43 lines
1.3 KiB
PowerShell
43 lines
1.3 KiB
PowerShell
|
function Grant-UserStartStopRightsToService {
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
Grants a non-administrative user rights to stop or start a Windows Service
|
||
|
|
#>
|
||
|
|
|
||
|
|
[CmdLetBinding()]
|
||
|
|
Param(
|
||
|
|
[Parameter(Mandatory=$true)]
|
||
|
|
[Alias("User")]
|
||
|
|
[string]$userName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory=$false)]
|
||
|
|
[Alias("Domain")]
|
||
|
|
[string]$domainName,
|
||
|
|
|
||
|
|
[Parameter(Mandatory=$true)]
|
||
|
|
[Alias("Service")]
|
||
|
|
[string]$serviceName
|
||
|
|
)
|
||
|
|
|
||
|
|
$logLead = (Get-LogLeadName);
|
||
|
|
$serviceAcls = & sc.exe sdshow "$serviceName"
|
||
|
|
$userSid = Get-SidFromUsername -userName:$userName -domainName:$domainName
|
||
|
|
|
||
|
|
if ($serviceAcls -match "$userSid")
|
||
|
|
{
|
||
|
|
Write-Warning ("$logLead : User {0} already has explicit rights to the service. Verify they are correct and remove manually if this needs to be rerun." -f $userName)
|
||
|
|
return
|
||
|
|
}
|
||
|
|
|
||
|
|
$splitAcls = ($serviceAcls -split "(?=S:\(AU)" -ne "")
|
||
|
|
$aclTemplate = ("(A;;RPWPCR;;;{0})" -f $userSid)
|
||
|
|
Write-Verbose ("$logLead : ACL String to Add: {0}" -f $aclTemplate)
|
||
|
|
|
||
|
|
$modifiedAclSegment = $splitAcls[0] + $aclTemplate
|
||
|
|
$modifiedAcls = $modifiedAclSegment + ($splitAcls | Select-Object -Skip 1)
|
||
|
|
Write-Verbose ("$logLead : Setting ACLs for Service {0} to {1}" -f $serviceName, $modifiedAcls)
|
||
|
|
|
||
|
|
& sc.exe sdset "$serviceName" $modifiedAcls
|
||
|
|
}
|
||
|
|
|