The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming

    20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now

    20140424-Windows-7-free-disk-space

    More Photos
  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,749 other followers

Easiest way to grant/query “Log on as a service” to a Windows user from the command-line? (my question on Super User)

Posted by jpluimers on 2014/04/28

I want to script an install where a service needs to be run as a user. I want to be able to specify the user.

Creating the user is easy through the NET USER /ADD command.

Specifying the user for the service can also be done: the SC CONFIG command allows this.

Now the missing link: granting the user the “Log on as a service” privilege as a logon right (SeServiceLogonRight). Is there a command for this? Or a simple script for PowerShell?

(I know only Local Service can do this out of the box, and no other accounts by default are, but I want to have control over the account and what other privileges that account has).

Edit: solved. Thanks Mathias R. Jessen.

Here is the solution, including a few comments.

The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.

ntrights +r SeServiceLogonRight -u jeroen -m \\%COMPUTERNAME%

I changed the command-line a bit:

ntrights +r SeServiceLogonRight -u %USERNAME% -m \\%COMPUTERNAME%

Note that

whoami /all

doesn’t show any change (not even after a reboot, it does not matter if you run it with or without UAC token).

secpol.msc

does show the change however, and does not require UAC (follow the tree to “Security Settings -> Local Policies -> User Rights Management -> Log on as a service” to see the users having the permission).

–jeroen

via: Easiest way to grant “Log on as a service” to a Windows user from the command-line? – Super User.

PS: Later I found out it is way easier to query the right:

accesschk.exe /accepteula -q -a SeServiceLogonRight

It will list the users having that right, for instance:

        IIS APPPOOL\Classic .NET AppPool
        NT SERVICE\ALL SERVICES
        VCS-CI\ContinuaCI>/pre>

Thanks twasbrillig for explaining that at as answer to powershell – How to view user privileges using windows cmd? – Stack Overflow

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: