Services are programs that are configured to run in the background of a Windows computer weather or not there is a users that is logged on. They are essential part of windows and are essential to the operation of any windows computers. Without services computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vita task for IT administrators.
Quite often disabling services on a computer is the best way to reduce the security surface of a computer or to improve performance by turning off un-used components of the OS. Inversely it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.
Below I will go through the two ways you can control services in windows by using Group Policy each ways has its own advantages and/disadvantages but together you can pretty much control any system service the way you want.
In the examples below I am going to show you how to enable the “Applications Identification†service that is required to be enabled to make AppLocker work in Windows 7. If you want to learn more about AppLocker then check out my other post
Using Group Policy to configured a Service
Even since Group Policy was introduced to Windows 2000 you have been able to configured some aspects of services using native group policy.
Now that you can control service using Group Policy Preference there are only two reason that you will still want to use this method.
- You want to control services on Windows 2000 or a computer that does not have the client side extensions installed.
- You want to configure the security so that non-administrators can start,stop and pause the service.
Step 1. Edit a computer Group Policy Object that is targeted at the computer that you want to configure
Step 2. Select the services that you want to configure.
Note: If the service that you want to configure is not present in the list you will need to install GPMC on a computer that has the service running. This is a painful restriction of controlling services this way and
Step 3. From the menu click on Action > Properties then tick “Define this policy setting†and then configured the service startup mode to what you want it configured.
Step 4. If you click on the “Edit Security…†button you can also configured who has control over the service. This would be useful if you want to give end users the ability to start and stop specific services. Tip: Tick “Start, stop and pause†for INTERACTIVE if you want the logged on user to control the services.
Now that you have configured the services via group policy you will need to reboot the computer for the new startup mode to take affect. This means if you are disabling a service then it will not stop until your next reboot which could be may days, weeks or even months after you made the policy change.
Using Group Policy Preferences to configure a Service
The newer and almost always better way to configure service now is to you the Group Policy Preference Services options. As opposed to the native method which only allowed you to control the startup and security of service, preference now allows you much greater control.
The only reasons you would not want to use Group Policy Preference to control services are:
- You need to configured the startup mode of a service on a computer running Windows 2000 or one that is not running the client side extensions.
- You want to be able to configured the security to allow non-admin to start, stop or pause the service.
Always remember that when you do configure a service startup mode using the native method that this will take precedence over Group Policy Preferences and you can use the security options in conjunction with preferences.
Step 1. Edit a computer Group Policy Object that is targeted to the computers that you want to control the service.
Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services
Step 3. In the menu click on Action > New > Service and now click on the “…†button next to the Service Name field.
Note: From here you can either type in the service name in the “Service Name†field or click on the “…†button to chose the service from a predefined list of services.
Step 4. Select the service name that you want to configured and then click “Selectâ€
Step 5. Now you can configure the Startup mode from the Startup mode drop down box and you can configure a service action.
Service Action will take place each time there is a group policy refresh so that you do not need to wait for the computer to reboot for the latest startup mode to take affect. This can also be handy to configure if you want a service to start if it crashes or if you have a pesky service that requires restarting on a regular basis to keep running properly.
Step 6. Click on the “Recovery†tab to configure the recovery options of the service as you would configure in the service control panel.
Step 7. As this is a preference you can also configure the standard “Common†options from such as item level targeting which will allow you to granularly control what computer you target this setting.
As you can see with the combination of Group Policy Preferences and the native policies there is nothing you cant configure to your system services… Enjoy
Blog Post: How to use Group Policy to control Services http://bit.ly/aKNrGJ
RT @grouppolicy_biz: Blog Post: How to use Group Policy to control Services http://bit.ly/aKNrGJ
RT @alanburchill How to use Group Policy to control Services http://bit.ly/b5Z47d
Blog Post: How to use Group Policy to control Services http://bit.ly/aKNrGJ
RT @alanburchill Blog Post: How to use Group Policy to control Services http://bit.ly/aKNrGJ
RT @xenappblog: RT @alanburchill How to use Group Policy to control Services http://bit.ly/b5Z47d
RT @alanburchill: Blog Post: How to use Group Policy to control Services http://bit.ly/aKNrGJ
Holy typos, Batman! Wow! Didn’t anybody proofread this before posting?
First sentence: “weather or not” and “there is a users”. It gets worse from there.
Other than the fact that it’s almost unreadable, it’s pretty good. (Other than that, Mrs. Lincoln, how was the play?)
No… Its just me…. I know there is a lot of typo’s in my work that is why i like to have a lot of pictures…
Ok so, I cant find a place to disable the “parental controls” service in group policy. I found a spot that hides the parental controls in a domain but nothing that disables the service. Any ideas?
Please use the method that I’ve listed below to add the service into your policy.
“Note: If the service that you want to configure is not present in the list you will need to install GPMC on a computer that has the service running. ”
This is not true. You can use the Security Templates MMC snap-in to create a custom template file from the computer that you wish to get the service from. You then import this INF file into your GPO and voila!
Great tip!
Unfortunately this only works for services that already exist on the server. Services that only exist on the client are ignored with the .INF export/import method.
Correction… it DOES work. I wasn’t looking far enough down the list of services.
They are indeed added to the list on GPO:
Domain Policy>Computer Configuration>Policies>Windows Settings> Security Settings>System Services
Thanks for the tip, Travis. That came in handy.
You cannot use This account any more due to Microsoft removing in for security reason (insecure password storage). Therefore, password fields are disabled and their workaround is a laugh as one cannot change settings that don’t exist in Computer Settings > Policies> Windows Settings > Security Settings> System Services. B**llocks!
Great post. I really helped me out getting AppIDSvc set to automatic by GPO. I can’t believe there are negative posts above. Lame. Thanks so much for posting this up!
Great! Thank You!
Great way to permanently disable Interactive Services Detection which displays an annoying pop up for spoolsv on many of our Windows 7 machines!
I need to turn on Windows Defender via Group Policy
One item this article does not touch on: setting Log On As.
We found that if you inadvertently set a service to log on as Local System Account, but the account requires to be running under one of the other built-in security principals that has Windows managed credentials, example Network Service, it doesn’t seem to work to have the GPO set the account back.
The GPO does set the account, but the password is not reset so the service still won’t run.
Still applicable in 2018! Thank you.
Hi, I am trying to work out how to apply dependencies to a service via Group Policy, Do you know if this is possible? My Googling has come up blank…