
windows - Why can a user grant themselves the Log On As A Service right?


This article (http://technet.microsoft.com/en-us/library/cc739424%28WS.10%29.aspx) describes the (relatively laborious) steps
you should go through to grant an Active Directory user the Log On As A Service right.
However, if I install a service and manually specify my AD account's logon credentials
(service properties | Log On), Windows tells me that 'The account [myaccount] has been
granted the Log On As A Service right.' I can then run the service under my account
credentials. However, on a subsequent reinstall of the service (or sometimes on reboot),
the service is once again unable to start because of a login failure... until I go in
and manually enter my credentials again, and the account is magically 'granted the Log
On As A Service right.' After this, the service can once again start under my account's
credentials.




What's going on here?
Why do I apparently have the permission to grant this right to myself on-the-fly? If I
can grant it on-the-fly, why doesn't it stay granted and I have to keep re-granting it?
Bear in mind I'm not asking how to grant someone this right through Active Directory -
I'm talking about the fact that this right appears to be 'auto-granted' by Windows upon
your entering your credentials in the Log On window.



Answer




It sounds like there is a group policy that defines the accounts that are
granted Log on as a Service. Because you are an administrator you have permission to
grant this privilege, but when the group policy re-applies the privilege will get
removed. The next time the service stops it won't be able to
start.



You should either change the scope /
filtering of the policy so this machine is exempt from it or use the policy to grant the
necessary privilege.



INFO FROM COMMENTS:

To check if a group policy is applying the setting use the resultant
set of policy wizard (rsop.msc).

If you want to apply this setting to many
computers or can't remove an existing policy that defines this setting then use group
policy to define it. There is a technet article (http://technet.microsoft.com/en-us/library/dd277404.aspx) that explains how to do this.

To check the current local security settings use secpol.msc - expand Local Policies then
select User Rights Assignments. This will show the currently applied settings. If you
have sufficient access and there is no group policy in effect then this will allow you
to edit the current policy. If the add / remove buttons are disabled then a policy
currently defines this setting.




If
there is no policy in effect, then allowing Windows to grant the user the right is
perfectly fine and is just a convenience feature provided by Windows. As Jez discovered,
if a policy IS in effect then it is pointless fighting it. Policy generally re-applies
every few hours and will keep zapping any changes you have managed to make. (Although
the service will carry on working until it stops for some other reason). Jez mentioned
that he thinks a service is identified by a LUID generated at install time. I don't know
if this is the case or not, but the Log On As A Service user right is not restricted to
any particular service. So it won't make any difference WHAT service you want to log on
as. One danger of letting Windows assign the right for you is that you may forget to
remove previous accounts and end up with a huge list of accounts that have the log on as
a service privilege and no need for it.



So to
answer Jez's comment a little more directly, if there is a policy in effect, there is no
point finding ways round the disabled secpol.msc UI. The UI is disabled as a warning to
you that any changes you manage to make will not be retained. In this case, editing the
policy is the way forward, either to grant the privilege or to stop making that setting
so that it can then be assigned
locally.



EDIT:
You seem to think that
granting a domain user this privilege is somehow different to granting it to a local
user. It isn't. If the PC/Server in question doesn't have any group policy applied then
you open secpol.msc, go to the privilege in question, double click, click add and then
select the account you want. I've just tried this on a domain joined laptop and the add
user dialog actually defaulted to the domain. If I wanted to pick a local group then I'd
have to change the location.



If you double click
the privilege then I assume you see the list and the add / remove buttons but the
buttons are disabled so you can't edit the list. This can't be because you are adding a
domain account because you haven't yet selected whether to add a local or domain
account.



I've run into exactly this problem at
work, the service I was installing was only going on one PC so changing policy was not
an option. We moved the PC in question to an OU where no policy applied, then I could
grant the privilege without
issue.




The reason you can grant the
privilege the round-about way is that policy just disables the UI, it doesn't actually
change the permissions you have. It does however re-apply itself periodically, which is
why the setting gets overwritten.
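The check-then-grant procedure the answer describes (inspect the current User Rights Assignment, grant SeServiceLogonRight locally if it is missing, then confirm whether a GPO defines the same setting and will overwrite it at the next refresh) as a PowerShell script. This is an added example by the editor, not code from the original answer; it assumes `secedit.exe` and `gpresult.exe` are available (they ship with Windows), that it is run from an elevated prompt, and that the account name passed in (e.g. `CONTOSO\svc-app`) is resolvable on the machine. `secedit /configure` with a `[Privilege Rights]` section replaces the whole list for that right, which is why the script re-emits the existing holders rather than just the new one.

```powershell
# Added example: check, grant and verify "Log on as a service" (SeServiceLogonRight).
# Assumptions: elevated session; secedit.exe and gpresult.exe present; $Account resolves.
param(
    [Parameter(Mandatory)][string]$Account   # e.g. 'CONTOSO\svc-app' (hypothetical)
)

$inf   = Join-Path $env:TEMP 'secpol-export.inf'
$patch = Join-Path $env:TEMP 'secpol-patch.inf'
$db    = Join-Path $env:TEMP 'secpol-import.sdb'

# 1. Export the locally effective user-rights assignments to an INF file.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Pull out the SeServiceLogonRight line. Holders appear as *SID (or, rarely, as names).
$line    = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$current = if ($line) { (($line -split '=', 2)[1].Trim() -split ',') | Where-Object { $_ } } else { @() }

# Resolve the account to a SID so the comparison does not depend on name formatting.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

if ($current -contains "*$sid" -or $current -contains $Account) {
    Write-Host "$Account already holds SeServiceLogonRight."
}
else {
    # 3. Build an INF that keeps every existing holder and appends the new SID, then import it.
    #    The INF must be UTF-16 (Unicode) for secedit to read it.
    $new = (@($current) + "*$sid") -join ','
    $cfg = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $new
"@
    Set-Content -Path $patch -Value $cfg -Encoding Unicode
    secedit /configure /db $db /cfg $patch /areas USER_RIGHTS | Out-Null
    Write-Host "Granted SeServiceLogonRight to $Account in the local security database."
}

# 4. Does a GPO define this right? If so, the local grant above is exactly the kind of
#    change the answer says will be "zapped" on the next policy refresh, and the fix
#    belongs in the GPO (or the machine must be moved out of its scope).
$rsop = gpresult /scope computer /v 2>$null
$hit  = $rsop | Select-String -Pattern 'SeServiceLogonRight|Log on as a service' -Context 0, 3
if ($hit) {
    Write-Warning "A GPO defines 'Log on as a service'; local changes will be reverted on refresh:"
    $hit | ForEach-Object { $_.Line; $_.Context.PostContext }
}
else {
    Write-Host "No GPO sets this right; the local assignment will persist."
}

Remove-Item $inf, $patch -ErrorAction SilentlyContinue
```

Run it as `.\Grant-ServiceLogon.ps1 -Account 'CONTOSO\svc-app'` from an elevated PowerShell. If the warning fires, do not keep re-running the grant: edit the GPO that defines the right (or re-scope it) as the answer recommends.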

