PDA

View Full Version : Re: Adding "Log on as a service" rights to a user programmatically?



NewsArchive
11-06-2017, 08:25 AM
Hi Jeff,

(also continued this thread in the SB ng)

I have made a Setup with SB with the excellent help of Friedrich.
This Setup installs the SV AppBroker as a service, not under SYSTEM, but
with a user account and user password (I need this because of printing
capabilities).

Today I had a problem at a client's Windows 10 pc.
My client is logged on with a full admin account on his local Win10 pc.
The setup installer did create the service "Clarion Application Broker"
ok, so Create Service worked.
But the Start Service after that, didn't work, it returned error 1. At
first I thought that my client had entered a wrong password during the
setup process. We tried everything and made a new admin account +
password on his Win10 pc. But even with this new admin account, only the
Create Service worked ok, but the Start Service failed over and over.
So we ended up by starting the Services window manually: the user
account name and password were filled in already (by the SB installer).
After that, we manually typed over the password field (with of course
the same password we entered during the install), we pressed "Apply" and
after that we got a message (translated from Dutch into English),
something like:
"The rights to this service have been applied".
After that, we started our setup again, and this time, also the Start
Service was working ok.

This has cost me some hours!

I read here some info:
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/log-on-as-a-service

So how can we *automate* this under Windows 10 with SetupBuilder? My
customer blamed me about the difficult installation.

I hope that Friedrich has some tricks? I need to start the service
automatically.

Best regards,
Jeffrey

Op 26-10-2017 om 23:22 schreef Jeff Slarve:
> I sure would love to be able to do that.
>
> Are there examples or code available for purchase?
>
> Not sure my sleeves roll up that high.<g>
>
> Thanks
>
> Jeff Slarve
> www.jssoftware.com
>
> you know what happens when you assuage
>

NewsArchive
11-06-2017, 08:26 AM
See also some other product that needs the "Log on as a service" rights:

https://support.pdq.com/hc/en-us/articles/220534287-Enable-Credentials-to-Log-on-as-a-Service-

Best regards,
Jeffrey

NewsArchive
11-06-2017, 08:27 AM
Hi Jeffrey -

That is one of the ways outlined by Self Service's docs, in the
"Ground Rules" section. As is the opening of Group Policy Editor.

http://www.capesoft.com/docs/SelfService/selfservice.htm

I know those two ways, but I want to do this programmatically.

For now, I'll just open up gpedit.msc and let the admin do their
thing. But it's a chore I'd like to be able to help them with a bit
more.

Thank you.

On 6 Nov 2017 06:58:51 -0500, Jeffrey Kuijt
wrote:

>So we ended up by starting the Services window manually: the user
>account name and password were filled in already (by the SB installer).
>After that, we manually typed over the password field (with of course
>the same password we entered during the install), we pressed "Apply" and
>after that we got a message (translated from Dutch into English),
>something like:
>"The rights to this service have been applied".
>After that, we started our setup again, and this time, also the Start
>Service was working ok.
>
>This has cost me some hours!

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-06-2017, 08:28 AM
Hi Jeff,

Then perhaps, this could work(?):

See OPTION THREE of:
https://www.tenforums.com/tutorials/88118-change-user-rights-assignment-security-policy-settings-windows-10-a.html

(Log on as a service = SeServiceLogonRight)

ntrights +r SeServiceLogonRight -u "User or Group"

Best regards,
Jeffrey

NewsArchive
11-06-2017, 08:30 AM
Hi Jeffrey -

As Jane suggested, that could be an option.

I'm guessing you'd need to have a special setup that would download
the ntrights file for you, kind of like Friedrich wrote for
downloading signtool. Or download the resource toolkit directly to
your client from MS.

My preliminary assumption is that you wouldn't be able to distribute
that Microsoft file in your app setup. Plus, the download on that page
is only for 32 bit OS. So we have to get that part right too.

I wonder if running procmon would help figure out what ntrights does.

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-06-2017, 08:37 AM
Hi Jeffrey,

the first question is, how would you do it programmatically *without*
SetupBuilder through a command line tool or something like that.

As far as I can see, it can be done via a PowerShell Script, a VBScript,
group policy manipulation via advapi32.dll APIs -or- using the ntrights.exe
Windows Resource Kit tool.

Not sure if you can use this method, but I have developed a small demo
project. See attached screenshot. I am using the "ntrights.exe" from the
Win2003 Windows Resource Toolkit and it seemed to work fine on Windows 10
Fall Creators Update.

Command line should look like this:
%TMPDIR%\ntrights.exe +r SeServiceLogonRight -u "Domain\Administrator"

What do you think?

Friedrich

--
Friedrich Linder
Lindersoft | SetupBuilder | www.lindersoft.com
954.252.3910 (within US) | +1.954.252.3910 (outside US)

--SetupBuilder "point. click. ship"
--Helping You Build Better Installations
--Create Windows 10 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
11-06-2017, 08:38 AM
BTW, the first command line box screenhot was just a test. Of course, the
SetupBuilder linker embeds the "ntrights.exe" tool as a support file into
the setup.exe and executes it silently behind-the-scenes.

Friedrich

NewsArchive
11-06-2017, 08:38 AM
Hi Friedrich,

Yes, this is what I'm looking for, thank you very much!!

Best regards,
Jeffrey

NewsArchive
11-06-2017, 08:39 AM
Hi Jeff,

See Friedrich's reply, I will go this (and Jane's) route. ;-)

Best regards,
Jeffrey

NewsArchive
11-06-2017, 11:40 AM
Is ntrights.exe a binary that we can distribute with our software?

Does it work on both 64/32 bit, or do we need to distribute 2
different executables?

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-07-2017, 02:41 AM
> Is ntrights.exe a binary that we can distribute with our software?
Yes.

> Does it work on both 64/32 bit?
Yes.

Best regards,
Jeffrey

NewsArchive
11-07-2017, 02:42 AM
Where can I find this information? Is there a license agreement?

Thanks.

>
> > Is ntrights.exe a binary that we can distribute with our software?
>Yes.

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-07-2017, 02:42 AM
Good question, I spoke too soon.
Perhaps Friedrich knows...

Best regards
Jeffrey

NewsArchive
11-07-2017, 02:43 AM
Well, the one in the 2003 resource kit is not codesigned, but it's
written by Georg Zanzen and it's a beta.<g>

NTRights.Exe - Beta Version by Georg Zanzen
Grants/Revokes NT-Rights to a user/group

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-28-2017, 04:36 AM
Found this "scratch pad". Looks interesting, whether or not it
actually works.

https://github.com/zippy1981/ntrights

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-28-2017, 11:07 AM
Hi Jeff,

Thank you.
I have included ntrights in my SB project some weeks ago and ntrights is
doing the job perfectly well.

Best regards,
Jeffrey

NewsArchive
11-28-2017, 11:08 AM
I can dig that it works and that you're happy with it.

But I can also dig that desipite the apparent effectiveness, this
solution involves introducing an un-vouched, un-documented, and
un-maintained black box executable to twiddle around with a computers
most private parts in an elevated and vulnerable state.

I'd feel better about it if MS actually took ownership of it and moved
it out of "beta" or at least codesigned it.

The customer executes and elevates your setup that's signed with your
company name. So the one that they're basically trusting with their
security is you.

The water is fine until it isn't.<g>

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage