"Act as part of the operating system" user right is not granted on Windows Server 2019 Datacenter

  • Question

  • Hello,

    I'm currently working on an issue with a customer where privileges are not assigned to a given user on Server 2019.

    Scenario:

    1) We created a domain user, which is allowed to log on to the server. The user is NOT a member of the Administrators group

    2) We used GPEDIT to assign "act as part of the operating system" user rights to the aforementioned user

    3) We enabled advanced auditing for privilege use

    When the user logs on to the server, the user right is not assigned. In a command prompt, with command whoami /priv I also don't see this user right assigned. In the Security Eventlog we get an "Audit Fail" Event with ID 4673 with the following info:

    A privileged service was called.
    Subject:
     Security ID:  DOMAIN\User
     Account Name:  User
     Account Domain:  DOMAIN
     Logon ID:  0x1485744
    Service:
     Server: Security
     Service Name: -
    Process:
     Process ID: 0x78c
     Process Name: C:\Windows\System32\svchost.exe
    Service Request Information:
     Privileges:  SeTcbPrivilege

    For testing purposes I tried the above steps also on Server 2012R2 and 2016 - with the same outcome. However, when I tried this on Server 2008R2 it worked!

    So the question is: what do I have to do to get this working on Server 2019? Obviously there have been some changes in the security subsystem that prevent one from assigning this user right.

    I know that the best practice is to use LOCAL SYSTEM if such a user right is required. Thing is, there's a 3rd party application that requires service accounts and these require those user rights.

    Any help, hints, tips, etc. welcome.

    Appreciate your help.

    Regards

    Christian Schindler

    Monday, August 19, 2019 11:23 AM

Answers

  • Hello,

    after further investigation I found the culprit:

    All the servers had UAC turned off!

    After turning on UAC, everything started working.

    Thanks for pointing me in the correct direction!

    Regards

    Christian

    Thursday, August 22, 2019 6:50 PM
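
A diagnostic for the situation resolved above, as an added example that is not part of the original thread: it reports whether UAC is on, whether the user right is assigned in local policy, whether SeTcbPrivilege is in the current token, and whether recent 4673 events name it. The `EnableLUA` policy value as the UAC switch and the temporary file name are assumptions not stated on the page; the policy export and the Security log query need an elevated session and are skipped otherwise.

```powershell
# Added example: why is SeTcbPrivilege missing from a logon token?
# Run once as the affected user (token check) and once elevated (policy + events).
$privilege = 'SeTcbPrivilege'

# 1) UAC state. Assumption: EnableLUA = 1 means UAC is turned on.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA `
              -ErrorAction SilentlyContinue).EnableLUA

# 2) Is the privilege in the token of this logon session? (same data as whoami /priv)
$inToken = [bool](whoami /priv | Select-String -SimpleMatch $privilege)

# Steps 3 and 4 need administrative rights.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

$assignedTo = $null
$events     = @()
if ($elevated) {
    # 3) Export the effective user rights assignment and look for the privilege.
    $inf = Join-Path $env:TEMP 'user_rights_export.inf'   # hypothetical file name
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (Test-Path $inf) {
        $assignedTo = Get-Content $inf | Where-Object { $_ -match "^$privilege\s*=" }
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    # 4) Recent "A privileged service was called" events that name the privilege.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673 } `
                    -MaxEvents 500 -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match $privilege } |
                Select-Object -First 5 -Property TimeCreated, KeywordsDisplayNames)
}

[pscustomobject]@{
    User             = $identity.Name
    UacEnabled       = ($enableLua -eq 1)
    PrivilegeInToken = $inToken
    Elevated         = $elevated
    PolicyAssignment = $assignedTo      # empty when the right is not assigned
    Recent4673       = $events
} | Format-List
```

A result with `PolicyAssignment` populated, `PrivilegeInToken` false and `UacEnabled` false matches the symptom described in this thread.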

All replies

  • Hi,

    I tried to assign “act as part of the operating system” privilege to t1(account name) in my lab.

    First, I added account t1 to the list. I tried to run CMD as administrator while still using the t1 account, and it failed. The command whoami /priv also could not list the SeTcbPrivilege privilege.

    Second, I logged off account t1 and logged in again. Now the SeTcbPrivilege privilege is assigned to t1.

    I can use t1 to run CMD as administrator, and SeTcbPrivilege is listed when I run whoami /priv.

    For a further test, I suggest you log off the current user and log in again.

    Some screenshots for your reference:

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 20, 2019 8:19 AM
  • Thanks for your reply!

    That is very interesting - I installed a fresh copy of Windows Server 2019 and had the same issues.

    Of course I logged off and on again to test rights assignment.

    Did you add your account to local administrators?

    Any other ideas?

    Thanks!

    Tuesday, August 20, 2019 2:50 PM
  • I tried it in a completely different environment - with the same (negative) result:

    If a normal user is assigned "act as part of the operating system" user rights, it doesn't work.

    Any ideas?

    Maybe this was changed in a CU or so?

    Tuesday, August 20, 2019 6:23 PM
  • Hi,

    Did you add your account to local administrators?

    No, just a standard account.

    If a normal user is assigned "act as part of the operating system" user rights, it doesn't work.

    Due to UAC, we should run some application as administrator with the standard account; the SeTcbPrivilege privilege should be assigned at that moment. Have you performed this operation?

    Maybe this was changed in a CU or so?

    It’s also a possible reason. For further testing, could you please let me know the current OS version in your environment? The OS version in my lab is 17763.615; sorry that I shared a Windows Server 2016 screenshot with you yesterday.

    In my lab, PC1 is Windows Server 2019 and PC2 is Windows Server 2016.

    Best Regards,

    William




    Wednesday, August 21, 2019 1:47 AM
  • Hi,

    I’m glad to hear the issue was resolved.

    In addition, I would appreciate it if you could mark my reply as the answer; it would be helpful for others who have a similar issue.

    If there is anything else we can do for you, please feel free to post in our forum.

    Have a nice day!

    Best Regards,

    William



    Friday, August 23, 2019 1:23 AM
  • Hi,

    Please remember to mark all the useful replies as answers; it would be helpful to anyone who encounters similar issues.

    Best Regards,

    William



    Tuesday, September 3, 2019 9:25 AM