2008-11-24 89 views
9

我試圖使用powershell來配置帳戶憑據,但我需要授予帳戶「作爲服務登錄」才能使其正常工作。我如何在PowerShell中做到這一點?使用powershell,我如何授予「登錄爲服務」帳戶?

+0

我試圖做同樣的,在Windows Server 2008 R2的x64 * *的核心,它不出貨與ntrights.exe(在答案的鏈接文章中提到的工具)。還有什麼幫助? – 2012-01-06 16:40:45

+0

另一個選項在這裏:https://code.msdn.microsoft.com/windowsapps/Add-log-on-as-a-service-a64dd63c – Rory 2015-12-07 15:50:27

回答

1

PowerShell沒有這樣做的本地方法,這意味着您可能會在看WMI或ADSI - 您更可能在VBScript中找到示例,儘管它本身已經更長不要以爲我已經想出瞭如何以編程方式分配用戶權限。儘管如此,這並不意味着它無法完成,但您可能會專注於PowerShell領域之外。

10

PowerShell腳本下面將授予SeServiceLogonRight通過COMPUTERNAME指定爲以用戶名指定的用戶的主機上(該腳本是從這裏的摘錄:https://gist.github.com/grenade/8519655):

<# 
.Synopsis 
    Grant logon as a service right to the defined user. 
.Parameter computerName 
    Defines the name of the computer where the user right should be granted. 
    Default is the local computer on which the script is run. 
.Parameter username 
    Defines the username under which the service should run. 
    Use the form: domain\username. 
    Default is the user under which the script is run. 
.Example 
    Usage: 
    .\GrantSeServiceLogonRight.ps1 -computerName hostname.domain.com -username "domain\username" 
#> 
param(
    [string] $computerName = ("{0}.{1}" -f $env:COMPUTERNAME.ToLower(), $env:USERDNSDOMAIN.ToLower()), 
    [string] $username = ("{0}\{1}" -f $env:USERDOMAIN, $env:USERNAME) 
) 
Invoke-Command -ComputerName $computerName -Script { 
    param([string] $username) 
    $tempPath = [System.IO.Path]::GetTempPath() 
    $import = Join-Path -Path $tempPath -ChildPath "import.inf" 
    if(Test-Path $import) { Remove-Item -Path $import -Force } 
    $export = Join-Path -Path $tempPath -ChildPath "export.inf" 
    if(Test-Path $export) { Remove-Item -Path $export -Force } 
    $secedt = Join-Path -Path $tempPath -ChildPath "secedt.sdb" 
    if(Test-Path $secedt) { Remove-Item -Path $secedt -Force } 
    try { 
    Write-Host ("Granting SeServiceLogonRight to user account: {0} on host: {1}." -f $username, $computerName) 
    $sid = ((New-Object System.Security.Principal.NTAccount($username)).Translate([System.Security.Principal.SecurityIdentifier])).Value 
    secedit /export /cfg $export 
    $sids = (Select-String $export -Pattern "SeServiceLogonRight").Line 
    foreach ($line in @("[Unicode]", "Unicode=yes", "[System Access]", "[Event Audit]", "[Registry Values]", "[Version]", "signature=`"`$CHICAGO$`"", "Revision=1", "[Profile Description]", "Description=GrantLogOnAsAService security template", "[Privilege Rights]", "SeServiceLogonRight = *$sids,*$sid")){ 
     Add-Content $import $line 
    } 
    secedit /import /db $secedt /cfg $import 
    secedit /configure /db $secedt 
    gpupdate /force 
    Remove-Item -Path $import -Force 
    Remove-Item -Path $export -Force 
    Remove-Item -Path $secedt -Force 
    } catch { 
    Write-Host ("Failed to grant SeServiceLogonRight to user account: {0} on host: {1}." -f $username, $computerName) 
    $error[0] 
    } 
} -ArgumentList $username 
4

這就是我解決它的方法:

根據:this article

可以按如下方式下載Carbon from here

首次進口碳模塊:

Import-Module -Name $Path_To_Carbon -Global -Prefix CA 

[array]$UserPrivileges = Get-CAPrivileges -Identity $UserName; 
[bool]$LogOnAsAServiceprivilegeFound = $false; 

if ($UserPrivileges.Length > 0) 
{ 
    if ($UserPrivileges -contains "SeServiceLogonRight") 
    { 
     $LogOnAsAServiceprivilegeFound = $true; 
    } 
} 

if ($LogOnAsAServiceprivilegeFound -eq $false) 
{ 
    Grant-CAPrivilege -Identity $UserName "SeServiceLogonRight" 
} 
相關問題