User Rights assignment - Automation?
I want to be able to automate the task of setting a User Rights assignment to
any user. I'd like to do this in a batch file.
For example: set user "testUser" to "Act as the operating system."
I've seen ways using secedit, but I don't understand how to use it. Can
anyone lay out for me how I could do this?
# 1 Re: User Rights assignment - Automation?
Refer to this link (http://support.microsoft.com/?kbid=267553).
You will see the relevant lines that set user rights for use with secedit and an associated .inf file.
Here is a legend for the groups:
[Privilege Rights]
;*S-1-1-0 Everyone
;*S-1-5-32-544 Administrators
;*S-1-5-32-545 Users
;*S-1-5-32-546 Guests
;*S-1-5-32-547 Power Users
;*S-1-5-32-551 Backup Operators
;*S-1-5-32-555 Remote Desktop Users
You will need the complete identifier for "testuser" to assign that ID specific rights.
Of course, you can forget doing all of that, if you implement user rights the "correct way" by using Active Directory and assigning user rights through Group Policy Objects.
# 2 Re: User Rights assignment - Automation?
Of course, you can forget doing all of that, if you implement user rights the "correct way" by using Active Directory and assigning user rights through Group Policy Objects.
So you know a better way than using secedit? Ultimately I'm asking this because I want to do this in an Installshield (which I'm a newbie at as well). Using secedit doesn't seem to look pretty. Since my script has just created "testuser" I won't be able to get that "complete identifier" you speak of.
Here's what I want to do:
Problem: I want to create a user.
Solution: I'm using "net user /add..."
Problem: I want to create a group
Solution: I'm using "net localgroups /add..."
Problem: I want to set Access Rights for users and groups.
Solution: NONE
# 3 Re: User Rights assignment - Automation?
I thought you wanted management of user rights. You are trying to fix your install for your application.
It appears you want your application to run under the SYSTEM security context. Adding a local user account and modifying the system security is probably not a good implementation. You never know into what environment the desktop is running or how it's managed. In domain environments, it is typical that user rights and domain accounts are centrally managed. Local accounts are usually severely restricted.
It sounds as if you are really in need of making your application run as a service or as a device driver.
It really depends on the purpose of the application. More information would be helpful.
# 4 Re: User Rights assignment - Automation?
You're correct! It's 3rd Party software I'm implementing this for though.
It requires a local administrator called "swpro" with the Advanced user Rights: "Act as Part of the Operating System" and "Log On As Service"
It also requires a specific User Group name that has the right "Logon as a Batch Job"
An assinine implementation, and makes for a headache installing. This is why I'm trying to dumb down the installation of this 3rd party install so it's customer installable.
# 5 Re: User Rights assignment - Automation?
Then you are going to have to do this programmatically with a WMI, VBScript or something else of your choice where you can use APIs.
I can't help you on that. Batch files and secedit aren't going to cut it.
