Some services on a server or workstation need to have restricted access due to business reasons or security concerns, but an Administration Group needs access to be able to restart some services on the same host.
By default, Active Roles can only delegate access to all services. The following steps will interrupt the operation if a delegated Administration Group attempts to manipulate a restricted service.
Administration Templates related to Services are applied to a computer object, and not a service object. This means that it is not possible to control access to individual services via an Administration Template alone.
It is possible to create a Workflow which listens to changes to objects of edsService and can allow or deny these changes as desired.
We now have a Workflow which listens to changes to these particular attributes and which will trigger if they are modified. The Workflow target is the edsService object.
We can now drag-and-drop an If-Else basic activity into the body of the Workflow above the Operation Execution.
NOTE: If-Else branches are processed left to right.
We can query the Distinguished Name (dn) of the Workflow target in order to determine what we want to allow or deny.
The Distinguished Name of one or more edsService objects will be in the following format:
ex: The IIS Service on the host called WebServer in the Contoso Domain would have a dn of CN=IISADMIN,CN=Services,CN=WEBSERVER$,CN=CONTOSO,CN=Network
Enhancement Request 723151 has been created to integrate this functionality into the product to be controlled via an Access Template.