How to detect if user has logon rights for starting services



rguggisberg
04-26-2017, 01:56 PM
Hi,
I have an installer that starts a number of our custom services. Is there a way (check registry key, etc.) that I can detect if the user has permission to do that (local group policy)? Would like to do that in an InstallScript.msi or Suite project or both before proceeding with the install.
Thanks

chad.petersen
04-27-2017, 10:04 AM
They are always wanting me to do things like grab the current user's password from the registry to use for Services. I say "No problem"...."just tell me what the HKLM\Security node says". About then they shut the **** up.

If that setting is also stored in the Security hive then no chance.

Take a system before that user setting is set - do a full registry export - then change the setting by setting the user account to start some service - and take another registry export - then compare the two exports and see if you can see a change that was made for this. If not it is likely in the HKLM\Security area.

Chad

chad.petersen
04-27-2017, 10:14 AM
I realized that my own user on my own computer was not yet set to "Logon As A Service" so I performed these steps myself and the registry says "No Difference" between before and after using Beyond Compare so I think the registry is not going to let you know.

One other article says to use this, but I don't see anything change in the output between the before and after, either.

whoami /priv |findstr ".Enabled"

Chad

rguggisberg
04-27-2017, 10:41 AM
Thanks Chad. And BTW... thank you for all the other answers you provide on this forum!

I think I may have found a way. A bit of work, but should be doable.
I will do a custom action that launches GPRESULT... something like this:
GPRESULT.EXE /V >"%Temp%\GPResult.txt"
Then I can parse GPResult.txt looking for the desired user in text that looks something like this:

GPO: Default Domain Policy
Policy: ServiceLogonRight
Computer Setting: *******\Domain Users
<SomeDomain>\<SomeUser>
<SomeDomain>\<SomeOtherUser>
<SomeUser>
<SomeOtherUser>

I think "<Domain>\Domain Users" will accommodate users on the specified domain provided they have not been explicitly denied that right.
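
The parsing step described in the last post, as an added PowerShell example (not code from the thread or from InstallShield). It assumes the report layout shown in that post; the function names, the CONTOSO accounts and the sample text are constructed for illustration, and it checks only what the report lists.

```powershell
# Added example: read a saved `gpresult /V` report and list the accounts under
# "Policy: ServiceLogonRight". Layout assumed from the post above.
function Get-ServiceLogonRightAccounts {
    param([string[]]$Lines)
    $accounts = New-Object 'System.Collections.Generic.List[string]'
    $inPolicy = $false   # inside the ServiceLogonRight entry
    $inValues = $false   # past its "Computer Setting:" line
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^Policy:\s*(.+)$') {
            $inPolicy = ($Matches[1].Trim() -eq 'ServiceLogonRight')
            $inValues = $false
        } elseif (-not $inPolicy) {
            continue
        } elseif ($line -match '^Computer Setting:\s*(.*)$') {
            $inValues = $true
            if ($Matches[1]) { $accounts.Add($Matches[1].Trim()) }
        } elseif ($line -eq '' -or $line -match '^GPO:') {
            $inPolicy = $false   # blank line or next GPO header ends the list
        } elseif ($inValues) {
            $accounts.Add($line)
        }
    }
    return $accounts.ToArray()
}

# True when the user, or any group the caller passes for that user, is listed.
# Group membership is not resolved here; pass the group names explicitly.
function Test-ServiceLogonRight {
    param([string[]]$Lines, [string[]]$Principals)
    $granted = @(Get-ServiceLogonRightAccounts -Lines $Lines)
    foreach ($p in $Principals) {
        if ($granted -contains $p) { return $true }   # -contains ignores case
    }
    return $false
}

# Constructed sample report (CONTOSO names are placeholders).
$sample = @'
GPO: Default Domain Policy
    Policy:            ServiceLogonRight
    Computer Setting:  CONTOSO\Domain Users
                       CONTOSO\svc-build

GPO: Default Domain Policy
    Policy:            MaximumPasswordAge
    Computer Setting:  42
'@ -split '\r?\n'

Test-ServiceLogonRight -Lines $sample -Principals 'CONTOSO\alice', 'CONTOSO\Domain Users'
# Real use: $lines = Get-Content "$env:TEMP\GPResult.txt"
```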