The non admin user: The battle of restarting services

Some time ago, Oliver Kieselbach discovered a great new method to start the IME sync process with just a simple command: “intunemanagementextension://syncapp”. You could push a shortcut with this command to all your user desktops. An excellent new approach.

As Oliver mentioned, you could also restart the Microsoft Intune Management service, which triggers the sync as well. But when your users have no admin privileges, this is not possible.

This got me thinking: shouldn’t it be possible to let end users restart some services, just like they can already install printers or programs from the Company Portal? This would be a great addition to self-service for users.

In this example, I have created a Win32 app to let end users restart the Microsoft Intune Management service. You could do the same with other services, such as the print spooler.

We need to change the permissions of the service itself and publish a shortcut to an additional program to restart the service.

Let’s start with the easiest part, the restartintune.exe. It’s just a simple PowerShell script with 2 commands in it, converted to an exe. I converted it to an exe because I am blocking PowerShell and the command line. It’s obvious your standard users don’t need PowerShell access.

Net stop IntuneManagementExtension

Net start IntuneManagementExtension
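The two net commands above do the job, but they give the user no feedback when the stop hangs or when the service ACL has not been applied yet. Below is an added example (my own code, not the post’s restartintune.exe) of the same restart written as a PowerShell script that a standard user can run with only the Start/Stop/QueryStatus rights granted on the service. The service name is taken from the post; the timeout value and exit codes are assumptions.

```powershell
# Added example, not the post's restartintune.exe.
# Restarts a service as a standard user, relying only on the service DACL
# (QueryStatus, Start, Stop) instead of local admin rights.
param(
    [string]$Name = 'IntuneManagementExtension',   # service name from the post
    [int]$TimeoutSeconds = 60                      # assumed; adjust to the service
)

function Restart-ServiceAsUser {
    param([string]$Name, [int]$TimeoutSeconds)

    # Get-Service only needs SERVICE_QUERY_STATUS, which the post grants as well
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    try {
        if ($svc.Status -ne 'Stopped') {
            # Stop-Service throws an access-denied error when the DACL change
            # from the Win32 app has not reached this device yet
            Stop-Service -Name $Name -ErrorAction Stop
            # A service stuck in StopPending would otherwise block forever
            $svc.WaitForStatus('Stopped', $timeout)
        }
        Start-Service -Name $Name -ErrorAction Stop
        $svc.WaitForStatus('Running', $timeout)
        return 0
    }
    catch [System.ServiceProcess.TimeoutException] {
        $svc.Refresh()
        Write-Warning "Service '$Name' did not change state within $TimeoutSeconds seconds (current: $($svc.Status))"
        return 2
    }
    catch {
        Write-Warning "Could not restart '$Name': $($_.Exception.Message)"
        return 1
    }
}

# Exit code is visible to whatever wraps the script (an exe converter, a scheduled task)
exit (Restart-ServiceAsUser -Name $Name -TimeoutSeconds $TimeoutSeconds)
```

Exit code 1 is the case to watch for in the first days after assigning the app: it means the user opened the shortcut before the service permission was changed on that device.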

And now the Windows10_restartservice.ps1 part. As you can see, you will need some modules to begin with. After installing the modules you just assign the proper service permission. (In my example it’s “iedereen”, the Dutch name of the Everyone group.)

After the service permissions are changed, the restartintune.exe and the corresponding icon file are copied to a new folder inside program files (x86). This folder is excluded from my AppLocker policy.

#install and import module (Carbon provides Grant-ServicePermission)
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name 'Carbon' -AllowClobber -Force | Out-Null
Import-Module 'Carbon'

#grant permission and restart service to take effect
#"iedereen" is the Everyone group on a Dutch Windows installation
Grant-ServicePermission -Name IntuneManagementExtension -Identity iedereen -QueryStatus -EnumerateDependents -Start -Stop

#copy the restart tool and its icon to a folder that is excluded from AppLocker
md "c:\program files (x86)\restartservice"
copy .\restartintune.exe "c:\program files (x86)\restartservice\restartintune.exe"
copy .\intune.ico "c:\program files (x86)\restartservice\intune.ico"

#Create Shortcut Desktops
if (-not (Test-Path "C:\Users\Public\Desktop\Restart-Service.url"))
{
    $WshShell = New-Object -ComObject WScript.Shell
    $path = "C:\Users\Public\Desktop\Restart-Service.url"
    $targetpath = "c:\program files (x86)\restartservice\restartintune.exe"
    $iconlocation = "c:\program files (x86)\restartservice\intune.ico"
    $iconfile = "IconFile=" + $iconlocation
    $Shortcut = $WshShell.CreateShortcut($path)
    $Shortcut.TargetPath = $targetpath
    $Shortcut.Save()

    #a .url file is plain text, so the icon lines are appended directly
    Add-Content $path "HotKey=0"
    Add-Content $path "$iconfile"
    Add-Content $path "IconIndex=0"
}

The only thing left to do is to create the intunewin app, upload it to Intune and assign it to the users.

After a while, the app is installed and a new icon appears on the desktop. I opened the event log and services.msc as an admin user to check whether it was working.
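Checking services.msc by hand works for one device, but the same check can be scripted: the service DACL that Grant-ServicePermission changed can be read back with sc.exe sdshow, and the Service Control Manager writes event 7036 each time the service stops or starts. The script below is an added example (my own code, not from the post or from Carbon) that parses the SDDL string, lists which principals may start or stop the service, and pulls the matching 7036 events. The sample SDDL is constructed to look like a default service descriptor with the post’s Everyone ACE appended; the service name is taken from the post.

```powershell
# Added example, not part of the post: audit who may start/stop a service and
# when it was last restarted. Uses only sc.exe and Get-WinEvent, no extra modules.

# Well-known SID abbreviations that appear in the trustee field of an SDDL ACE
$SidNames = @{
    'WD' = 'Everyone'; 'AU' = 'Authenticated Users'; 'IU' = 'Interactive Users'
    'BA' = 'BUILTIN\Administrators'; 'BU' = 'BUILTIN\Users'; 'SY' = 'NT AUTHORITY\SYSTEM'
    'SU' = 'NT AUTHORITY\SERVICE'; 'LS' = 'Local Service'; 'NS' = 'Network Service'
}

# Service access-right letters as they appear in the access-mask field of an ACE
$ServiceRights = @{
    'CC' = 'QueryConfig'; 'DC' = 'ChangeConfig'; 'LC' = 'QueryStatus'
    'SW' = 'EnumerateDependents'; 'RP' = 'Start'; 'WP' = 'Stop'
    'DT' = 'PauseContinue'; 'LO' = 'Interrogate'; 'CR' = 'UserDefinedControl'
    'SD' = 'Delete'; 'RC' = 'ReadControl'; 'WD' = 'WriteDac'; 'WO' = 'WriteOwner'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Only the DACL (between 'D:' and the optional 'S:' SACL) decides who may control the service
    $dacl = if ($Sddl -match 'D:(?<dacl>.*?)(S:|$)') { $Matches['dacl'] } else { '' }
    $aceRegex = '\((?<type>A|D);(?<flags>[^;]*);(?<mask>[^;]*);;;(?<sid>[^)]*)\)'
    foreach ($m in [regex]::Matches($dacl, $aceRegex)) {
        $mask = $m.Groups['mask'].Value
        $rights = @()
        if ($mask -match '^0x') {
            $rights = @($mask)              # numeric mask: report as-is
        } else {
            for ($i = 0; $i -lt $mask.Length; $i += 2) {
                $code = $mask.Substring($i, 2)
                $name = if ($ServiceRights.ContainsKey($code)) { $ServiceRights[$code] } else { $code }
                $rights += $name
            }
        }
        $sid = $m.Groups['sid'].Value
        [pscustomobject]@{
            Type      = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Principal = if ($SidNames.ContainsKey($sid)) { $SidNames[$sid] } else { $sid }
            Rights    = $rights
        }
    }
}

function Test-ServiceControlByUsers {
    param([Parameter(Mandatory)][string]$Sddl)
    # Allow ACEs that hand Start or Stop to broad groups: exactly what the post grants on
    # purpose, and what an auditor wants listed per service rather than discovered later
    $broad = 'Everyone', 'Authenticated Users', 'Interactive Users', 'BUILTIN\Users'
    ConvertFrom-ServiceSddl -Sddl $Sddl |
        Where-Object { $_.Type -eq 'Allow' -and $broad -contains $_.Principal -and
                       ($_.Rights -contains 'Start' -or $_.Rights -contains 'Stop') }
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints a blank line followed by the SDDL string
    $out = & sc.exe sdshow $Name 2>&1 | Where-Object { $_ -match '^[DS]:' }
    if (-not $out) { throw "Could not read security descriptor for service '$Name'" }
    [string]$out
}

function Get-ServiceStateChange {
    param([Parameter(Mandatory)][string]$DisplayName, [int]$MaxEvents = 20)
    # Event 7036 (Service Control Manager) records each transition to running/stopped,
    # naming the service by display name; it does not record which user triggered it
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } `
                 -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayName*" } |
        Select-Object -First $MaxEvents TimeCreated, Message
}

# Constructed sample: a typical default service DACL with an extra ACE that gives
# Everyone (WD) QueryStatus, EnumerateDependents, Start and Stop, as the post does
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCSWRPWP;;;WD)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Test-ServiceControlByUsers -Sddl $SampleSddl | Format-Table -AutoSize

# On a device where the app ran, check the live descriptor and recent restarts instead:
# Test-ServiceControlByUsers -Sddl (Get-ServiceSddl -Name IntuneManagementExtension)
# Get-ServiceStateChange -DisplayName (Get-Service IntuneManagementExtension).DisplayName
```

Running the sample prints one row, Everyone with QueryStatus, EnumerateDependents, Start and Stop, which is the ACE the Win32 app adds. Running the live check across the fleet (for every service, not only this one) is the cheapest way to confirm the change landed where intended and nowhere else.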

Conclusion:

I guess the puzzle is almost complete now: we have options to let end users install apps on their own, install printers on their own, and now we can also let end users restart some services if needed. And best of all, these actions can be performed without local admin permissions.

Of course, maybe the Intune management service is not the best example… but you could use it for any service you like.
