A consultant is doing some database work on one of our servers that's also a domain controller (DC). I don't want to make her a domain administrator, but she needs the ability to restart the Microsoft SQL Server service frequently. How can I grant her that permission without making her an administrator?
Services have ACLs like other objects do, so you can grant services specific start and stop permissions. Unfortunately, the Microsoft Management Console (MMC) Services snap-in doesn't expose service ACLs in the interface, but two other methods for editing service permissions are available. With the first method, you create a security template via the MMC Security Templates snap-in and navigate to the System Services folder. Open the SQL Service Properties page, select the Define this property check box, and click Edit Security, which opens the ACL for the service. Grant the consultant Start, stop and pause permission. Save the policy, and apply it by using the MMC Configuration and Analysis snap-in.
The other method is more direct but it requires that you use the command line. Using the /service parameter with the Subinacl command lets you grant permissions to a service. For example, to grant Randy in domain Acme Start, stop and pause permission for the Spooler service, open a command line and type
subinacl /service spooler
/grant=acme\randy=top
Note that you must specify the service name of the service, not its display name. You can get a list of all services with their display names and actual names by typing the command
sc query
You can download Subinacl from http://go.microsoft.com/fwlink/?LinkId=23418. When you execute the subinacl.msi file, it installs the Subinacl command and a Help file in the %programfiles%\Windows Resource Kits\Tools folder.