The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Easiest way to grant/query “Log on as a service” to a Windows user from the command-line? (my question on Super User)

Posted by jpluimers on 2014/04/28

I want to script an install where a service needs to be run as a user. I want to be able to specify the user.

Creating the user is easy through the [Wayback/Archive] NET USER /ADD command.

Specifying the user for the service can also be done: the [Wayback/Archive] SC CONFIG command [Wayback/Archive] allows this (thanks [Wayback/Archive] wmz and [Wayback/Archive] ofiris).

Now the missing link: granting the user the [Wayback/Archive] “Log on as a service” privilege as a [Wayback/Archive] logon right (SeServiceLogonRight). Is there a command for this? Or a simple script for PowerShell?

(I know only Local Service can do this out of the box, and [Wayback/Archive] no other accounts by default are, but I want to have control over the account and what other privileges that account has).

Edit: solved. Thanks [Wayback/Archive] Mathias R. Jessen.

Here is the solution, including a few comments.

The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.

ntrights +r SeServiceLogonRight -u jeroen -m \\%COMPUTERNAME%

I changed the command-line a bit:

ntrights +r SeServiceLogonRight -u %USERNAME% -m \\%COMPUTERNAME%

Note that

whoami /all

doesn’t show any change (not even after a reboot; it does not matter whether you run it with or without a UAC token).

secpol.msc

does show the change however, and does not require UAC (follow the tree to “Security Settings -> Local Policies -> User Rights Management -> Log on as a service” to see the users having the permission).

–jeroen

via: [Wayback/Archive] Easiest way to grant “Log on as a service” to a Windows user from the command-line? – Super User.

PS: Later I found out it is way easier to query the right:

accesschk.exe /accepteula -q -a SeServiceLogonRight

It will list the users having that right, for instance:

        IIS APPPOOL\Classic .NET AppPool
        NT SERVICE\ALL SERVICES
        VCS-CI\ContinuaCI

There are similar rights one might want to query:

SeBatchLogonRight
SeDenyBatchLogonRight
SeInteractiveLogonRight
SeDenyInteractiveLogonRight
SeServiceLogonRight
SeDenyServiceLogonRight
SeNetworkLogonRight
SeDenyNetworkLogonRight

Thanks [Wayback/Archive] twasbrillig for explaining that as an answer to [Wayback/Archive] powershell – How to view user privileges using windows cmd? – Stack Overflow
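An added example, not part of the original post or the Super User answers: a PowerShell audit of all eight logon rights listed above in one pass, for machines where neither ntrights.exe nor accesschk.exe is installed. It reads the same local policy that secpol.msc shows by exporting it with secedit.exe, which ships with Windows. It assumes an elevated prompt; the function names Resolve-Principal and Get-LogonRight are made up for this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$LogonRights = 'SeBatchLogonRight', 'SeDenyBatchLogonRight',
               'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeServiceLogonRight', 'SeDenyServiceLogonRight',
               'SeNetworkLogonRight', 'SeDenyNetworkLogonRight'

# Hypothetical helper: secedit writes most holders as "*S-1-5-..." SIDs and
# some as plain account names; turn the SIDs into DOMAIN\name where possible.
function Resolve-Principal([string]$Entry) {
    if (-not $Entry.StartsWith('*S-')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned SID: the account was deleted or its domain is unreachable.
        "$sid (unresolved)"
    }
}

# Hypothetical helper: export the user-rights area of the local security
# policy and report the holders of each requested logon right.
function Get-LogonRight {
    param([string[]]$Name = $LogonRights)
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        # Export lines look like: SeServiceLogonRight = *S-1-5-80-0,jeroen
        $found = @{}
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -cmatch '^\s*(Se\w+)\s*=\s*(.*)$') {
                $found[$Matches[1]] = $Matches[2].Split(',').Trim()
            }
        }
        foreach ($right in $Name) {
            # A right with no line in the export yields an empty Holders column.
            $holders = @($found[$right] | Where-Object { $_ } |
                         ForEach-Object { Resolve-Principal $_ })
            [pscustomobject]@{ Right = $right; Holders = $holders -join '; ' }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-LogonRight | Format-Table -AutoSize -Wrap
```

To check a single right after running the ntrights command, call Get-LogonRight -Name SeServiceLogonRight. Entries marked "(unresolved)" are worth reviewing, since they are grants left behind for accounts that no longer resolve.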
