The non-admin user: The Battle of Restarting Services

Last Updated on June 7, 2022 by rudyooms

This blog will show you, how you could give regular users permission to restart some services… Why? because sometimes a user needs to restart a specific service and they really don’t have the time to reboot the device itself.

I will divide this blog into multiple parts:

  1. Introduction
  2. The Idea
  3. The Script
  4. The results

1.Introduction

Some time ago, Oliver Kieselbach discovered a very great new method to start the IME sync process with just a simple command: “intunemanagementextension://syncapp”.  To make sure users could perform this action. you could push a shortcut with a nice command to all your user desktops. An excellent new approach.

Like Oliver was mentioning, you could restart the Microsoft Intune Management service, which also triggers the sync. But when your users have no admin privileges, this is not possible.

This got me thinking, shouldn’t it be possible to restart some services for end-users? Just like the possibility to install printers / installing programs from the company portal. This would be a great addition to self-servicing users.

2. The Idea

It always starts with an idea… So In this example, I have created a Win32 app to let end users restart the Microsoft Intune management service. Do you know what is beautiful? You could do the same with some other services like for example the Print Spooler. Let me explain why…

How many times didn’t you (when working as a service desk engineer) get a call there was something wrong with the Printer and you needed to restart the Spooler Service?

Before we can do anything with the service, we need to change the permissions of the service itself because a regular user doesn’t have permission to do so. When we have changed the permission we still need to make sure the end-user could easily perform this action him/herself. To do so we are also going to publish a shortcut to an additional program to restart the service.

Below is a screenshot how it would be like when you are done

3. The Script

Let’s start with the easiest part, the restartintune.exe. It is just a simple PowerShell script with 2 commands in it and converted to an EXE. I converted it to an EXE because I am blocking PowerShell and the command line. It’s obvious your standard users don’t need PowerShell access.

I also placed it in the Program files folder, to be sure Applocker isn’t going to “kill” it. I am placing it in the Applocker folder because, in a normal Applocker setup, the Program Files folders are excluded from the block! If you want to read about how to deploy Applocker to Intune, read my blog below.

Now we know what the very simple script would look like that I converted to an exe (restartintun.exe), here it is. Of course, when you want to do the same with the Printer Spooler.. don’t forget to change it.


net stop IntuneManagementExtension
Net start IntuneManagementExtension

And now the Windows10_restartservice.ps1 part. As you can see, you will need some modules, to begin with. After installing the modules you just assign the proper service permission.

Looking at the script below, you will notice that after the service permissions are changed with the Grant-servicepermission command, the restartintune.exe and the corresponding icon file are copied to a new folder inside program files (x86). As mentioned earlier, this folder is excluded from my AppLocker policy.

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-1-0")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$everyone = $objUser.Value

#install and import module
install-packageprovider -name nuget -minimumversion 2.8.5.201 -force | out-null
Install-Module -Name 'Carbon' -AllowClobber -force | out-null
Import-Module 'Carbon'

#grant permission and restart service to take affect
Grant-CServicePermission -Name IntuneManagementExtension -Identity $everyone -QueryStatus -EnumerateDependents -Start -Stop

md "c:\program files (x86)\restartservice"
copy .\restartintune.exe "c:\program files (x86)\restartservice\restartintune.exe"
copy .\intune.ico "c:\program files (x86)\restartservice\intune.ico"

#Create Shortcut Desktops
if (-not (Test-Path "C:\Users\Public\Desktop\Restart-Service.url"))
{
$null = $WshShell = New-Object -comObject WScript.Shell
$path = "C:\Users\Public\Desktop\Restart-Service.url"
$targetpath = "c:\program files (x86)\restartservice\restartintune.exe"
$iconlocation = "c:\program files (x86)\restartservice\intune.ico"
$iconfile = "IconFile=" + $iconlocation
$Shortcut = $WshShell.CreateShortcut($path)
$Shortcut.TargetPath = $targetpath
$Shortcut.Save()

Add-Content $path "HotKey=0"
Add-Content $path "$iconfile"
Add-Content $path "IconIndex=0"
}

The only thing left to do is to create the intunewinapp and upload it to Intune and assign it to the users who need that power!

4 .The Results

After a while, the App is installed and a new icon appears on the desktop. I opened the event log and services.msc as an admin user to check out if it was working. So clicking on the Restart Service button, stopped and start the Intune Management Extension service as expected! 

Conclusion:

I guess the puzzle is almost complete now, we have some options to let end-users install apps on their own, install printers on their own and now we can also let end users stop and start some services if needed.

You Need To Stop GIFs - Get the best GIF on GIPHY

Best of all, these actions can be performed without local admin permissions. Of course, maybe the Intune management service is not the best example… but you could use it for any service you like.

5 thoughts on “The non-admin user: The Battle of Restarting Services

  1. Could you do the same to grant permission to stop the print spooler, delete files in a folder and then restart the spooler after file deletion?

    1. Hi, everything is possible :).. I guess. In this (old blog… need to update it) I am only granting the permissions to restart this service. Maybe a way better idea would be to create a powershell script which does everything you say and create an available app for it. When configuring the detection rules, you could make sure the can (install –> read… run it) from the company portal app when needed. They can launch the app is an normal user.. but it will do everything you want as system… And maybe combining it with PSADT to show the enduser a little bit more information about the process?

      Let me know if it works for you… if so please send me a pm so we can transform this problem/issue/solution to a blog to help out others

    1. Thanx…that servicepermissions would be removed in next major version indeed… I changed it and also changed the everyone part to match the sid

  2. Looks exactly like something I’m needing now, thanks. Going to to try making some adjustments.
    A couple of questions though:

    How do your install and uninstall commands look?
    Also when deplying with Intune, what did you make your detection rules like?

    Thanks a bunch!

Leave a Reply

Your email address will not be published.

5  +  2  =