When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the rights to stop, start and pause a service while not being able to change the parameters on the server, and most of all, without being a local admin of that server.
To do that, you create a new Group Policy, and under Computer configuration, you find the System Services section. Then you select your spooler service, you set its startup mode to automatic, and you specify the rights.
Now, the problem is that the default rights the GPMC console shows you are NOT aligned with the actual defaults of Windows!
Here you can see, on the left, what GPMC is proposing and, on the right, the default Windows 2003 settings.
Now, it is probably a very good thing to remove Power Users. The print spooler might be perfectly fine with what GPMC wants you to use + your own customizations.
However, it is very important to make sure that any service that depends on this service is able to read it! For example, if only administrators can read the service, and you have a Fax server that depends on the Print Spooler, it will not be able to start unless the service account it uses is part of Administrators!
Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems.
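An added example, not part of the original post: a PowerShell check for the dependency problem described above. It parses a service's SDDL, shows which trustees hold the full read set, and lists the services that depend on the Spooler with their logon accounts. The function name `Get-ServiceReaders`, the sample SDDL and the choice of "read" as the generic-read mapping for services are assumptions, and it expects a server with PowerShell 3 or later.

```powershell
# Added example: who can read a service, and which accounts its dependents run as.
# "Read" is assumed to mean the generic-read mapping for services (winsvc.h bits):
# QUERY_CONFIG 0x1, QUERY_STATUS 0x4, ENUMERATE_DEPENDENTS 0x8, INTERROGATE 0x80,
# READ_CONTROL 0x20000.
$ReadMask = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0080 -bor 0x20000

function Get-ServiceReaders {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs are reported; deny ACEs and generic bits (GR/GA) are not expanded.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee = $name
            Mask    = '0x{0:X}' -f $ace.AccessMask
            CanRead = (($ace.AccessMask -band $ReadMask) -eq $ReadMask)
        }
    }
}

# Constructed sample of an over-hardened ACL: only SYSTEM and Administrators are listed,
# so a dependent service running under any other account cannot read this service.
$hardened = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
Get-ServiceReaders -Sddl $hardened | Format-Table -AutoSize

# On a live server: read the effective ACL of the Spooler after the GPO has applied.
$live = (sc.exe sdshow Spooler | Where-Object { $_ }) -join ''
Get-ServiceReaders -Sddl $live | Format-Table -AutoSize

# List the services that depend on the Spooler and the account each one logs on as.
# Each of those accounts must match, or be a member of, a trustee with CanRead = True.
Get-Service -Name Spooler -DependentServices | ForEach-Object {
    Get-CimInstance Win32_Service -Filter "Name='$($_.Name)'" |
        Select-Object Name, StartName
}
```

Group membership is not resolved here, so compare each `StartName` against the readers by hand, remembering groups such as Authenticated Users.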


