
PowerShell script that grants the "Log on as a service" user right (SeServiceLogonRight) to an account in the Local Security Policy, using secedit.exe to export the current USER_RIGHTS area and re-import it with the account's SID prepended. It must be run from an elevated (Administrator) PowerShell session, because secedit.exe /configure needs that.

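function Grant-LogonAsService {
    <#
    .SYNOPSIS
        Grants the "Log on as a service" user right (SeServiceLogonRight) to an account
        in the Local Security Policy.
    .DESCRIPTION
        Resolves the account to its SID, exports the current USER_RIGHTS area with
        secedit.exe, and re-imports a minimal INF whose SeServiceLogonRight line is the
        existing list with "*<SID>" prepended. If the SID is already listed, nothing is
        changed.
    .PARAMETER accountToAdd
        Account name resolvable by System.Security.Principal.NTAccount, e.g.
        "MACHINE\svc_user" or "DOMAIN\user".
    .NOTES
        Must be run from an elevated (Administrator) session: secedit.exe /configure
        needs it. The exported policy and the generated INF are written to %TEMP% and
        deleted in the finally block - the export enumerates every right assignment on
        the host, so it should not be left behind.
        Throws when no account is given, when the account cannot be resolved, when the
        session is not elevated, and when secedit.exe returns a non-zero exit code.
        (Earlier versions called exit here, which also terminates the calling host.)
        Based on Ingo Karstein's script:
        https://blog.kenaro.com/2012/10/12/powershell-script-to-add-account-to-allow-logon-locally-privilege-on-local-security-policy/
        Original: https://gallery.technet.microsoft.com/PowerShell-script-to-add-b005e0f6
    #>
    param($accountToAdd)

    if ([string]::IsNullOrEmpty($accountToAdd)) {
        throw "no account specified"
    }

    # secedit.exe /configure does not apply anything without elevation; fail early
    # and loudly instead of printing "Done." after a no-op.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Grant-LogonAsService must be run from an elevated PowerShell session"
    }

    # Resolve the account to a SID; the INF uses the *SID form so it is unambiguous.
    $sidstr = $null
    try {
        $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
        $sidstr = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sidstr = $null
    }

    Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

    if ([string]::IsNullOrEmpty($sidstr)) {
        Write-Host "Account not found!" -ForegroundColor Red
        throw "Account '$accountToAdd' could not be resolved to a SID"
    }

    Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

    $tmp  = [System.IO.Path]::GetTempFileName()
    $tmp2 = $null
    try {
        Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
        # Only the USER_RIGHTS area is needed; exporting less keeps the temp file small.
        secedit.exe /export /cfg "$($tmp)" /areas USER_RIGHTS
        # If the export failed, $tmp is empty and the import below would REPLACE the
        # existing SeServiceLogonRight list with just this SID, stripping every other
        # account (including built-in service accounts) of the right. Never go on.
        if ($LASTEXITCODE -ne 0) {
            throw "secedit.exe /export failed with exit code $LASTEXITCODE"
        }

        $currentSetting = ""
        foreach ($line in (Get-Content -Path $tmp)) {
            if ($line -like "SeServiceLogonRight*") {
                $parts = $line.Split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
                # An empty right-hand side leaves only one part; treat it as "nobody".
                if ($parts.Length -gt 1) {
                    $currentSetting = $parts[1].Trim()
                }
            }
        }

        # Compare whole comma-separated entries, not substrings: a plain -like "*$sid*"
        # would report ...-1001 as present when only ...-10011 is listed.
        $existing = @()
        if (-not [string]::IsNullOrEmpty($currentSetting)) {
            $existing = $currentSetting.Split(",") | ForEach-Object { $_.Trim().TrimStart("*") }
        }

        if ($existing -contains $sidstr) {
            Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan
        } else {
            Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan

            if ([string]::IsNullOrEmpty($currentSetting)) {
                $currentSetting = "*$($sidstr)"
            } else {
                $currentSetting = "*$($sidstr),$($currentSetting)"
            }

            Write-Host "$currentSetting"

            # Minimal INF: only the one right is listed, so only that right is touched
            # when imported with /areas USER_RIGHTS.
            $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@

            $tmp2 = [System.IO.Path]::GetTempFileName()

            Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
            # secedit expects a UTF-16 INF, matching the [Unicode] header above.
            $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

            # /db is relative, so work in the temp directory to keep the scratch
            # database out of the current working directory.
            Push-Location (Split-Path $tmp2)
            try {
                secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
                if ($LASTEXITCODE -ne 0) {
                    throw "secedit.exe /configure failed with exit code $LASTEXITCODE"
                }
            } finally {
                Pop-Location
            }
        }
    } finally {
        # Remove the exported policy, the INF and the scratch database: the export
        # lists every user-right assignment on the host and has no business staying
        # in %TEMP%.
        $scratchDb = Join-Path (Split-Path $tmp) "secedit.sdb"
        foreach ($f in @($tmp, $tmp2, $scratchDb)) {
            if ($f -and (Test-Path -LiteralPath $f)) {
                Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
            }
        }
    }

    Write-Host "Done." -ForegroundColor DarkCyan
}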

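# Grant the right to the account running this script. WindowsIdentity yields
# "DOMAIN\user" for domain accounts and "MACHINE\user" for local ones, so the
# name resolves in both cases; "COMPUTERNAME\USERNAME" only resolves for local
# accounts and fails with "Account not found!" under a domain user.
Grant-LogonAsService ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)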