How can I give a non-administrator permission to alter local security policy on Windows?

0

I'm working with a service that creates AD accounts. This service is not an administrator (and I don't want it to be) - but it needs to be able to give the newly created accounts the Log in as a Batch Job user right assignment (SeBatchLogonRight).

How might I give an unprivileged account permission to alter local security policy?

NTDLS

Posted 2019-06-13T16:37:03.250

Reputation: 121

Answers

3

You can't.

Modifying the local security policy can only be done by members of the local Administrators group. This restriction is implemented internally within Windows and there are no settings exposed by which to change it.

but [the service] needs to be able to give the newly created accounts permission to log in as a batch job.

Code that is creating or modifying permissions for other user accounts needs to be at least as privileged as the permissions being assigned. It's illogical to imagine a process that can grant privileges greater than the code itself has, because in fact the code already has said privileges by virtue of the fact it can grant them.

Due to the restrictions on editing the local security policy, it will be necessary to give your service administrative level permissions.

I say Reinstate Monica

Posted 2019-06-13T16:37:03.250

Reputation: 21 477
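The following script is an added example and is not code from the question or the answer above. It shows how an account that does hold local administrator rights grants SeBatchLogonRight to a single account with the built-in secedit.exe tool, and it begins with the check the answer implies: if the caller is not in the local Administrators group, the operation is refused before anything is touched. The account name passed in is hypothetical; the temporary directory, file names and the decision to export and re-apply only the USER_RIGHTS area are choices made for this example.

```powershell
# Added example (not from the original question or answer): grant the
# "Log on as a batch job" user right (SeBatchLogonRight) to one account via
# secedit.exe, the way an *administrative* service account would have to.
# Assumptions: $Account is a hypothetical existing account; secedit.exe is
# present (it ships with Windows); the script runs in an elevated session.

param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # e.g. 'CONTOSO\svc-batch-example' (hypothetical name)
)

# 1. The answer's point, in code: editing local security policy requires
#    membership in the local Administrators group. Fail fast otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Granting SeBatchLogonRight requires membership in the local Administrators group."
}

# 2. Resolve the account to a SID; secedit stores rights as '*<SID>' entries,
#    so a renamed account keeps the right and a recreated one does not.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$key  = 'SeBatchLogonRight'
$work = Join-Path $env:TEMP ("uar-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
try {
    $cfg = Join-Path $work 'policy.inf'
    $db  = Join-Path $work 'policy.sdb'

    # 3. Export the current user-rights assignments first, so the existing
    #    holders of the right are preserved rather than replaced.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    # 4. Append '*<SID>' to the SeBatchLogonRight line, or add the line if
    #    the right currently has no holders at all.
    $lines = @(Get-Content -Path $cfg)
    $names = $lines | ForEach-Object { ($_ -split '=', 2)[0].Trim() }
    $idx   = [array]::IndexOf($names, $key)
    if ($idx -ge 0) {
        $current = ($lines[$idx] -split '=', 2)[1].Trim()
        if (($current -split ',') -contains "*$sid") {
            Write-Host "$Account already holds $key; nothing to do."
            return
        }
        $lines[$idx] = "$key = $current,*$sid"
    } else {
        $entry   = "$key = *$sid"
        $section = [array]::IndexOf($lines, '[Privilege Rights]')
        $list    = [System.Collections.Generic.List[string]]::new([string[]]$lines)
        if ($section -ge 0) {
            $list.Insert($section + 1, $entry)      # directly under the section header
        } else {
            $list.Add('[Privilege Rights]')        # export omitted the section entirely
            $list.Add($entry)
        }
        $lines = $list.ToArray()
    }
    # secedit reads the INF as UTF-16; writing it as anything else breaks the import.
    Set-Content -Path $cfg -Value $lines -Encoding Unicode

    # 5. Apply only the USER_RIGHTS area, leaving account and audit policy alone.
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit configure failed (exit code $LASTEXITCODE)" }

    Write-Host "Granted $key to $Account ($sid)."
}
finally {
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run from an elevated prompt as `.\Grant-BatchLogon.ps1 -Account 'CONTOSO\svc-batch-example'`. Run from a non-elevated one, the script stops at step 1; even without that check, secedit itself fails to export or configure the policy for a non-administrator, which is the behaviour the answer describes. Exporting before writing matters: `secedit /configure` with a `[Privilege Rights]` entry replaces the full list of holders for that right, so a script that writes only the new SID would strip the right from every account that already had it.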