LogOnAsService and other fun rights, and creating a service through PowerShell

So once in a while you run into the issue of having the need to grant some account a special right, like LogOnAsService.
Lets say, you want to make a script, that can create a windows service, and needs to set the user it runs under too.
Lets imaging it’s a Navision 6.0 service
Lets just imaging

ok, installing a service.

That’s easy, we can use SC ( http://support.microsoft.com/kb/251192 )
or we can spend 2 hours goggling ways to download windows 2000 resource kit, and follow this guide http://support.microsoft.com/kb/137890
But that’s not PowerShell and we looooove PowerShell, so lets use WMI

    $computer = "." # this computer
    $class = "Win32_Service"
    $method = "Create"
    $mc = [wmiclass]"\\$computer\ROOT\CIMV2:$class"
    $inparams = $mc.PSBase.GetMethodParameters($method)
    $inparams.DesktopInteract = $false
    $inparams.DisplayName = "Microsoft Dynamics NAV Server ($InstanceName)"
    $inparams.ErrorControl = 0
    $inparams.LoadOrderGroup = $null
    $inparams.LoadOrderGroupDependencies = $null
    $inparams.Name = $InstanceName
    $inparams.PathName = "$servicepath\Microsoft.Dynamics.Nav.Server.exe $InstanceName"
    $inparams.ServiceDependencies = 'NetTcpPortSharing'
    $inparams.ServiceType = 16
    $inparams.StartMode = "Automatic"
    #$inparams.StartName = $null # will start as localsystem builtin if null
    #$inparams.StartPassword = $null
    $inparams.StartName = $NAVAdminUPN
    $inparams.StartPassword = $NAVAdminPassword

    $result = $mc.PSBase.InvokeMethod($method,$inparams,$null)
    #$result | Format-List
    if($result.ReturnValue -ne 0){
        throw [System.Exception]("Failed installing Microsoft Dynamics NAV 6.0 NAS as a service")
    }

But this wont work, unless you cheated and granted the user account LogOnAsService ( through local Policy snapin, or by just trying to set a service to run as this account, the Services MMC snapin will do it for you )

You could Google it, and would probably at some point hit this site
http://support.microsoft.com/?kbid=279664 , great more resource kit stuff

and this one
http://www.powershellcommunity.org/Forums/tabid/54/aft/5949/Default.aspx ok, thumbs up for being creative but I still think it’s a bit messy

http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/ I love this one, but its not easy using in several scripts and many machines

http://www.roelvanlisdonk.nl/?p=1151 Now were getting somewhere but it’s C# and no download link for the DLL, and I refuse to compile c# on any of my machines.

So I created a PowerShell module that will do it all ( you could make one without using a DLL using the 3rd link, but … this was easier for me )

So here it is. LSAWrapper.zip contains just the PowerShell module and a .bat file to install it. LSAWrapper.srv.zip contains the source code.

The module have 2 PowerShell commands. Set-UserRightsAssignment just give it a username and domain and press – and <tab> to see the list of rights
Set-Autologin will give you a SLIGHTLY more secure way of storing a username and password on a machine you want to automat logon after reboot, besides just adding it all to the registry ( see http://support.microsoft.com/kb/310584 ) this command will add the 2 keys, but save the password in the LSA store. not pretty but slight more secure that having it in plaintext in registry.