Easiest way to grant/query “Log on as a service” to a Windows user from the command-line? (my question on Super User)
Posted by jpluimers on 2014/04/28
I want to script an install where a service needs to be run as a user. I want to be able to specify the user.
Creating the user is easy through the
NET USER /ADD command.
(I know only Local Service can do this out of the box, and no other accounts by default are, but I want to have control over the account and what other privileges that account has).
Edit: solved. Thanks Mathias R. Jessen.
Here is the solution, including a few comments.
The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.ntrights +r SeServiceLogonRight -u jeroen -m \\%COMPUTERNAME%
I changed the command-line a bit:
ntrights +r SeServiceLogonRight -u %USERNAME% -m \\%COMPUTERNAME%
doesn’t show any change (not even after a reboot, it does not matter if you run it with or without UAC token).
does show the change however, and does not require UAC (follow the tree to “Security Settings -> Local Policies -> User Rights Management -> Log on as a service” to see the users having the permission).
PS: Later I found out it is way easier to query the right:
accesschk.exe /accepteula -q -a SeServiceLogonRight
It will list the users having that right, for instance:
IIS APPPOOL\Classic .NET AppPool NT SERVICE\ALL SERVICES VCS-CI\ContinuaCI>/pre>
Thanks twasbrillig for explaining that at as answer to powershell – How to view user privileges using windows cmd? – Stack Overflow