Easiest way to grant "Log on as a service" to a Windows user from the command-line?

Question

I want to script an install where a service needs to be run as a user. I want to be able to specify the user.

Creating the user is easy through the NET USER /ADD command.

Specifying the user for the service can also be done: the SC CONFIG command allows this.

Now the missing link: granting the user the "Log on as a service" privilege as a logon right (SeServiceLogonRight). Is there a command for this? Or a simple script for PowerShell?

score 16 · Accepted Answer · answered Apr 28 '14 at 13:34

16

The easiest way to do this from a command line is definitely using NTRights.exe from the Windows Server 2003 Resource Toolkit.

ntrights +r SeServiceLogonRight -u jeroen -m \\%COMPUTERNAME%

answered Apr 28 '14 at 13:34

Mathias R. Jessen

462

2

An answer to this question - http://superuser.com/questions/309360/windows-7-equivalent-for-ntrights-exe - has a Powershell example. – LawrenceC Apr 28 '14 at 14:36
@ultrasawblade thanks both of you; I'm going the NtRights route, but I'm glad there is a Plan-B when NtRights might become unavailable for one reason or another. – Jeroen Wiert Pluimers Apr 28 '14 at 19:26
ntrights +r SeServiceLogonRight -u %USERNAME% -m \\%COMPUTERNAME% works, but whoami /all doesn't show any change. secpol.msc does show the change however, so I have accepted your answer. – Jeroen Wiert Pluimers Apr 28 '14 at 19:43
Log out and log back in and whoami will list the new privilege – Mathias R. Jessen Apr 28 '14 at 19:44
@MathiasR.Jessen even after a reboot, whomai /all (with and without UAC token) list the right, but secpol.msc does. – Jeroen Wiert Pluimers May 08 '14 at 19:10
Resource toolkit link is borked so this answer should either be updated with a good link or deleted (no shade to the answer, it's just outdated without a working link) – ryvantage Jun 25 '23 at 17:07

score 8 · Answer 2 · edited May 23 '17 at 12:41

8

I use Carbon and Chocolatey.

cinst carbon -y

Grant-Privilege -Identity $username -Privilege SeServiceLogonRight

Based on this answer: https://stackoverflow.com/a/22155390/991267

edited May 23 '17 at 12:41

Community

1

answered Jun 07 '16 at 02:04

Der_Meister

585

1

Please elaborate why adding two dependencies would be better than one. – Jeroen Wiert Pluimers Jun 07 '16 at 06:42
1

Chocolatey is a package manager, it simplifies install process. It's one of providers for OneGet. You can use PowerShell Gallery (https://www.powershellgallery.com/packages/Carbon) instead. – Der_Meister Jun 07 '16 at 07:02
2

Reminds me too much of http://xkcd.com/1654/ and http://www.commitstrip.com/en/2016/05/10/a-moment-of-nostalgia/ – Jeroen Wiert Pluimers Jun 07 '16 at 07:31
@Der_Meister - I can contest that this is a much more elegant solution. Cheers. – Bronumski Jun 23 '16 at 14:39
2

Although it should be SeServiceLogonRight instead of SeBatchLogonRight – Bronumski Jun 23 '16 at 14:50
If you don't mind installing Carbon it's way more elegant. You don't need choco, just use Install-Module Carbon – Conrad Jones Dec 08 '19 at 23:57

Easiest way to grant "Log on as a service" to a Windows user from the command-line?

2 Answers2

Linked