How do I grant "log on as a service" permission to a (local) from the command-line?

Solution 1:

I ended up grabbing ntrights.exe from the Windows 2003 Resource Kit and placing it on the server, then running ntrights +r SeServiceLogonRight -u <my user>.

I didn't install the resource-kit, because

  • I only needed ntrights.exe
  • Installation threw some OLE-related errors (that seemed to be irrelevant, but still)

Solution 2:

If you have another computer that can connect a Group Policy Object MMC to the Core Server, that is the easiest way to edit the Logon As A Service privilege.

If not, you can create a file on the server with:

[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0

The list of SIDs is comma-separated. They have to be the actual SIDs, not the account names. You have to include all the SIDs; this doesn't add or remove, it replaces the current list.

Make a backup of your current configuration:

secedit /export /cfg c:\backup.txt

Once you've got the file you can run:

secedit /configure /db secedit.sdb /cfg filename.txt
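
Because the template replaces the whole list, the current holders of the right have to be carried over when one account is added. The following PowerShell script is an added example, not code from either answer: it exports the current user rights, merges the new SID into the existing SeServiceLogonRight line and applies the result. The account name, the file names and the [Version] header are assumptions of the example; run it from an elevated prompt.

```powershell
# Added example: grant SeServiceLogonRight while keeping the existing holders.
param(
    [string]$Account = 'MYSERVER\svc-example',   # placeholder account name
    [string]$WorkDir = $env:TEMP                 # where the working files go
)
$ErrorActionPreference = 'Stop'

# Resolve the account name to its SID for the template entry.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$export   = Join-Path $WorkDir 'user-rights-backup.inf'   # hypothetical names
$template = Join-Path $WorkDir 'user-rights-new.inf'
$db       = Join-Path $WorkDir 'user-rights.sdb'

# Export only the user-rights area; this file also serves as the backup.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed ($LASTEXITCODE)" }

# Read the current holders of the right; the line is absent if nobody has it.
$current = @()
$line = Get-Content $export |
    Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
    Select-Object -First 1
if ($line) {
    # Existing entries are kept exactly as secedit exported them.
    $current = @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Add the new SID only if it is not already listed.
$entry = "*$sid"
if ($current -notcontains $entry) { $current = @($current) + $entry }

# Single quotes keep "$CHICAGO$" literal instead of expanding a variable.
$lines = @(
    '[Unicode]'
    'Unicode=yes'
    '[Version]'
    'signature="$CHICAGO$"'
    'Revision=1'
    '[Privilege Rights]'
    ('SeServiceLogonRight = ' + ($current -join ','))
)
Set-Content -Path $template -Value $lines -Encoding Unicode

# Apply only the user-rights area from the merged template.
secedit /configure /db $db /cfg $template /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
"SeServiceLogonRight now: $($current -join ',')"
```

Reviewing the final list it prints is a quick check that no service account lost the right and that only the intended account gained it.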