The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

    • RT @lucpluijmen76: Zorgeconoom die meewerkte aan voorbereiden en instandhouden van het zorgstelsel, dat fundamenteel gebaseerd is op wantro… 3 minutes ago
    • RT @JacquelineAvun: KLM had in 2022 helemaal geen gebruik moeten maken van de NOW-regeling, KLM had die NOW-subsidie nl helemaal niet nodig… 12 minutes ago
    • RT @Unusual_Times: There are people on here I've developed a genuine fondness for over time. So i say this from the heart. Try your best no… 13 minutes ago
    • RT @timsneath: Microsoft has created so many UI frameworks: Blazor, Razor, .NET MAUI / Xamarin Native / Xamarin Forms, WinUI3, UWP, Win32,… 18 minutes ago
    • RT @IanColdwater: just reviewed a resume from a very junior dev, and I've been on both sides of this now: it's common for people trying to… 20 minutes ago
  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,180 other subscribers

Easiest way to grant/query “Log on as a service” to a Windows user from the command-line? (my question on Super User)

Posted by jpluimers on 2014/04/28

I want to script an install where a service needs to be run as a user. I want to be able to specify the user.

Creating the user is easy through the [Wayback/Archive] NET USER /ADD command.

Specifying the user for the service can also be done: the [Wayback/ArchiveSC CONFIG command [Wayback/Archiveallows this (thanks [Wayback/Archive] wmz and [Wayback/Archive] ofiris).

Now the missing link: granting the user the [Wayback/Archive] “Log on as a service” privilege as a [Wayback/Archivelogon right (SeServiceLogonRight). Is there a command for this? Or a simple script for PowerShell?

(I know only Local Service can do this out of the box, and [Wayback/Archiveno other accounts by default are, but I want to have control over the account and what other privileges that account has).

Edit: solved. Thanks [Wayback/Archive] Mathias R. Jessen.

Here is the solution, including a few comments.

The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.

ntrights +r SeServiceLogonRight -u jeroen -m \%COMPUTERNAME%

I changed the command-line a bit:

ntrights +r SeServiceLogonRight -u %USERNAME% -m \%COMPUTERNAME%

Note that

whoami /all

doesn’t show any change (not even after a reboot, it does not matter if you run it with or without UAC token).


does show the change however, and does not require UAC (follow the tree to “Security Settings -> Local Policies -> User Rights Management -> Log on as a service” to see the users having the permission).


via: [Wayback/Archive] Easiest way to grant “Log on as a service” to a Windows user from the command-line? – Super User.

PS: Later I found out it is way easier to query the right:

accesschk.exe /accepteula -q -a SeServiceLogonRight

It will list the users having that right, for instance:

        IIS APPPOOLClassic .NET AppPool

There are similar rights one might want to query:


Thanks [Wayback/Archivetwasbrillig for explaining that at as answer to [Wayback/Archivepowershell – How to view user privileges using windows cmd? – Stack Overflow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: