In Access Denied, "Setting Permissions on Win2K Services," February 2002, InstantDoc ID 23963, you explained how to use Group Policy to control system services (e.g., disable a service or specify who has start or stop permission for a specific service) for a set of computers. I'm trying to do something a little different. I want to specify permissions for the print spooler service on one of my two domain controllers (DCs). I don't want to modify the Default Domain Controller Policy because my other DC doesn't run the print spooler service. Instead, I'd like to manually specify permissions for the print spooler service on just one DC. Is that possible?
There are two ways to solve your problem. You can create either a Group Policy Object (GPO) or a security template and apply it to just the DC that runs the print spooler. I'll describe the latter approach first.
To start, open the Microsoft Management Console (MMC) Security Templates snap-in and create a new security template named PrintSpooler.inf. Select the System Services folder in your new template and find the Print Spooler service. (You must edit the template on a computer on which the service is installed.) Double-click Print Spooler and select the Define this policy setting in the template check box, then specify the startup mode—for Print Spooler, you'll probably want to select the Automatic startup mode so that print services are always available. Next, click Edit Security to view the permissions for the Print Spooler service and adjust them so that the appropriate users can start and stop the service and perform other necessary operations. Click OK twice to close the dialog boxes. Right-click the PrintSpooler template in the treeview pane of the Security Templates snap-in and select Save. Make sure the PrintSpooler.inf file is in a folder that's accessible from your DC.
Now, log on to your DC and open the MMC Security Configuration and Analysis snap-in. The first step in applying this template is kind of quirky—you must create a new security database, then import the template. (The database lets you import multiple templates in sequence, then apply a composite of their settings.) Right-click the Security Configuration and Analysis snap-in in the treeview pane and select Open. Enter a name for the new database, such as PrintSpooler, and click Open. You'll be prompted for a security template to import. Specify the PrintSpooler.inf file you created earlier and click Open. After the snap-in imports the template, you can right-click the Security Configuration and Analysis folder in the treeview pane and select Configure system now. Because the template defined only one setting, the snap-in will quickly process your database, and you'll be finished. Because you're using a security template to modify the system's local configuration, be aware that if for some reason the permissions on the Print Spooler service are ever changed, you'll have to reapply the template.
Alternatively, you can use Group Policy so that the permissions you specify will remain in effect and be reapplied each time the system refreshes Group Policy. Create a GPO and link it to the Domain Controllers organizational unit (OU). To apply the GPO to just one DC, open the GPO's properties and select the Security tab. Remove the Apply Group Policy permission from Authenticated Users. Then, add an entry that grants Read and Apply Group Policy permissions to the DC that runs the Print Spooler service. The settings you define in the GPO will apply to just that DC. Finally, edit the GPO and configure the PrintSpooler service as I described earlier.