Add Logon As Service Right with PowerShell

I saw a comment on Twitter today about a limitation in PowerShell. Specifically the ability to grant the logon as a service right to a user account. Manually, if you use the Services management console and specify the user, Windows will automatically grant that right. But if you are trying to do this from a command line, that is a bit more challenging. There has been an old resource kit tool called NTRights which can easily get the job done. And I have no problem calling a command line tool that is designed for a special purpose. But, you first need to get a hold of that utility.

Another option, which I’ve also used in the past, is to use some scripting language to modify the local security policy on the fly. Typically this involves creating a database entry and then calling SECEDIT. I came across a PowerShell script that does this but you could easily do it with VBScript. There’s nothing uniquely PowerShell about it.

Granting this privilege requires some arcane (at least to me) API calls. In my research I found several examples. Then I came across this great link. The author, Morgan, has a number of options for achieving this task. Unfortunately, his PowerShell solution requires a third-party DLL. But fortunately, he also has a C# solution.

Why is this fortunate? Because PowerShell is a management engine with great depth. You can run commands interactively, you can create scripts and advanced functions, or you can leverage languages like C#. I can use Morgan’s C# class definition and add it to PowerShell.

Using Add-Type I can load it into my PowerShell session. Once loaded, I can create an object based on the class.

The class name looks a bit funny but it must be because of how the class is defined. I’m not much of a developer type to know if this could be done any differently, but it works. With the class I can now grant an account the necessary privilege.

The method writes a result to the pipeline.

The class has a number of Console.WriteLine commands I could remove if I didn’t want this level of detail. But it is possible to do this in PowerShell, because of how flexible the engine and language can be. I’m not implying this is easy. In fact, if I were to take this to the next step I’d build some advanced functions around it so it would at least be easy to use for other people. This is a great example of why you should learn PowerShell and how it can impact your career.

Based on a comment I’ve revised the original class.

I’ll admit this is beyond what I normally do in PowerShell but I’m willing to learn new things and did with this challenge. With this class it is much easier to add the type and invoke the method.
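The Add-Type approach described above, wrapped in an advanced function, as an added example (this is not Morgan's class or the revised class from this post). The names `LsaRightsExample`, `AddRight` and `Grant-LogonAsServiceRight` are made up for illustration; the code assumes an elevated session and changes policy on the local machine only.

```powershell
# Added example: C# P/Invoke wrapper around the Win32 LSA functions (names are hypothetical).
$source = @'
using System;
using System.Runtime.InteropServices;
public static class LsaRightsExample {
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr systemName, ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(IntPtr policy, byte[] sid, LSA_UNICODE_STRING[] rights, uint count);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr policy);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);

    // Returns 0 on success, otherwise the Win32 error code for the failing LSA call.
    public static int AddRight(byte[] sid, string right) {
        LSA_OBJECT_ATTRIBUTES attrs = new LSA_OBJECT_ATTRIBUTES();
        attrs.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        IntPtr policy;
        // 0x810 = POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES; IntPtr.Zero = local machine
        uint status = LsaOpenPolicy(IntPtr.Zero, ref attrs, 0x810, out policy);
        if (status != 0) return LsaNtStatusToWinError(status);
        LSA_UNICODE_STRING[] rights = new LSA_UNICODE_STRING[1];
        rights[0].Buffer = Marshal.StringToHGlobalUni(right);
        rights[0].Length = (ushort)(right.Length * 2);            // bytes, without terminator
        rights[0].MaximumLength = (ushort)((right.Length + 1) * 2);
        try { status = LsaAddAccountRights(policy, sid, rights, 1); }
        finally { Marshal.FreeHGlobal(rights[0].Buffer); LsaClose(policy); }
        return status == 0 ? 0 : LsaNtStatusToWinError(status);
    }
}
'@
Add-Type -TypeDefinition $source

function Grant-LogonAsServiceRight {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Account)
    # Resolve the account to a SID first; Translate() throws if the name is unknown.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    if ($PSCmdlet.ShouldProcess("$Account ($sid)", 'Grant SeServiceLogonRight')) {
        $err = [LsaRightsExample]::AddRight($bytes, 'SeServiceLogonRight')
        if ($err -ne 0) { throw (New-Object System.ComponentModel.Win32Exception $err) }
    }
}
```

Run it with `-WhatIf` first to confirm which account and SID would receive the right, and grant it only to the dedicated service account rather than to a group.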
