[SOLVED] Controlling Windows services via group policy, maybe?

whuppins

Help me be a mini-network admin here for a second. I want to enable a certain Windows service on all machines on our Server 2003 network. It appears on the list of services for all machines, but its startup type is Manual or Disabled (I can't remember which and I can't check at the moment). All I want to do is change it to Automatic so the service starts automatically when Windows boots up. I want to do this without physically going around to each machine and changing the setting myself. Is this the kind of thing that can be changed via group policy or otherwise 'pushed' down to all the machines on the network? I apologize for knowing basically nothing about how Server 2003 works.

PirateJon

You can't do it via GP without some serious tweaking. Basically you can either setup a login script that makes the change in the regstry, or use a remote tool like PsServices or SC.

PsServices is probably the friendlier of the two. http://technet.microsoft.com/en-us/sysinternals/bb897542.aspx

As long as you have admin credentials on the remote box, run this line:
psservice \\computer setconfig service auto


Also - you can manage services on remote machines with either the computer managment or services MMC. No need to get up from your comfy chair.

embrik

Which service? I think a few have corresponding GPO entries. Otherwise, you'll just need to craft an adm file to enable it (it's gonna be a HKLM regkey change).

Here's an ADM I use to forcefully enable the Windows Firewall service:

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameDomainfirewallsvc
KEYNAME "SYSTEM\CurrentControlSet\Services\SharedAccess"
EXPLAIN !!explaintextDomainfirewallsvc
PART !!labeltextDomainfirewallsvc DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Enabled VALUE NUMERIC 2 DEFAULT
NAME !!Disabled VALUE NUMERIC 3
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Windows Domain Firewall Settings"
categoryname="Domain Firewall State"
policynameDomainfirewallsvc="Enable the Domain Firewall Service"
explaintextDomainfirewallsvc="Enables the Domain firewall service in the registry. \n\nSelect the ENABLED radiobox, then select Start in the drop-down list to enable."
labeltextDomainfirewallsvc="Domain Firewall Service status"
Enabled="Started"
Disabled="Stopped"

Basically, you create a text file, name it whatever.adm, and import it into your policy. This is a machine policy, not a user policy, so right-click on Administrative Templates under "Computer Configuration", and choose Add/Remove templates. After importing it, if you're not running Vista, you'll need to change the filter to show "policies that are not fully managed".

3lwap0

whuppins wrote: »

Help me be a mini-network admin here for a second. I want to enable a certain Windows service on all machines on our Server 2003 network. It appears on the list of services for all machines, but its startup type is Manual or Disabled (I can't remember which and I can't check at the moment). All I want to do is change it to Automatic so the service starts automatically when Windows boots up. I want to do this without physically going around to each machine and changing the setting myself. Is this the kind of thing that can be changed via group policy or otherwise 'pushed' down to all the machines on the network? I apologize for knowing basically nothing about how Server 2003 works.

I think embrik, and PirateJon hit on some good ways, but to throw in my two cents, you should be able to control any service on any machine on your network via GPO. With a Group Policy, you can configure the Startup Type and the ACL of the service in question. When at the GPO MMC, just go under Security>Services - and edit. It's easy if every machine has to have the policy, but you might find it more beneficial to link to to your domain client level, least you catch your servers inadvertently - that is, group your clients into one OU, and assign that GPO to that OU, as opposed to your domain. I often find that servers and clients need different services, and it's easy to catch some up accidentally. Also, a thought - create a new GPO, rather than modify an existing one - if you by any chance mess up, and it's service related, then you know what GPO is the culprit. You can diagnose these things easier these days with RSoP and such, but for me at least, it makes things a smidge bit easier.

embrik

3lwap0 wrote: »

whuppins wrote: »

Help me be a mini-network admin here for a second. I want to enable a certain Windows service on all machines on our Server 2003 network. It appears on the list of services for all machines, but its startup type is Manual or Disabled (I can't remember which and I can't check at the moment). All I want to do is change it to Automatic so the service starts automatically when Windows boots up. I want to do this without physically going around to each machine and changing the setting myself. Is this the kind of thing that can be changed via group policy or otherwise 'pushed' down to all the machines on the network? I apologize for knowing basically nothing about how Server 2003 works.

I think embrik, and PirateJon hit on some good ways, but to throw in my two cents, you should be able to control any service on any machine on your network via GPO. With a Group Policy, you can configure the Startup Type and the ACL of the service in question. When at the GPO MMC, just go under Security>Services - and edit. It's easy if every machine has to have the policy, but you might find it more beneficial to link to to your domain client level, least you catch your servers inadvertently - that is, group your clients into one OU, and assign that GPO to that OU, as opposed to your domain. I often find that servers and clients need different services, and it's easy to catch some up accidentally. Also, a thought - create a new GPO, rather than modify an existing one - if you by any chance mess up, and it's service related, then you know what GPO is the culprit. You can diagnose these things easier these days with RSoP and such, but for me at least, it makes things a smidge bit easier.

Holy crap, how on earth did I miss that one? I've been working w/ GPOs for quite a while now, and I never ventured that far in?! Anyway, this works for almost every case. The only time it wouldn't is if it's a service installed by an application, etc, that isn't part of a standard Windows build. In that case, my solution would work fine, otherwise, try it out 3lwap0's way.

It's also a good suggestion to start a new policy object for this. You can also test it by removing the "Authenticated Users" from the security filtering and adding individual computers until you're sure it works like you want.

3lwap0

embrik wrote: »

3lwap0 wrote: »

whuppins wrote: »

Help me be a mini-network admin here for a second. I want to enable a certain Windows service on all machines on our Server 2003 network. It appears on the list of services for all machines, but its startup type is Manual or Disabled (I can't remember which and I can't check at the moment). All I want to do is change it to Automatic so the service starts automatically when Windows boots up. I want to do this without physically going around to each machine and changing the setting myself. Is this the kind of thing that can be changed via group policy or otherwise 'pushed' down to all the machines on the network? I apologize for knowing basically nothing about how Server 2003 works.

I think embrik, and PirateJon hit on some good ways, but to throw in my two cents, you should be able to control any service on any machine on your network via GPO. With a Group Policy, you can configure the Startup Type and the ACL of the service in question. When at the GPO MMC, just go under Security>Services - and edit. It's easy if every machine has to have the policy, but you might find it more beneficial to link to to your domain client level, least you catch your servers inadvertently - that is, group your clients into one OU, and assign that GPO to that OU, as opposed to your domain. I often find that servers and clients need different services, and it's easy to catch some up accidentally. Also, a thought - create a new GPO, rather than modify an existing one - if you by any chance mess up, and it's service related, then you know what GPO is the culprit. You can diagnose these things easier these days with RSoP and such, but for me at least, it makes things a smidge bit easier.

Holy crap, how on earth did I miss that one? I've been working w/ GPOs for quite a while now, and I never ventured that far in?! Anyway, this works for almost every case. The only time it wouldn't is if it's a service installed by an application, etc, that isn't part of a standard Windows build. In that case, my solution would work fine, otherwise, try it out 3lwap0's way.

It's also a good suggestion to start a new policy object for this. You can also test it by removing the "Authenticated Users" from the security filtering and adding individual computers until you're sure it works like you want.

Actually, if you want to specify certain services to run at certain levels (Applications for instance), you can use PolicyMaker Standard Edition - it lets you configure the service account for the services, something you can't do with a standard GPO. I know the guys who made PolicyMaker got bought out by MS, and they incorporated a lot of that stuff in '08, but I think it's still around.

whuppins

Thanks for the abundance of useful info, all. Problem solved.