Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignments (remotely or locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022


This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Logon as a Service right to a user. I modified the script so that you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

How to get it.


All of the User Rights that can be set:

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

To check the local user rights, you will need to run the above script (Get-UserRights); you may copy and paste it into the PowerShell ISE and press play.

Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

Managing Privileges using PoshPrivilege

A recent project of mine has been to write a module to manage privileges on a local system. What I came up with is a module called PoshPrivilege that allows you not only to look at what user rights are available on a local or remote system, but also to Add, Remove, Enable and Disable the privileges.

If you are running PowerShell V5, you can download this module from the PowerShell Gallery:

Otherwise, check out my GitHub page where I am maintaining this project:

https://github.com/proxb/PoshPrivilege

I won’t spend time talking about how I wrote this module and my reasons behind it. What I will say is that instead of writing out C# code and then using Add-Type to compile it, I went with the Reflection approach of building out everything from the pinvoke signatures for methods to the Structs and even the Enums.

Let’s get started by looking at what is available in this module. The first function that is available is Get-Privilege and it comes with a few parameters. This function’s purpose is to let you view what privileges are currently available on the system (local or remote) as well as what is currently applied to your current process token.


A quick run through of using this function with various parameters:


If this one looks familiar, then you have probably used the following command:

I opted for boolean values instead to determine the state for easier filtering if needed.

Up next are the Enable/Disable-Privilege functions. These work to Enable or Disable the privileges that are currently available on your local system to your process token. This means that if something like SeDebugPrivilege isn’t available on your system (such as being removed via Group Policy), then you cannot use Enable-Privilege to add your process token to this privilege. As in the previous image where we can see what is enabled and disabled, these are the only privileges that are available for me to work with.

To show this point, I am going to enable both SeSecurityPrivilege and SeDebugPrivilege so you can see that while the first privilege will show as Enabled, the other will not appear as it has not been made available.


As you can see from the picture, SeSecurityPrivilege has been enabled as expected, but SeDebugPrivilege is nowhere to be found. If we want SeDebugPrivilege, we will need to go about this another way which will be shown shortly.

Disabling a privilege can be done using Disable-Privilege as shown in the example below.


Now that I have covered Enabling and Disabling of the privileges and their limitations, I will move on to the Add/Remove-Privilege functions, which allow you to add a privilege for a user or group, or remove it, on a local system. Note that this only works up until it gets reverted if set by group policy. The change will also not show up if you look at the privileges available on your current process token (you will need to log off and log back in to see it).

Remember that I do not have SeDebugPrivilege available to use? Well, now we can add it to my own account using Add-Privilege.


We can see it is now available, but as I mentioned before, it doesn’t show up in my current process. A logoff and login now shows that it is not only available, but already enabled.


With this now enabled, we could disable it as well if needed using Disable-Privilege. I added my account for show, but we can also add groups this way as well.

As with Adding a privilege, we can remove privileges as well using Remove-Privilege.


As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account.

Again, you can install this module using Install-Module if running PowerShell V5 and this project is out on GitHub to download (and contribute to as well). Enjoy!


4 responses to managing privileges using poshprivilege.


I downloaded the scripts from Github, but getting compile errors.

Specifically the errors are around the WInOS Structures listed below:

Unable to find type [LUID]: make sure that the assembly containing this type is loaded.
Unable to find type [LSA_UNICODE_STRING]: make sure that the assembly containing this type is loaded.
Unable to find type [LARGE_INTEGER]: make sure that the assembly containing this type is loaded.
Unable to find type [LUID_AND_ATTRIBUTES]: make sure that the assembly containing this type is loaded.
Unable to find type [TokPriv1Luid]: make sure that the assembly containing this type is loaded.

Unable to find type [TOKEN_INFORMATION_CLASS]: make sure that the assembly containing this type is loaded.

Unable to find type [ProcessAccessFlags]: make sure that the assembly containing this type is loaded.

BTW, I have posted the full error log @ https://docs.google.com/document/d/18boeWSbvlLwpoIAMTJAp0ooNaLxe6kniYrJr_q3ZNMQ/edit?usp=sharing


Just a question, how can I grant the SESecurityPrivilege to the Set-Acl process ? If I do a whoami /priv I can see my useraccount (PS –> run as administrator) I can see the privilege is enabled, but when I try to run the script I have I get the following error :

Set-Acl : The process does not possess the ‘SeSecurityPrivilege’ privilege which is required for this operation.
At C:\Scripts\SESOG\ImportACLSEv2.ps1:16 char:16
+ $acl | Set-Acl $path
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (P:\Common:String) [Set-Acl], PrivilegeNotHeldException
+ FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

The script looks like this:

    # Each CSV row carries a path and the parts of one access rule
    $par = Import-Csv -Path "c:\scripts\sesog\ImportMainCC.csv" -Delimiter ";"

    foreach ($i in $par) {
        $path              = $i.Path
        $IdentityReference = $i.IdentityReference
        $AccessControlType = $i.AccessControlType
        $InheritanceFlags  = $i.InheritanceFlags
        $PropagationFlags  = $i.PropagationFlags
        $FileSystemRights  = $i.FileSystemRights
        echo $path $IdentityReference
        $acl = Get-Acl $path
        # Argument order matches the FileSystemAccessRule constructor
        $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
        $acl.SetAccessRule($accessRule)
        $acl | Set-Acl $path
    }

In the import csv a path is set and exported export rights from the original location (I am doing a fileserver migration) but on each of the folders mentioned the inheritance flag has been removed.


You are a lifesaver! I have been fretting over how to manage service account rights on remote servers – each OU has a corresponding AD security group and GPO, and doing this manually is both time-consuming and fraught with error. I can’t wait to try this out. First PoshWSUS, then this …you rock.


MorganTechSpace

Set Logon As A Service right to User by Powershell, C#, CMD and VBScript

Description.

In this article, I am going to explain how to set or grant a user the Logon As A Service permission/privilege using Local Security Policy, VBScript, PowerShell, C# and a command-line tool.

Set Logon As A Service right to user using Local Security Policy

  • Grant User Logon As A Service privilege via Powershell
  • Set User Logon As A Service permission using C#
  • Set User Logon As A Service right via Command Line
  • Grant Logon As A Service privilege to user via VBScript

Follow the below steps to set Log on As Service right via Local Security Policy

1. Open the Run window by pressing the ‘Windows’ + ‘R’ keys.
2. Type the command secpol.msc in the text box and click OK.
3. The Local Security Policy window will now open; in that window, navigate to the node User Rights Assignment (Security Settings -> Local Policies -> User Rights Assignment). In the right-side pane, search for and select the policy Log on as a service.
4. Double-click the policy Log on as a service; in the window that opens, click the button Add User or Group, select the user to whom you want to grant the logon as a service right and click OK, then click the Apply button to finish.

Set or Grant User Logon As A Service right via Powershell

We can set the Logon As A Service right for a user in PowerShell by importing the third-party DLL (Carbon). Before you run the below script, you need to download the latest Carbon files from here: Download Carbon DLL.

Steps to follow to set Logon As A Service right via Powershell :

  1. Download the latest Carbon files from here: Download Carbon DLL.
  2. Once you have downloaded the files, extract the zip file; you will find the Carbon DLL inside the bin folder (in my case: C:\Users\Administrator\Downloads\Carbon\bin\Carbon.dll).
  3. Copy the below PowerShell script commands and paste them into Notepad or a text file.
  4. Replace the Carbon DLL path in the script with your own path in the variable $CarbonDllPath.
  5. You can also replace the user identity that you are going to grant the logon as a service right in the variable $Identity.
  6. Open a PowerShell window with admin privileges (Run as Administrator).
  7. Copy the edited PowerShell script and run it in PowerShell to set the logon as a service right.

Powershell output :


Other web site links for Carbon DLL:
  https://bitbucket.org/splatteredbits/carbon/downloads
  http://pshdo.com/
  http://get-carbon.org/help/Grant-Privilege.html

Set or Grant User Logon As A Service right/permission to user using C#

You can use the function GrantUserLogOnAsAService to set Logon as a Service right to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file

Set Logon As A Service right to user via Command Line

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3.

Refer: http://support.microsoft.com/kb/266280

Set Logon As A Service right

Revoke Logon As A Service right

Set or Grant Logon As Service right/privilege to user via VBScript

1. Copy the below example VBScript code and paste it into Notepad or a VBScript editor.
2. Change the value for strUserName if you want to give your own name; otherwise simply leave it.
3. Save the file with a .vbs extension, for example: SetLogonAsAServiceRight.vbs
4. Double-click the VBScript file (or run this file from a command window) to set the Logon As Service right/permission for the user.

Thanks, Morgan Software Developer ———————


How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell

I've read some documentation on Microsoft and other sites. Some of them suggest GPRegistryValue for registry-based policies and other recommended third-party software.

The full path of the key is: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"

But in my case I cannot use other packages except CMD or PowerShell (UI not available).

  • group-policy
  • windows-server

Daniel Teodoro's user avatar

  • superuser.com/questions/1254253/… and blakedrumm.com/blog/set-and-check-user-rights-assignment might help you for a starting point to play with. –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:25
  • This is just local security policy settings. What did you search for as this is a common task? powershell 'Local User Rights Management' –  postanote Nov 25, 2022 at 21:37

Windows provides the secedit.exe tool for this and/or custom code, as per the link provided in my comment to you.

Also, did you check the mspowershellgallery.com site for modules that assist with local user security policy?

Update as per '@Vomit IT - Chunky Mess Style', suggestion.

The more succinct/elegant option.

FYI --- Update for '@Vomit IT - Chunky Mess Style'. Using the PS_LSA.Wrapper

postanote's user avatar

  • 1 @VomitIT-ChunkyMessStyle... update provided. –  postanote Nov 25, 2022 at 21:43
  • Oh yeah, now you're talking!!! I saw github examples of that Indented.SecurityPolicy you suggested listed there. I like it! –  Vomit IT - Chunky Mess Style Nov 25, 2022 at 21:55
  • 1 Yeppers, I've got a bunch of these I've collected, refactored, and written over the years in different engagements. Even one using the underlying OS PS_LSA Windows library. –  postanote Nov 25, 2022 at 22:06
  • Thanks for helping me.The module of 'SecurityPolicy' is available, but when I try to find its modules "Get-Command -Module 'SecurityPolicy'" nothing is listed. Thus, I can't execute 'Add-UserRightsAssignment'. –  Daniel Teodoro Nov 29, 2022 at 13:38
  • If you did this Get-Command -Module 'SecurityPolicy' , and you see nothing? If so, that means it's not installed/in your PSModulePath. Did you install the module as I show in my suggested answer? If not, then you need to. Then you use Get-Module -ListAvailable to validate it's on your system. –  postanote Nov 30, 2022 at 6:37
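One way to do what the question asks with only built-in tooling, as an added example that is not from any of the posts above: export the user-rights area with secedit.exe, append the group's SID to SeShutdownPrivilege (the constant behind “Shut down the system”), and re-apply it. The function names, temp file names, the CONTOSO\ShutdownOperators placeholder and the sample INF (constructed) are assumptions; the live call needs an elevated session.

```powershell
# Added example: grant a user right using secedit.exe only.
# Function names and file names are illustrative assumptions.

function Add-SidToRight {
    # Return the INF lines with *<Sid> appended to the given right. User-right
    # constant names only occur under [Privilege Rights], so a line match is enough.
    param(
        [string[]]$InfLines,
        [Parameter(Mandatory)][string]$Right,
        [Parameter(Mandatory)][string]$Sid
    )
    $pattern = '^\s*{0}\s*=\s*(.*)$' -f [regex]::Escape($Right)
    $found   = $false
    $out = foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            $found   = $true
            $holders = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($holders -notcontains "*$Sid") { $holders += "*$Sid" }   # idempotent
            '{0} = {1}' -f $Right, ($holders -join ',')
        } else {
            $line
        }
    }
    if (-not $found) {
        # A right with no holders has no line in the export: create it.
        $out = foreach ($line in $out) {
            $line
            if ($line.Trim() -eq '[Privilege Rights]') { '{0} = *{1}' -f $Right, $Sid }
        }
    }
    $out
}

function Grant-UserRightWithSecedit {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$Right = 'SeShutdownPrivilege'
    )
    # Resolve the account first so a typo fails before anything is changed.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    $db  = Join-Path $env:TEMP 'user-rights.sdb'
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $new = Add-SidToRight -InfLines (Get-Content -Path $cfg) -Right $Right -Sid $sid
        # Write the template back in the UTF-16 encoding secedit exported it in.
        Set-Content -Path $cfg -Value $new -Encoding Unicode
        secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }
    } finally {
        Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
    }
}

# Constructed sample export; S-1-5-32-545 is the well-known BUILTIN\Users SID.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Offline demonstration of the edit that would be applied.
Add-SidToRight -InfLines $sampleInf -Right 'SeShutdownPrivilege' -Sid 'S-1-5-32-545'

# Live host, elevated (placeholder group name):
# Grant-UserRightWithSecedit -Account 'CONTOSO\ShutdownOperators'
```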


User Rights Assignment

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional provides an overview of, and links to information about, the User Rights Assignment security policy settings, that is, the user rights that are available in the Windows operating system.

User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local computer by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see How to Configure Security Policy Settings .

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.


TheITBros

Managing “Logon As a Service” Permissions Using Group Policy or PowerShell

“Log on as a service” is a security policy in Microsoft Windows operating systems that specifies which user accounts or groups are allowed to start and run Windows services. Services are programs running in the background and performing various tasks without user interaction. They are essential components of the Windows operating system and are used for networking, hardware management, and system monitoring tasks.

When a service starts, it must run under a specific user account, either a built-in system account or a custom user account. The “Log on as a service” policy defines which accounts or groups have the privilege to be assigned as the login credentials for these services. This policy is crucial for maintaining security and preventing unauthorized access to system resources.

Configuring the “Log on as a service” policy involves assigning specific accounts or groups the right to log on as a service. By default, only certain built-in accounts and groups have this privilege. Suppose an application or service requires a specific user account to function correctly. That account needs to be explicitly added to the “Log on as a service” policy to ensure it has the necessary permissions.

“Log on as a service” Rights vs. Privileges User Account

Assigning a specific user account to run Windows services using the “Log on as a service” privilege offers several advantages over using the built-in Local System account or other privileged user accounts:

  • Principle of Least Privilege: The principle of least privilege suggests that users, processes, and services should have only the permissions necessary to perform their tasks. Assigning a dedicated user account to run a service allows you to grant precisely the required permissions for that service, reducing the risk of unintended actions or security breaches.
  • Isolation of Services: By using individual user accounts for each service, you can isolate the privileges and resources associated with each service. This isolation helps prevent one compromised service from affecting other services or system components.
  • Auditability: Using separate user accounts for services makes it easier to track and audit the activities of each service. In the event of security incidents or unauthorized access, it’s simpler to identify the responsible service when services are associated with distinct user accounts.
  • Controlled Access: Assigning specific accounts to services allows you to control who has access to run those services. You can restrict the accounts with the “Log on as a service” privilege, reducing the attack surface and improving overall security.
  • Password Management: Services associated with dedicated user accounts can manage their passwords separately. This is especially useful in scenarios where password changes are required periodically or when following password management policies.
  • Compatibility: Some applications and services are designed to work best under a specific user context rather than the Local System account. Running them as the Local System might lead to compatibility issues or limited functionality.
  • Granular Permissions: User accounts assigned to services can have finely tuned permissions. This is particularly important when services interact with specific network resources, databases, or other systems. Assigning the appropriate permissions ensures smooth service operation without granting excessive privileges.
  • Debugging and Troubleshooting: When services run under a specific user account, troubleshooting issues becomes easier. You can log in with that account to test and diagnose problems directly, which can be more challenging when using the Local System account.

While there are definite benefits to using dedicated user accounts for services, managing these accounts effectively is essential. Proper management includes maintaining strong passwords, adhering to password policies, and ensuring that the accounts themselves are not susceptible to unauthorized access.

In some cases, certain services may require more extensive privileges, making using the Local System account necessary. But, when possible, using the “Log on as a service” privilege to assign specific user accounts to services is a recommended security practice that enhances control, accountability, and overall system security.

Managing “Log on as a service” Rights Assignments via Group Policy

You can configure the “Log on as a service” rights assignment via the local or domain group policy.

Note. When you deploy the “Log on as a service” policy via Group Policy Object (GPO), the policy settings you define in the GPO will overwrite the existing list of accounts on the target computers. The GPO settings for “Log on as a service” will replace any existing accounts or groups granted the privilege.
  • If deploying via GPO, open the Group Policy Management console ( gpmc.msc ) and open the group policy object to modify or create a new one.
  • If modifying the local machine’s group policy, open the local group policy editor ( secpol.msc )

Note. The “NT SERVICE\ALL SERVICES” group is added to the “Log on as a service” policy by default on Windows Server 2016, Windows 10, and later.

  • THEITBROS\CA IT Ops — domain group
  • THEITBROS\jmiller — domain user
  • PCX\localadmin01 — local user


Managing “Log on as a service” Rights Assignments via PowerShell

Managing the “Log on as a service” rights assignments in the command line is beneficial for systems without a desktop environment, such as Windows Server Core, and when managing computers during remote PowerShell sessions.

There are no native PowerShell cmdlets to manage the “Log on as a service” policy as of this writing. The only native command line tool that can modify the local security policies is the secedit.exe tool.

Download the “Log on as a service” Management Scripts

So, we created three PowerShell script wrappers for secedit.exe that you can download from the following links:

  • [ PS-Manage-Log-On-As-A-Service ] — The public GitHub repository.
  • [ Get-ServiceLogonRight.ps1 ] — A script to retrieve the local machine’s current “Log on as a service” rights.
  • [ Add-ServiceLogonRight.ps1 ] — A script to add a user and group to the “Log on as a service” policy.
  • [ Remove-ServiceLogonRight.ps1 ] — A script to remove a user or group from the current “Log on as a service” policy.

Download the above scripts and store them in a folder on your computer. Then open an elevated PowerShell session (run as admin), and change the working directory to where you saved the scripts.


List the Current “Log on as a service” Rights Assignments

To list the current accounts in the “Log on as a service” policy, run the below script.


Add Users and Groups to the “Log on as a service” Policy

To add a user or group to the “Log on as a service” Policy, follow the below example commands.

# Add a local group
.\Add-ServiceLogonRight.ps1 -UserOrGroup <local group>

# Add a domain user account
.\Add-ServiceLogonRight.ps1 -UserOrGroup <DOMAIN\user>

# Add a domain group
.\Add-ServiceLogonRight.ps1 -UserOrGroup <DOMAIN\group>

Confirm that the new users and groups were added to the “Log on as a service” policy.


What happens if you add a non-existing group or user to the “Log on as a service” policy? You’ll get this message.


Remove Users and Groups from the “Log on as a service” Policy

When a group or user is no longer viable for the “Log on as a service” policy, you can remove it using the Remove-ServiceLogonRight.ps1 script.

# Remove a local group
.\Remove-ServiceLogonRight.ps1 -UserOrGroup localadmingroup02

# Remove a domain user
.\Remove-ServiceLogonRight.ps1 -UserOrGroup 'THEITBROS\ebrown'

# Remove a domain group
.\Remove-ServiceLogonRight.ps1 -UserOrGroup 'THEITBROS\CA Server Admins'

Run the .\Get-ServiceLogonRight.ps1 script to confirm that the users and groups have been removed.

What happens if you remove a user or group that is not in the “Log on as a service” policy? You’ll get the following message.

While there are scenarios where services necessitate greater privileges and the use of the Local System account, assigning specific user accounts through the “Log on as a service” policy is recommended to enhance control, accountability, and overall system security.

This article has also covered methods for managing “Log on as a service” rights assignments via Group Policy and PowerShell.

For PowerShell users, the article introduced scripts using the secedit.exe tool to manage these rights assignments. These scripts include Get-ServiceLogonRight.ps1 to retrieve current rights, Add-ServiceLogonRight.ps1 to add users or groups, and Remove-ServiceLogonRight.ps1 to remove them.

Lastly, minimizing the number of user accounts to which you grant the “Log on as a service” permissions is advisable. To reduce security risks, you should turn off interactive and remote interactive sessions for service accounts.
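The following audit is an added example, not code from the three scripts linked above. It parses the [Privilege Rights] section of a secedit export and, for each principal holding SeServiceLogonRight, reports whether it is also listed directly under SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight. Using those two deny rights to "turn off" interactive and remote interactive sessions is an assumption of this example, and the function names and sample INF content are constructed for illustration.

```powershell
# Added example; function names and the sample INF below are constructed.

function Export-UserRights {
    # Dump the local user rights to a temporary INF file and return its lines.
    # Requires an elevated session.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        Get-Content -LiteralPath $cfg
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function ConvertFrom-UserRightsInf {
    # Return a hashtable: right constant name -> array of principals.
    # SIDs are exported with a leading '*', which is stripped here.
    param([Parameter(Mandatory)][string[]]$Line)
    $rights = @{}
    $inSection = $false
    foreach ($l in $Line) {
        $t = $l.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Principal {
    # Translate a SID string to DOMAIN\name; keep the raw value if it cannot
    # be resolved (orphaned SID, unreachable domain) or is already a name.
    param([string]$Id)
    if ($Id -notlike 'S-1-*') { return $Id }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Id
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { return $Id }
}

function Get-ServiceLogonAudit {
    # Only direct entries are compared. A deny right inherited through group
    # membership is not visible in the export and will show as False here.
    param([Parameter(Mandatory)][hashtable]$Rights)
    $denyLocal = @($Rights['SeDenyInteractiveLogonRight'])
    $denyRdp   = @($Rights['SeDenyRemoteInteractiveLogonRight'])
    foreach ($id in $Rights['SeServiceLogonRight']) {
        [pscustomobject]@{
            Principal             = Resolve-Principal $id
            Id                    = $id
            DenyInteractive       = $denyLocal -contains $id
            DenyRemoteInteractive = $denyRdp -contains $id
        }
    }
}

# Constructed sample of a secedit export (the domain SID is made up).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_backup
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = ConvertFrom-UserRightsInf -Line $sample
# On a live machine, from an elevated session:
# $rights = ConvertFrom-UserRightsInf -Line (Export-UserRights)
Get-ServiceLogonAudit -Rights $rights | Format-Table -AutoSize
```

Rows where both deny columns are False are the accounts to review against the recommendation above; virtual service principals such as S-1-5-80-0 will normally appear there as well.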

Cyril Kardashevsky

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

Thank you. Literally NO ONE in Enterprise IT understands this about most of the stuff in the User Rights Assignment of Group Policy. I’ve fixed so many outages due to admins setting this via GPO across many servers and overwriting what’s already set in there by x, y, z application that was installed who put accounts in there. Admins just blindly follow along application documentation or posts like this. I’m so tired of it.

– Angry Sr. Systems Admin LOL

Been like this for 20 years now.

Microsoft really needs to add switches for append, remove and replace for setting group policy objects, or just remove these from GPO management altogether as it’s half baked.

Please follow this up with how to set Logon As a Service for a user or group policy on Windows Server 2016 Core – there is no GUI, no control panel, no gpedit.msc, no gpmc.msc, no services.msc, etc etc.

For example, to set up Jenkins requires a user account with Logon As a Service enabled. Thank you

Mac keyboard shortcuts

By pressing certain key combinations, you can do things that normally need a mouse, trackpad, or other input device.

Using keyboard shortcuts

Common shortcuts like cut, copy, paste

Sleep, log out, and shut down shortcuts

Finder and system shortcuts, document shortcuts, accessibility shortcuts, other shortcuts.

To use a keyboard shortcut, press and hold one or more modifier keys and then press the last key of the shortcut. For example, to use Command-C (copy), press and hold the Command key, then the C key, then release both keys. Mac menus and keyboards often use symbols for certain keys , including modifier keys:

Command (or Cmd) ⌘

Option (or Alt) ⌥

Control (or Ctrl) ⌃

Caps Lock ⇪

On keyboards made for Windows PCs, use the Alt key instead of Option, and the Ctrl key or Windows logo key instead of Command.

Cut, copy, paste, and other common shortcuts

Command-X : Cut the selected item and copy it to the Clipboard.

Command-C : Copy the selected item to the Clipboard. This also works for files in the Finder.

Command-V : Paste the contents of the Clipboard into the current document or app. This also works for files in the Finder.

Command-Z : Undo the previous command. You can then press Shift-Command-Z to Redo, reversing the undo command. In some apps, you can undo and redo multiple commands.

Command-A : Select All items.

Command-F : Find items in a document or open a Find window.

Command-G : Find Again: Find the next occurrence of the item previously found. To find the previous occurrence, press Shift-Command-G.

Command-H : Hide the windows of the front app. To view the front app but hide all other apps, press Option-Command-H.

Command-M : Minimize the front window to the Dock. To minimize all windows of the front app, press Option-Command-M.

Command-O: Open the selected item, or open a dialog to select a file to open.

Command-P : Print the current document.

Command-S : Save the current document.

Command-T : Open a new tab.

Command-W : Close the front window. To close all windows of the app, press Option-Command-W.

Option-Command-Esc : Force quit an app.

Command–Space bar : Show or hide the Spotlight search field. To perform a Spotlight search from a Finder window, press Command–Option–Space bar. (If you use multiple input sources to type in different languages, these shortcuts change input sources instead of showing Spotlight. Learn how to change a conflicting keyboard shortcut .)

Control–Command–Space bar : Show the Character Viewer, from which you can choose emoji and other symbols .

Control-Command-F : Use the app in full screen, if supported by the app.

Space bar : Use Quick Look to preview the selected item.

Command-Tab : Switch to the next most recently used app among your open apps.

Command–Grave accent (`): Switch between the windows of the app you're using. (The character on the second key varies by keyboard. It's generally the key above the Tab key and to the left of the number 1.)

Shift-Command-5 : In macOS Mojave or later , take a screenshot or make a screen recording. Or use Shift-Command-3 or Shift-Command-4 for screenshots. Learn more about screenshots .

Shift-Command-N: Create a new folder in the Finder.

Command-Comma (,) : Open preferences for the front app.

You might need to press and hold some of these shortcuts for slightly longer than other shortcuts. This helps you to avoid using them unintentionally.

Power button : Press to turn on your Mac or wake it from sleep. Press and hold for 1.5 seconds to put your Mac to sleep.* Continue holding to force your Mac to turn off.

Control–Command–Power button :* Force your Mac to restart, without prompting to save any open and unsaved documents.

Control-Command-Q : Immediately lock your screen.

Shift-Command-Q : Log out of your macOS user account. You will be asked to confirm. To log out immediately without confirming, press Option-Shift-Command-Q.

* Does not apply to the Touch ID sensor .

Command-D : Duplicate the selected files.

Command-E : Eject the selected disk or volume.

Command-F : Start a Spotlight search in the Finder window.

Command-I : Show the Get Info window for a selected file.

Command-R : (1) When an alias is selected in the Finder: show the original file for the selected alias. (2) In some apps, such as Calendar or Safari, refresh or reload the page. (3) In Software Update, check for software updates again.

Shift-Command-C : Open the Computer window.

Shift-Command-D : Open the desktop folder.

Shift-Command-F : Open the Recents window, showing all of the files you viewed or changed recently.

Shift-Command-G : Open a Go to Folder window.

Shift-Command-H : Open the Home folder of the current macOS user account.

Shift-Command-I : Open iCloud Drive.

Shift-Command-K : Open the Network window.

Option-Command-L : Open the Downloads folder.

Shift-Command-N: Create a new folder.

Shift-Command-O : Open the Documents folder.

Shift-Command-P : Show or hide the Preview pane in Finder windows.

Shift-Command-R : Open the AirDrop window.

Shift-Command-T : Show or hide the tab bar in Finder windows.

Control-Shift-Command-T : Add selected Finder item to the Dock (OS X Mavericks or later)

Shift-Command-U : Open the Utilities folder.

Option-Command-D : Show or hide the Dock.

Control-Command-T : Add the selected item to the sidebar (OS X Mavericks or later).

Option-Command-P : Hide or show the path bar in Finder windows.

Option-Command-S : Hide or show the Sidebar in Finder windows.

Command–Slash (/) : Hide or show the status bar in Finder windows.

Command-J : Show View Options.

Command-K : Open the Connect to Server window.

Control-Command-A : Make an alias of the selected item.

Command-N : Open a new Finder window.

Option-Command-N : Create a new Smart Folder.

Command-T : Show or hide the tab bar when a single tab is open in the current Finder window.

Option-Command-T : Show or hide the toolbar when a single tab is open in the current Finder window.

Option-Command-V : Move the files in the Clipboard from their original location to the current location.

Command-Y : Use Quick Look to preview the selected files.

Option-Command-Y : View a Quick Look slideshow of the selected files.

Command-1 : View the items in the Finder window as icons.

Command-2 : View the items in a Finder window as a list.

Command-3 : View the items in a Finder window in columns.

Command-4 : View the items in a Finder window in a gallery.

Command–Left Bracket ([) : Go to the previous folder.

Command–Right Bracket (]) : Go to the next folder.

Command–Up Arrow : Open the folder that contains the current folder.

Command–Control–Up Arrow : Open the folder that contains the current folder in a new window.

Command–Down Arrow : Open the selected item.

Right Arrow : Open the selected folder. This works only when in list view.

Left Arrow : Close the selected folder. This works only when in list view.

Command-Delete : Move the selected item to the Trash.

Shift-Command-Delete : Empty the Trash.

Option-Shift-Command-Delete : Empty the Trash without confirmation dialog.

Command–Brightness Down : Turn video mirroring on or off when your Mac is connected to more than one display.

Option–Brightness Up : Open Displays preferences. This works with either Brightness key.

Control–Brightness Up or Control–Brightness Down : Change the brightness of your external display, if supported by your display.

Option–Shift–Brightness Up or Option–Shift–Brightness Down : Adjust the display brightness in smaller steps. Add the Control key to this shortcut to make the adjustment on your external display, if supported by your display.

Option–Mission Control : Open Mission Control preferences.

Command–Mission Control : Show the desktop.

Control–Down Arrow : Show all windows of the front app.

Option–Volume Up : Open Sound preferences. This works with any of the volume keys.

Option–Shift–Volume Up or Option–Shift–Volume Down : Adjust the sound volume in smaller steps.

Option–Keyboard Brightness Up : Open Keyboard preferences. This works with either Keyboard Brightness key.

Option–Shift–Keyboard Brightness Up or Option–Shift–Keyboard Brightness Down : Adjust the keyboard brightness in smaller steps.

Option key while double-clicking : Open the item in a separate window, then close the original window.

Command key while double-clicking : Open a folder in a separate tab or window.

Command key while dragging to another volume : Move the dragged item to the other volume, instead of copying it.

Option key while dragging : Copy the dragged item. The pointer changes while you drag the item.

Option-Command while dragging : Make an alias of the dragged item. The pointer changes while you drag the item.

Option-click a disclosure triangle : Open all folders within the selected folder. This works only when in list view.

Command-click a window title : See the folders that contain the current folder.

Learn how to use Command or Shift to select multiple items in the Finder .

Click the Go menu in the Finder menu bar to see shortcuts for opening many commonly used folders, such as Applications, Documents, Downloads, Utilities, and iCloud Drive.

The behavior of these shortcuts may vary with the app you're using.

Command-B : Boldface the selected text, or turn boldfacing on or off.

Command-I : Italicize the selected text, or turn italics on or off.

Command-K : Add a web link.

Command-U : Underline the selected text, or turn underlining on or off.

Command-T : Show or hide the Fonts window.

Command-D : Select the Desktop folder from within an Open dialog or Save dialog.

Control-Command-D : Show or hide the definition of the selected word.

Shift-Command-Colon (:) : Display the Spelling and Grammar window.

Command-Semicolon (;) : Find misspelled words in the document.

Option-Delete : Delete the word to the left of the insertion point.

Control-H : Delete the character to the left of the insertion point. Or use Delete.

Control-D : Delete the character to the right of the insertion point. Or use Fn-Delete.

Fn-Delete : Forward delete on keyboards that don't have a Forward Delete key. Or use Control-D.

Control-K : Delete the text between the insertion point and the end of the line or paragraph.

Fn–Up Arrow : Page Up: Scroll up one page.

Fn–Down Arrow : Page Down: Scroll down one page.

Fn–Left Arrow: Home: Scroll to the beginning of a document.

Fn–Right Arrow : End: Scroll to the end of a document.

Command–Up Arrow : Move the insertion point to the beginning of the document.

Command–Down Arrow : Move the insertion point to the end of the document.

Command–Left Arrow : Move the insertion point to the beginning of the current line.

Command–Right Arrow : Move the insertion point to the end of the current line.

Option–Left Arrow : Move the insertion point to the beginning of the previous word.

Option–Right Arrow : Move the insertion point to the end of the next word.

Shift–Command–Up Arrow : Select the text between the insertion point and the beginning of the document.

Shift–Command–Down Arrow : Select the text between the insertion point and the end of the document.

Shift–Command–Left Arrow : Select the text between the insertion point and the beginning of the current line.

Shift–Command–Right Arrow : Select the text between the insertion point and the end of the current line.

Shift–Up Arrow : Extend text selection to the nearest character at the same horizontal location on the line above.

Shift–Down Arrow : Extend text selection to the nearest character at the same horizontal location on the line below.

Shift–Left Arrow : Extend text selection one character to the left.

Shift–Right Arrow : Extend text selection one character to the right.

Option–Shift–Up Arrow : Extend text selection to the beginning of the current paragraph, then to the beginning of the following paragraph if pressed again.

Option–Shift–Down Arrow : Extend text selection to the end of the current paragraph, then to the end of the following paragraph if pressed again.

Option–Shift–Left Arrow : Extend text selection to the beginning of the current word, then to the beginning of the following word if pressed again.

Option–Shift–Right Arrow : Extend text selection to the end of the current word, then to the end of the following word if pressed again.

Control-A : Move to the beginning of the line or paragraph.

Control-E : Move to the end of a line or paragraph.

Control-F : Move one character forward.

Control-B : Move one character backward.

Control-L : Center the cursor or selection in the visible area.

Control-P : Move up one line.

Control-N : Move down one line.

Control-O : Insert a new line after the insertion point.

Control-T : Swap the character behind the insertion point with the character in front of the insertion point.

Command–Left Curly Bracket ({) : Left align.

Command–Right Curly Bracket (}) : Right align.

Shift–Command–Vertical bar (|) : Center align.

Option-Command-F : Go to the search field.

Option-Command-T : Show or hide a toolbar in the app.

Option-Command-C : Copy Style: Copy the formatting settings of the selected item to the Clipboard.

Option-Command-V : Paste Style: Apply the copied style to the selected item.

Option-Shift-Command-V : Paste and Match Style: Apply the style of the surrounding content to the item pasted within that content.

Option-Command-I : Show or hide the inspector window.

Shift-Command-P : Page setup: Display a window for selecting document settings.

Shift-Command-S : Display the Save As dialog, or duplicate the current document.

Shift–Command–Minus sign (-) : Decrease the size of the selected item.

Shift–Command–Plus sign (+) : Increase the size of the selected item. Command–Equal sign (=) performs the same function.

Shift–Command–Question mark (?) : Open the Help menu.

To use these vision shortcuts, first choose Apple menu  > System Settings (or System Preferences), then click Keyboard. Click Keyboard Shortcuts, select Accessibility on the left, then select “Invert colors” and "Contrast" on the right.

Control-Option-Command-8 : Invert colors.

Control-Option-Command-Comma (,) and Control-Option-Command-Period (.) : Reduce contrast and increase contrast.

Use these shortcuts to change keyboard focus. To use some of these shortcuts, first choose Apple menu  > System Settings (or System Preferences), then click Keyboard. Click Keyboard Shortcuts, select Keyboard on the left, then select the shortcut's setting on the right.

Control-F2 or Fn-Control-F2: Move focus to the menu bar. You can then use the arrow keys to navigate the menu, press Return to open a selected menu or choose a selected menu item, or type the menu item's name to jump to that item in the selected menu.

Control-F3 or Fn-Control-F3 : Move focus to the Dock.

Control-F4 or Fn-Control-F4 : Move focus to the active window or next window.

Control-F5 or Fn-Control-F5 : Move focus to the window toolbar.

Control-F6 or Fn-Control-F6: Move focus to the floating window.

Control-Shift-F6 : Move focus to the previous panel.

Control-F7 or Fn-Control-F7 : Change the way Tab moves focus—between navigation of all controls on the screen, or only text boxes and lists.

Control-F8 or Fn-Control-F8 : Move focus to the status menu in the menu bar

Command–Grave accent (`) : Activate the next open window in the front app.

Shift–Command–Grave accent (`) : Activate the previous open window in the front app

Option–Command–Grave accent (`) : Move the focus to the window drawer.

Tab and Shift-Tab : Move to next control, move to previous control.

Control-Tab : Move to the next control when a text field is selected.

Control-Shift-Tab : Move to the previous grouping of controls.

Arrow keys : Move to the adjacent item in a list, tab group, or menu, or move sliders and adjusters (Up Arrow to increase values, Down Arrow to decrease values)

Control–Arrow keys : Move to a control adjacent to the text field.

Other accessibility shortcuts:

Option-Command-F5 or triple-press Touch ID : Show the Accessibility Shortcuts panel .

VoiceOver commands

Zoom in or out

Use Mouse Keys to control the pointer with your keyboard

If you're using VoiceOver, you might need to make VoiceOver ignore the next key press before you can use some of the shortcuts in this article.

Safari shortcuts

Spotlight shortcuts

Mail shortcuts

Photos shortcuts

Disk Utility shortcuts

Preview shortcuts

Apple Music shortcuts

Startup shortcuts

For more shortcuts, check the shortcut abbreviations shown in the menus of your apps. Every app can have its own shortcuts, and shortcuts that work in one app might not work in another.

Use emoji and symbols

Create your own shortcuts and resolve conflicts between shortcuts

Change the behavior of the function keys or modifier keys

Use a spoken command for a keyboard shortcut

COMMENTS

  1. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

  2. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  3. Setting user rights assignment of local security policy using

    I want to edit security settings of user rights assignment of local security policy using powershell or cmd. Eg: policy = "change the system time". default_security_settings = "local service,Administrators". i want to remove everything except Administrators. i have tried ntrights command, but seems like not working Any command will be appreciated.

  4. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  5. Understanding Group Policies: User Rights Assignment Policies

    Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

  6. Configure security policy settings

    In the console tree, click Computer Configuration, select Windows Settings, and then select Security Settings. Do one of the following: Select Account Policies to edit the Password Policy or Account Lockout Policy. Select Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options. In the details pane, double-click the ...

  7. User rights assignment in Windows Server 2016

    They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are: Group policy objects (GPO) - Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.

  8. Administer security policy settings

    The secedit command-line tool works with security templates and provides six primary functions: ... The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. ... User Rights Assignment; Security Options; Event Log: Application, system, and security Event ...

  9. How can I grant User Rights from the command line?

    If you want to grant rights from the command line, for use with account generation scripts etc., the Windows NT Resource Kit Supplement Two includes a new utility called NTRIGHTS.EXE which grants user rights from the command line. The program uses a series of codewords for each user right: Code Word: User Right ...

  10. User Rights Assignment Back To Not Defined

    You must apply your own "default" settings. If you only have a few User Rights to modify, edit the settings through the Local Group Policy editor ( gpedit.msc) and refer to another workstation that has the desired rights assignments for your configuration. If you have many User Rights to modify, then consider using the Secedit command-line tool ...

  11. Set Allow Log On Locally User Rights via Powershell, C# and CMD

    Configure Allow log on locally user rights via Local Security Policy GUI. Follow the below steps to set Allow log on locally user rights via Local Security Policy. 1. Open the Run window by pressing ' Windows' + ' R' keys. 2. Type the command secpol.msc in the text box and click OK. 3. Now the Local Security Policy window will be open ...

  12. User Rights Assignment

    To Add a User or Group to a User Rights Assignment Policy. A) In the elevated command prompt, type the command below for what user or group that you would like to add to what policy, and press Enter. NOTE: See blue note box below step 4. ntrights -U " User or Group " +R PolicyConstantName.

  13. Managing Privileges using PoshPrivilege

    As with Adding a privilege, we can remove privileges as well using Remove-Privilege. Remove-Privilege -Privilege SeDebugPrivilege -AccountName boe-pc\proxb. As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account. Again, you can install this module using Install-Module if running ...

  14. Windows change access permissions from the command line

    Windows comes with a special command line utility called CACLS. You can use it as follows: CACLS files /e /p {USERNAME}: {PERMISSION} Where, /p : Set new permission. /e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it. {USERNAME} : Name of user. {PERMISSION} : Permission can be:

  15. Set Logon As A Service right to User by Powershell ...

    Follow the below steps to set Log on As Service right via Local Security Policy. 1. Open the Run window by pressing ' Windows' + ' R' keys. 2. Type the command secpol.msc in the text box and click OK. 3.

  16. powershell group-policy windows-server

    Find-Module -Name '*sec*pol*' # Results <# Version Name Repository Description ----- ---- ----- ----- 2.10.0.0 SecurityPolicyDsc PSGallery This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments 1.3.2 Indented.SecurityPolicy PSGallery Security management functions and resources 0.0.12 ...

  17. User Rights Assignment

    User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when ...

  18. Managing "Logon As a Service" Permissions Using Group Policy or

    Navigate to Security Settings → Local Policies → User Rights Assignments and double-click the " Log on as a service " policy. Click Add User or Group. Note. The "NT SERVICESERVICES" group is added to the " Log on as a service " policy by default on Windows Server 2016, Windows 10, and later. Specify the groups or users (domain ...

  19. Powershell: Export User Rights Assignment

    I'm new to PowerShell (PS). Currently I'm using Windows Server 2012 and I'm interested to know whether there is any way to export User Rights Assignment into a txt file. I tried. secedit /export /areas USER_RIGHTS /cfg d:\policies.txt. The above should export it. So, I get this: Current Output.

  20. Mac keyboard shortcuts

    Command-2: View the items in a Finder window as a list. Command-3: View the items in a Finder window in columns. Command-4: View the items in a Finder window in a gallery. Command-Left Bracket ([): Go to the previous folder. Command-Right Bracket (]): Go to the next folder. Command-Up Arrow: Open the folder that contains the current folder.

  21. Using powershell, how do I grant "Log on as service" to an account?

    Everything is already on your computer and works from the command line. ... although personally I don't think I've ever figured out how to programmatically assign user rights. Doesn't mean it can't be done, though, but you'll probably be looking outside the realm of PowerShell specifically. ... with my script you can run against multiple ...