none
vbscript to give user logon as service right

    Question

  • I want to create a script for particular user to have the right to logon as a service.

     

    Any ideas?

    Tuesday, January 17, 2012 4:46 PM

Answers

  • I want to create a script for particular user to have the right to logon as a service.

     

    Any ideas?


    We generally don't do this with a script.  There are no facilites in scripting to grant rights to accounts.  We usually use Group Policy nd assign the right to a group.  Users placed in the group will have advanced rights.

    There is also a utility that can alter a user directly.

    This set of rights can be granted per-machine only and has to be repearted for every machine that runs a service under this user account.

    For the utility see: http://support.microsoft.com/kb/279664

    Post any issues with this to the Windows Server Forum.

     


    jv
    Tuesday, January 17, 2012 7:27 PM

All replies

  • Hi,

    Why?

    Bill

    Tuesday, January 17, 2012 4:52 PM
  • I want to create a script for particular user to have the right to logon as a service.

     

    Any ideas?


    We generally don't do this with a script.  There are no facilites in scripting to grant rights to accounts.  We usually use Group Policy nd assign the right to a group.  Users placed in the group will have advanced rights.

    There is also a utility that can alter a user directly.

    This set of rights can be granted per-machine only and has to be repearted for every machine that runs a service under this user account.

    For the utility see: http://support.microsoft.com/kb/279664

    Post any issues with this to the Windows Server Forum.

     


    jv
    Tuesday, January 17, 2012 7:27 PM
  • You can script Secedit to do what you need.

    The following shows how to assign a user the SeDenyInteractiveLogonRight user right.  I made this since the NTRights utility didn't support that particular user right.  Feel free to adapt it for the SeServiceLogonRight user right.

    @ECHO OFF
    IF "%1"=="" GOTO Help
    
    IF EXIST UserRights.inf DEL UserRights.inf
    IF EXIST DenyLogon.inf DEL DenyLogon.inf
    IF EXIST UserRights.inf DEL UserRights.inf
    secedit.exe /export /cfg UserRights.inf /areas USER_RIGHTS /log UserSec.log
    FOR /F "tokens=*" %%A IN ('TYPE UserRights.inf 2^>NUL ^| FINDSTR.EXE /C:"SeDenyInteractiveLogonRight"') DO (
      SET val=%%A,%1
    )
    IF EXIST UserRights.inf DEL UserRights.inf
    
    ECHO %val%
    ECHO [Unicode] > DenyLogon.inf
    ECHO Unicode=yes >> DenyLogon.inf
    ECHO [Version] >> DenyLogon.inf
    ECHO signature="$CHICAGO$" >> DenyLogon.inf
    ECHO Revision=1 >> DenyLogon.inf
    ECHO [Privilege Rights] >> DenyLogon.inf
    ECHO %val% >> DenyLogon.inf
    ECHO [Profile Description] >> DenyLogon.inf
    ECHO Description=Deny %1 account local logon right >> DenyLogon.inf
    
    echo Y| Secedit.exe /configure /cfg DenyLogon.inf /areas USER_RIGHTS /DB UserTemp.sdb /overwrite /log UserSec.log
    GOTO :EOF
    
    :HELP
    ECHO Pass the logon name that you would like to Deny Logon priveleges.
    

    • Proposed as answer by Keith Hess Friday, May 11, 2012 12:11 AM
    Friday, May 11, 2012 12:10 AM
  • Guys Here is vbscript solution , just replace username in script , works fine as vbscript CA in installshield .

    Username = <domain\username>  'modify with your username
    Dim oShell 
    Set oShell = CreateObject ("WScript.Shell")
      oShell.Run "secedit /export /cfg config.inf", 0, true 
      oShell.Run "secedit /import /cfg config.inf /db database.sdb", 0, true
    FileName = "config.inf"
    OrgStr = "SeServiceLogonRight ="
    RepStr = "SeServiceLogonRight = " & Username & ","
    Set inputFile = CreateObject("Scripting.FileSystemObject").OpenTextFile("config.inf", 1,1,-1)
        strInputFile = inputFile.ReadAll
    inputFile.Close
    Set inputFile = Nothing
        
    Set outputFile = CreateObject("Scripting.FileSystemObject").OpenTextFile("config.inf",2,1,-1)
    outputFile.Write (Replace(strInputFile,OrgStr,RepStr))
    outputFile.Close
        Set outputFile = Nothing
        
    oShell.Run "secedit /configure /db database.sdb /cfg config.inf",0,true
    set oShell= Nothing

    Set obj = CreateObject("Scripting.FileSystemObject")
    obj.DeleteFile("config.inf") 
    obj.DeleteFile("database.sdb")

    Monday, October 07, 2013 9:13 PM