The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,466 other followers

Easiest way to grant/query “Log on as a service” to a Windows user from the command-line? (my question on Super User)

Posted by jpluimers on 2014/04/28

I want to script an install where a service needs to be run as a user. I want to be able to specify the user.

Creating the user is easy through the NET USER /ADD command.

Specifying the user for the service can also be done: the SC CONFIG command allows this.

Now the missing link: granting the user the “Log on as a service” privilege as a logon right (SeServiceLogonRight). Is there a command for this? Or a simple script for PowerShell?

(I know only Local Service can do this out of the box, and no other accounts by default are, but I want to have control over the account and what other privileges that account has).

Edit: solved. Thanks Mathias R. Jessen.

Here is the solution, including a few comments.

The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.

ntrights +r SeServiceLogonRight -u jeroen -m \\%COMPUTERNAME%

I changed the command-line a bit:

ntrights +r SeServiceLogonRight -u %USERNAME% -m \\%COMPUTERNAME%

Note that

whoami /all

doesn’t show any change (not even after a reboot, it does not matter if you run it with or without UAC token).


does show the change however, and does not require UAC (follow the tree to “Security Settings -> Local Policies -> User Rights Management -> Log on as a service” to see the users having the permission).


via: Easiest way to grant “Log on as a service” to a Windows user from the command-line? – Super User.

PS: Later I found out it is way easier to query the right:

accesschk.exe /accepteula -q -a SeServiceLogonRight

It will list the users having that right, for instance:

        IIS APPPOOL\Classic .NET AppPool

Thanks twasbrillig for explaining that at as answer to powershell – How to view user privileges using windows cmd? – Stack Overflow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: