lørdag den 26. maj 2012

LogOnAsService and other fun rights, and creating a service through PowerShell

So once in a while you run into the issue of having the need to grant some account a special right, like LogOnAsService.
Lets say, you want to make a script, that can create a windows service, and needs to set the user it runs under too.
Lets imaging it’s a Navision 6.0 service
Lets just imaging

ok, installing a service.

That’s easy, we can use SC ( http://support.microsoft.com/kb/251192 )
or we can spend 2 hours goggling ways to download windows 2000 resource kit, and follow this guide http://support.microsoft.com/kb/137890
But that’s not PowerShell and we looooove PowerShell, so lets use WMI

$computer = "." # this computer
$class = "Win32_Service"
$method = "Create"
$mc = [wmiclass]"\\$computer\ROOT\CIMV2:$class"
$inparams = $mc.PSBase.GetMethodParameters($method)
$inparams.DesktopInteract = $false
$inparams.DisplayName = "Microsoft Dynamics NAV Server ($InstanceName)"
$inparams.ErrorControl = 0
$inparams.LoadOrderGroup = $null
$inparams.LoadOrderGroupDependencies = $null
$inparams.Name = $InstanceName
$inparams.PathName = "$servicepath\Microsoft.Dynamics.Nav.Server.exe $InstanceName"
$inparams.ServiceDependencies = 'NetTcpPortSharing'
$inparams.ServiceType = 16
$inparams.StartMode = "Automatic"
#$inparams.StartName = $null # will start as localsystem builtin if null
#$inparams.StartPassword = $null
$inparams.StartName = $NAVAdminUPN
$inparams.StartPassword = $NAVAdminPassword

$result = $mc.PSBase.InvokeMethod($method,$inparams,$null)
#$result | Format-List
if($result.ReturnValue -ne 0){
throw [System.Exception]("Failed installing Microsoft Dynamics NAV 6.0 NAS as a service")

But this wont work, unless you cheated and granted the user account LogOnAsService ( through local Policy snapin, or by just trying to set a service to run as this account, the Services MMC snapin will do it for you )

You could Google it, and would probably at some point hit this site
http://support.microsoft.com/?kbid=279664 , great more resource kit stuff

and this one
http://www.powershellcommunity.org/Forums/tabid/54/aft/5949/Default.aspx ok, thumbs up for being creative but I still think it’s a bit messy

http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/ I love this one, but its not easy using in several scripts and many machines

http://www.roelvanlisdonk.nl/?p=1151 Now were getting somewhere but it’s C# and no download link for the DLL, and I refuse to compile c# on any of my machines.

So I created a PowerShell module that will do it all ( you could make one without using a DLL using the 3rd link, but … this was easier for me )

So here it is. LSAWrapper.zip contains just the PowerShell module and a .bat file to install it. LSAWrapper.srv.zip contains the source code.

The module have 2 PowerShell commands. Set-UserRightsAssignment just give it a username and domain and press – and <tab> to see the list of rights
Set-Autologin will give you a SLIGHTLY more secure way of storing a username and password on a machine you want to automat logon after reboot, besides just adding it all to the registry ( see http://support.microsoft.com/kb/310584 ) this command will add the 2 keys, but save the password in the LSA store. not pretty but slight more secure that having it in plaintext in registry.

Ingen kommentarer:

Send en kommentar