Granting "Logon As Service Rights"
-
Anyone know how to grant a user account "Logon As Service" rights through VB/VBScript? I'm trying to pre-install a couple of services, and although I have managed to get the WMI scripts working to create and run the services as the account in question, I cannot figure out how to grant the account logon rights without having to revert to using the old NTRIGHTS util. Target OS are XP/2K, they are running both Stand-alone, on NT Domain or an Active Directory. Meanwhile ... I will have to wsshell ntrights :-< Cheers Alun Boyd
-
I don't know how to do it off the top of my head, but the first question I have is: Is the .MSI being elevated to Admin level when it's run? Without this, you can't modify any user to Logon As Service. RageInTheMachine9532
-
My mistake, I should have mentioned that this is a straight VBS task (to be VBE'd later), and will be run from a Local Admin account. Being a bit of a newbie to VB, I don't particularly want to start fiddling with MSI just yet, it seems to be a bit OTT for the current purpose. I have sort of found 2 ways around this. The first is to use NTRIGHTS.EXE but this means ensuring it's available and that it can look up the SID of the account that will require the rights. Unfortunately this is not always possible as it's a domain account that needs rights, and the service may need installing off-network (and NTRIGHTS won't take a SID as an argument). The other method is to create on-the-fly a simplified Security Template then run "secedit /config /areas USER_RIGHTS ....." to apply the template. The only problem is if other users have been given rights, the template wipes them out :-<
-
I haven't been able to find any scripting that will modify the Rights of a User Account. But, I can tell you that it is possible to do and it WILL require WMI to do it. Lucky for you W2K and XP both come with it native. 95/98/NT4 don't support WMI without first installing it separately. I'm still looking for a scripting solution... RageInTheMachine9532
-
Thanks for looking Rage, I can only assume you too are flummoxed! I'm probably going to have to fall back on the security template method, assuming I can get 'secedit /export' to work so that I incorporate any previous security rights in the newly modified ones.
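
The export-then-merge approach described in the last post, as an added example that is not code from any poster in this thread: it exports the current assignments, appends one account to the existing SeServiceLogonRight holders, and applies a template containing only that right, so accounts already granted the right are kept. The temp file names and the single command-line argument are assumptions; the argument may be an account name or a SID in the template's `*S-1-5-...` form, which needs no name lookup.

```vbscript
' Added example, not code from the thread. Run as a local administrator:
'   cscript //nologo grant-svc-logon.vbs *S-1-5-21-<domain-id>-<rid>
Option Explicit
Const ForReading = 1, ForWriting = 2, AsUnicode = -1
Const RIGHT_NAME = "SeServiceLogonRight"
Dim fso, sh, tmp, oldInf, newInf, sdb, account, holders, parts, item, ts, rc
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
If WScript.Arguments.Count <> 1 Then WScript.Echo "usage: <account or *SID>" : WScript.Quit 2
account = WScript.Arguments(0)
tmp = sh.ExpandEnvironmentStrings("%TEMP%")
oldInf = fso.BuildPath(tmp, "rights-export.inf")   ' hypothetical file names
newInf = fso.BuildPath(tmp, "rights-merged.inf")
sdb = fso.BuildPath(tmp, "rights-merged.sdb")

' 1. Export the current user-rights assignments (secedit writes a Unicode INF).
rc = sh.Run("secedit /export /cfg """ & oldInf & """ /areas USER_RIGHTS", 0, True)
If rc <> 0 Then WScript.Echo "secedit /export failed, code " & rc : WScript.Quit 1

' 2. Read the existing holders; the line is absent when nobody holds the right.
holders = ""
Set ts = fso.OpenTextFile(oldInf, ForReading, False, AsUnicode)
Do Until ts.AtEndOfStream
    parts = Split(ts.ReadLine, "=", 2)
    If UBound(parts) = 1 Then
        If StrComp(Trim(parts(0)), RIGHT_NAME, vbTextCompare) = 0 Then holders = Trim(parts(1))
    End If
Loop
ts.Close

' 3. Append the new account unless it is already listed.
For Each item In Split(holders, ",")
    If StrComp(Trim(item), account, vbTextCompare) = 0 Then WScript.Echo "already granted" : WScript.Quit 0
Next
If holders <> "" Then holders = holders & ","
holders = holders & account

' 4. Write a template carrying only this right, with the merged holder list.
Set ts = fso.OpenTextFile(newInf, ForWriting, True, AsUnicode)
ts.WriteLine "[Unicode]" : ts.WriteLine "Unicode=yes"
ts.WriteLine "[Version]" : ts.WriteLine "signature=""$CHICAGO$""" : ts.WriteLine "Revision=1"
ts.WriteLine "[Privilege Rights]" : ts.WriteLine RIGHT_NAME & " = " & holders
ts.Close

' 5. Apply it; deleting any old database keeps earlier runs from leaking in.
If fso.FileExists(sdb) Then fso.DeleteFile sdb
rc = sh.Run("secedit /configure /db """ & sdb & """ /cfg """ & newInf & """ /areas USER_RIGHTS", 0, True)
If rc <> 0 Then WScript.Echo "secedit /configure failed, code " & rc : WScript.Quit 1
WScript.Echo RIGHT_NAME & " = " & holders
```

Re-running `secedit /export` afterwards and checking the SeServiceLogonRight line confirms that the earlier holders are still present alongside the new account.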