010 VSS Writer
• SharePoint Foundation Search V4
• SharePoint Server Search 14
• Web Analytics Service
Close the Group Policy Management Editor.
Create any further GPOs you need (one per distinct set of startup modes).
Link the GPOs to the OU(s) containing the appropriate server(s), then run gpupdate /force on each server and confirm the service permissions have applied.
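The System Services policy above writes the permissions you set straight into each service's security descriptor on the target server, so the result can be verified locally once Group Policy has refreshed. The following PowerShell script is an added example, not part of the original post: it reads each service's descriptor with sc.exe sdshow, decodes the SDDL, and reports whether contoso\app Admins and contoso\farm hold the rights the post assigns, plus which other principals can stop or reconfigure the services (the least-privilege check). The function names are my own; the group names and the service display names are taken from the post, so adjust them if your service display names differ.

```powershell
# Added example, not part of the original post: audit the effective service security
# descriptors on a SharePoint server after the GPO has applied (gpupdate /force) and
# report whether the delegated group and the farm account hold the intended rights.
# Function names are my own; group names and service display names are from the post.

# Two-letter right tokens as they appear in SDDL ACE strings for Windows services.
$ServiceRights = @{
    'CC' = 'QueryConfig';   'DC' = 'ChangeConfig';  'LC' = 'QueryStatus'
    'SW' = 'EnumerateDependents'; 'RP' = 'Start';  'WP' = 'Stop'
    'DT' = 'PauseContinue'; 'LO' = 'Interrogate';  'CR' = 'UserDefinedControl'
    'SD' = 'Delete';        'RC' = 'ReadControl';  'WD' = 'WriteDac'
    'WO' = 'WriteOwner';    'GA' = 'GenericAll'
}

function Get-ServiceDacl {
    # Returns one object per allow/deny ACE in the service's DACL.
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the descriptor as an SDDL string such as
    # D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;...;;;BA)S:(AU;FA;...;;;WD)
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Name'." }
    $dacl = ($sddl -split 'S:')[0]   # drop the SACL part, if present
    # ACE string layout: (type;flags;rights;object_guid;inherit_guid;sid)
    foreach ($m in [regex]::Matches($dacl, '\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        $field  = $m.Groups[2].Value
        $rights = @()
        if ($field -match '^0x') {
            $rights += $field            # raw hex access mask, left unparsed
        } else {
            for ($i = 0; $i + 1 -lt $field.Length; $i += 2) {
                $tok = $field.Substring($i, 2)
                $rights += $(if ($ServiceRights.ContainsKey($tok)) { $ServiceRights[$tok] } else { $tok })
            }
        }
        # The SID field may be an alias (SY, BA, IU, SU, WD) or an S-1-... string;
        # the SecurityIdentifier constructor accepts both forms.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($m.Groups[3].Value)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }
        [pscustomobject]@{ Service = $Name; Type = $m.Groups[1].Value; Identity = $who; Rights = $rights }
    }
}

function Test-ServiceDelegation {
    # For each service, confirm that $Identity is explicitly allowed every right in
    # $RequiredRights (GenericAll counts as all rights).
    param(
        [Parameter(Mandatory)][string[]]$DisplayName,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$RequiredRights
    )
    foreach ($dn in $DisplayName) {
        $svc = Get-Service -DisplayName $dn -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $dn; Identity = $Identity; Ok = $false; Missing = 'service not installed' }
            continue
        }
        $have = @(Get-ServiceDacl -Name $svc.Name |
                  Where-Object { $_.Type -eq 'A' -and $_.Identity -ieq $Identity } |
                  ForEach-Object { $_.Rights })
        if ('GenericAll' -in $have) { $missing = @() }
        else { $missing = @($RequiredRights | Where-Object { $_ -notin $have }) }
        [pscustomobject]@{ Service = $svc.DisplayName; Identity = $Identity
                           Ok = ($missing.Count -eq 0); Missing = ($missing -join ', ') }
    }
}

# The post's service list (Project Server services omitted). IIS Admin Service is the
# one non-SharePoint service, so the farm account is only expected to hold Start/Stop/Pause there.
$spServices = @(
    'Claims to Windows Token Service', 'Document Conversion Launcher', 'Document Conversion Load Balancer',
    'Forefront Identity Manager Service', 'Forefront Identity Manager Synchronization Service',
    'SharePoint 2010 Administration', 'SharePoint 2010 Timer', 'SharePoint 2010 Tracing',
    'SharePoint 2010 User Code Host', 'SharePoint 2010 VSS Writer', 'SharePoint Foundation Search V4',
    'SharePoint Server Search 14', 'Web Analytics Service'
)
$operate  = @('Start', 'Stop', 'PauseContinue')
$fullCtrl = $operate + @('ChangeConfig', 'Delete', 'ReadControl', 'WriteDac', 'WriteOwner')

Test-ServiceDelegation -DisplayName ($spServices + 'IIS Admin Service') -Identity 'CONTOSO\app Admins' -RequiredRights $operate
Test-ServiceDelegation -DisplayName $spServices -Identity 'CONTOSO\farm' -RequiredRights $fullCtrl
Test-ServiceDelegation -DisplayName 'IIS Admin Service' -Identity 'CONTOSO\farm' -RequiredRights $operate

# Least-privilege check: list every principal that can stop or reconfigure these services,
# so anything beyond SYSTEM, Administrators and the two delegated identities stands out.
foreach ($dn in $spServices) {
    $s = Get-Service -DisplayName $dn -ErrorAction SilentlyContinue
    if ($s) {
        Get-ServiceDacl -Name $s.Name |
            Where-Object { $_.Type -eq 'A' -and ($_.Rights -contains 'Stop' -or $_.Rights -contains 'ChangeConfig' -or $_.Rights -contains 'GenericAll') } |
            Format-Table Service, Identity, @{ n = 'Rights'; e = { $_.Rights -join ',' } } -AutoSize
    }
}
```

Run it in an elevated PowerShell session on each server after gpupdate /force. A row with Ok = False and a non-empty Missing column means the GPO did not apply to that server (check the link and security filtering) or that the service exists under a different display name on that build; a service showing a hex mask rather than named rights simply has an access mask sc.exe could not express in two-letter tokens, and the raw value is passed through for manual inspection.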