Monday, April 16, 2018

How can I give a non-administrator permission to alter local security policy on Windows?


I'm working with a service that creates AD accounts. This service is not an administrator (and I don't want it to be) - but it needs to be able to give the newly created accounts the Log in as a Batch Job user right assignment (SeBatchLogonRight).


How might I give an unprivileged account permission to alter local security policy?


Answer



You can't.


Modifying the local security policy can only be done by members of the local Administrators group. This restriction is implemented internally within Windows and there are no settings exposed by which to change it.



but [the service] needs to be able to give the newly created accounts permission to log in as a batch job.



Code that is creating or modifying permissions for other user accounts needs to be at least as privileged as the permissions being assigned. It's illogical to imagine a process that can grant privileges greater than the code itself has, because in fact the code already has said privileges by virtue of the fact it can grant them.


Due to the restrictions on editing the local security policy, it will be necessary to give your service administrative level permissions.
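For reference, this is what the grant itself looks like once the code doing it does run with administrative rights. The script below is an added example, not part of the original question or answer; it uses the built-in secedit.exe to export the current user-rights assignments, append the target account's SID to SeBatchLogonRight, and re-import only that area. The account name, temp-directory layout and the elevation check are assumptions made for the example. It must be run from an elevated session, which is exactly the answer's point: the service (or whatever wraps this step) needs to be an administrator to do it.

```powershell
# Added example (not from the original post): grant SeBatchLogonRight ("Log on as a
# batch job") to one account with secedit.exe. Must run elevated.
param(
    [Parameter(Mandatory)][string]$Account   # assumed name, e.g. 'CONTOSO\svc-batch01'
)

$ErrorActionPreference = 'Stop'

# The answer's constraint, made explicit: user-rights changes require local admin.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Must run elevated: editing user rights requires local Administrators." }

# secedit templates reference principals as *S-1-5-..., so resolve the SID up front.
$sid = ([Security.Principal.NTAccount]$Account).Translate(
           [Security.Principal.SecurityIdentifier]).Value

# Scratch files (assumed layout).
$work   = Join-Path $env:TEMP ("ura-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$export = Join-Path $work 'current.inf'
$import = Join-Path $work 'grant.inf'
$db     = Join-Path $work 'grant.sdb'

try {
    # 1. Export only the user-rights area of the effective local policy.
    secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

    # 2. Find the existing SeBatchLogonRight line (absent if nobody holds it yet).
    $line = Get-Content $export | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ }
    }
    if ($holders -contains "*$sid") {
        Write-Output "$Account already holds SeBatchLogonRight; nothing to do."
        return
    }
    $newValue = (@($holders) + "*$sid") -join ','

    # 3. Write a minimal template containing just the changed right.
    #    Templates are UTF-16LE; Set-Content -Encoding Unicode produces that.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $newValue
"@ | Set-Content -Path $import -Encoding Unicode

    # 4. Apply it. Restricting /areas to USER_RIGHTS leaves every other area alone.
    secedit.exe /configure /db $db /cfg $import /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

    # 5. Verify by re-exporting and checking the SID is now listed.
    secedit.exe /export /cfg $export /areas USER_RIGHTS /quiet | Out-Null
    $after = Get-Content $export | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    if ($after -and $after -match [regex]::Escape("*$sid")) {
        Write-Output "Granted SeBatchLogonRight to $Account ($sid)."
    } else {
        throw "Post-check failed: $sid not present in SeBatchLogonRight after configure."
    }
}
finally {
    Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue
}
```

Two practical caveats. First, if a domain GPO defines SeBatchLogonRight for the machine, the local edit is overwritten at the next policy refresh; in that case the grant belongs in the GPO, not on the box. Second, since the step above has to run as an administrator anyway, the least-privilege shape of the original design is to keep the account-creating service unprivileged and hand this one operation to a separate, tightly scoped elevated step that accepts only an account name, rather than making the whole service an administrator.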

