Managing Windows Services with Remote PowerShell on Windows Server 2019
Learn how to manage Windows services like SQL Browser remotely using PowerShell 7 in a .NET Core application running on IIS. This guide provides step-by-step instructions and troubleshooting tips.
---
This video is based on the question https://stackoverflow.com/q/77115683/ asked by the user 'Jack McCauley' ( https://stackoverflow.com/u/7049520/ ) and on the answer https://stackoverflow.com/a/77169135/ provided by the user 'halfer' ( https://stackoverflow.com/u/472495/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Managing Windows Services with Remote powershell - Windows Server 2019 Datacenter Edition
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/licensing
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/by-sa/4.0/ ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/by-sa/4.0/ ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Managing Windows Services with Remote PowerShell on Windows Server 2019
If you are working with Windows Server configurations, you might find yourself needing to manage services on a remote server. Particularly, users running .NET applications via IIS may encounter challenges in accessing and controlling necessary services, such as SQL Browser, due to permission restrictions. In this guide, we will explore a common issue related to managing Windows services with remote PowerShell, specifically focusing on managing the SQL Browser service using a domain user account.
The Problem
Context
You are running a .NET Core 6 application hosted on IIS, where the application pool uses a specific domain user account (domain.local\service-mgr-svc) to operate. The challenge arises when attempting to remotely start, stop, or restart the SQLBrowser service on a remote SQL Server instance using PowerShell commands.
The Challenge
When the user account is made a member of the local administrators group on the remote server, everything works fine. However, removing this elevated permission leads to an error indicating that the service cannot be found. The frequent errors encountered are:
Cannot find any service with the service name "SQL Browser"
Might need elevated permissions when using the Get-Service command
Despite various troubleshooting efforts, including Group Policy Object (GPO) adjustments and WMI permissions settings, the issue persisted, calling for a more robust solution.
The Solution: Utilizing SubInACL and SC.exe
After exploring various options, the solution involved using SubInACL.exe, a powerful utility that simplifies management of permissions for services, user accounts, and more. Below, we will guide you through the steps taken to resolve the permission issue effectively.
Step 1: Grant Permissions on SQLBrowser Service
Using SubInACL.exe, permissions were granted to the service as follows:
[[See Video to Reveal this Text or Code Snippet]]
This command allowed the specified user account the necessary permissions to manipulate the SQL Browser service.
Step 2: Automating Permissions with PowerShell
To streamline the process and ensure that correct permissions are set every time, a script was created using sc.exe. This script not only checks current permissions but also appends necessary permissions for the user. Here’s a simplified version of the script:
[[See Video to Reveal this Text or Code Snippet]]
Step 3: Set Permissions for Service Control Manager (SCM)
Similarly, permissions for the Service Control Manager were modified, allowing the user account to manage services successfully:
[[See Video to Reveal this Text or Code Snippet]]
Final Considerations
While this solution has proven effective, the script may not behave correctly if the existing permissions do not match the values it expects. Adding logic that parses the current security descriptor, for example with the ConvertFrom-SddlString cmdlet in PowerShell, lets the script assess the permissions accurately before changing them.
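The check-then-append procedure from Steps 2 and 3, with the descriptor parsed rather than string-matched as Final Considerations suggests, sketched as an added example (not the script from the original answer). It uses the .NET RawSecurityDescriptor class in place of ConvertFrom-SddlString; the function name Grant-ScAce and the access masks are assumptions chosen to grant query/start/stop rights only.

```powershell
# Added example, not the script from the original answer. Account and service
# names come from the page; the access masks below are assumed choices.
function Grant-ScAce {
    param(
        [Parameter(Mandatory)][string]$Target,   # service name, or 'scmanager' for the SCM
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][int]$Mask,
        [switch]$Apply                           # without -Apply, only report the change
    )
    # SDDL ACEs carry SIDs, so resolve the account name first.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # sc.exe prints a blank line before the descriptor; keep the non-empty line.
    $sddl = & sc.exe sdshow $Target | Where-Object { $_.Trim() } | Select-Object -Last 1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Target failed: $sddl" }

    # Parse the descriptor so ACEs are compared by SID and access mask,
    # whatever order or notation the existing SDDL string uses.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $granted = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq 'AccessAllowed' -and
        $_.SecurityIdentifier.Value -eq $sid.Value -and
        ($_.AccessMask -band $Mask) -eq $Mask
    }
    if ($granted) { return "${Target}: $Account already holds the requested rights" }

    # Append one allow ACE; existing ACEs are left untouched.
    $ace = [System.Security.AccessControl.CommonAce]::new('None', 'AccessAllowed', $Mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $new = $sd.GetSddlForm('All')
    if (-not $Apply) { return [pscustomobject]@{ Target = $Target; Current = $sddl; Proposed = $new } }

    & sc.exe sdset $Target $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $Target failed with exit code $LASTEXITCODE" }
    "${Target}: ACE added for $Account"
}

# Service rights: query config/status, enumerate dependents, start, stop, interrogate, read control.
$svcMask = 0x1 -bor 0x4 -bor 0x8 -bor 0x10 -bor 0x20 -bor 0x80 -bor 0x20000
# SCM rights: connect, enumerate services, read control.
$scmMask = 0x1 -bor 0x4 -bor 0x20000

Grant-ScAce -Target 'SQLBrowser' -Account 'domain.local\service-mgr-svc' -Mask $svcMask
Grant-ScAce -Target 'scmanager'  -Account 'domain.local\service-mgr-svc' -Mask $scmMask
```

Run it from an elevated session on the server that hosts the service; the two calls above only report the current and proposed descriptors, and adding -Apply writes the change.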
Conclusion
Managing Windows services with remote PowerShell can be challenging, especially when dealing with service permissions. By utilizing tools like SubInACL and sc.exe, you can effectively manage service permissions, ensuring your applications can interact with necessary services without exceptions. Remember to test any scripts in a controlled environment before deploying them to production servers.
This comprehensive guide should help you address similar challenges in your own environment, streamlining the process of managing Windows services remotely.
Video "Managing Windows Services with Remote PowerShell on Windows Server 2019" from the vlogize channel
Video information
8 April 2025, 0:17:44
00:02:04