5

On Windows Server 2008 R2 Core Edition, how do I assign the "log on as a service" permission to a user, from the command-line?

(ntrights.exe from the Win2003 resource kit is not included in Win2008 R2 Core).

I don't mind whether it's cmd or a powershell cmdlet. I would prefer it to be a command run locally on the box, rather than one invoked remotely.

The server is not, and will not be, part of an active directory.

Peter Mounce

2 Answers

6

I ended up grabbing ntrights.exe from the Windows 2003 Resource Kit and placing it on the server, then running ntrights +r SeServiceLogonRight -u <my user>.

I didn't install the resource-kit, because

  • I only needed ntrights.exe
  • Installation threw some OLE-related errors (that seemed to be irrelevant, but still)
Peter Mounce
1

If you have another computer that can connect a Group Policy Object MMC to the Core Server, that is the easiest way to edit the Logon As A Service privilege.

If not, you can create a file on the server with:

[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0

The list of SIDs is comma separated. They have to be the actual SIDs not the account names. You have to include all the SIDs; this doesn't add or remove, it replaces the current list.

Make a backup of your current configuration:

secedit /export /cfg c:\backup.txt

Once you've got the file you can run:

secedit /configure /db secedit.sdb /cfg filename.txt
Chris S
  • *"They have to be the actual SIDs not the account names."* I don't believe this is true. After adding the privilege using the SID, I re-exported and saw the username in its place. – Jonathon Reinhart Apr 26 '16 at 13:13
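Added example (not part of either answer): a PowerShell sketch of the secedit procedure above that reads the current SeServiceLogonRight holders from the export and writes them back with the new account appended, so the replace-not-append behaviour does not drop existing entries. The account name svc-example and the file names under %TEMP% are placeholders; it assumes an elevated prompt and PowerShell 2.0 or later on the server.

```powershell
# Added example: grant "Log on as a service" while keeping the existing holders.
# $Account is a placeholder; the file names under $env:TEMP are assumptions.
param([string]$Account = "$env:COMPUTERNAME\svc-example")

$right  = 'SeServiceLogonRight'
$export = Join-Path $env:TEMP 'user-rights-export.inf'
$patch  = Join-Path $env:TEMP 'user-rights-patch.inf'
$db     = Join-Path $env:TEMP 'user-rights.sdb'

# Resolve the account name to its SID string.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area; this file doubles as the backup.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

# Current holders of the right; the line is absent if nobody holds it.
$current = @()
$line = Get-Content $export | Where-Object { $_ -match "^\s*$right\s*=" } |
    Select-Object -First 1
if ($line) {
    $current = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$entry = "*$sid"
if ($current -contains $entry) {
    Write-Output "$Account ($sid) already holds $right"
    return
}

# Existing entries are written back exactly as exported, plus the new SID.
$template = @(
    '[Unicode]'
    'Unicode=yes'
    '[Version]'
    'signature="$CHICAGO$"'
    'Revision=1'
    '[Privilege Rights]'
    "$right = " + (($current + $entry) -join ',')
)
Set-Content -Path $patch -Value $template -Encoding Unicode

# Start from a fresh database so earlier runs cannot leak settings in.
Remove-Item $db -ErrorAction SilentlyContinue
secedit /configure /db $db /cfg $patch /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
Write-Output "Granted $right to $Account ($sid); previous settings are in $export"
```

Re-running the export afterwards and checking the SeServiceLogonRight line confirms that the earlier entries survived alongside the new one.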