Question
Thursday, November 7, 2013 8:16 AM
Hello,
How can I add one AD account to the Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a Batch Job policy?
Thanks for your answers,
Thanks Horst MOSS 2007 Farm; MOSS 2010 Farm; TFS 2010; IIS 7.5
All replies (3)
Thursday, November 7, 2013 8:57 AM ✅Answered | 2 votes
```powershell
## < Configure here
$accountToAdd = "domain\user"
## > End of Config

# Resolve the account name to its SID
$sidstr = $null
try {
    $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
    $sidstr = $sid.Value.ToString()
} catch {
    $sidstr = $null
}

Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan
if( [string]::IsNullOrEmpty($sidstr) ) {
    Write-Host "Account not found!" -ForegroundColor Red
    exit -1
}
Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

# Export the current policy and read the existing SeBatchLogonRight entry
$tmp = ""
$tmp = [System.IO.Path]::GetTempFileName()
Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)"

$c = ""
$c = Get-Content -Path $tmp
$currentSetting = ""
foreach($s in $c) {
    if( $s -like "SeBatchLogonRight*") {
        $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
        $currentSetting = $x[1].Trim()
    }
}

if( $currentSetting -notlike "*$($sidstr)*" ) {
    Write-Host "Modify Setting ""Log on as a Batch Job""" -ForegroundColor DarkCyan

    # Prepend the new SID and keep the accounts that already hold the right
    if( [string]::IsNullOrEmpty($currentSetting) ) {
        $currentSetting = "*$($sidstr)"
    } else {
        $currentSetting = "*$($sidstr),$($currentSetting)"
    }
    Write-Host "$currentSetting"

    # Template that contains only the one privilege being changed
    $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $($currentSetting)
"@

    $tmp2 = ""
    $tmp2 = [System.IO.Path]::GetTempFileName()

    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
    #notepad.exe $tmp2

    Push-Location (Split-Path $tmp2)
    try {
        # Apply only the user rights area from the template
        secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
        #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
    } finally {
        Pop-Location
    }
} else {
    Write-Host "NO ACTIONS REQUIRED! Account already in ""Log on as a Batch Job""" -ForegroundColor DarkCyan
}

Write-Host "Done." -ForegroundColor DarkCyan
```
Thanks Horst MOSS 2007 Farm; MOSS 2010 Farm; TFS 2010; IIS 7.5
Thursday, November 7, 2013 8:49 AM | 1 vote
Hi,
You can take a reference computer, perform these steps manually on it using secpol.msc, and then export the policy. Later, apply the policy to all the machines you want it on:
On reference computer
1. Click Start -> Run, type “secpol.msc”
2. Configure the "Log on as Batch Job" policy as required.
3. Right click “Security Settings”, and click “Export Policy…” to export the settings to a .inf file.
4. Save this .inf file to a share location or copy it to the target computers.
On Target computers
Run the following command to import the policy file from a share location:
Secedit /configure /db secedit.sdb /cfg <Shared Path to the exported .inf file>
You can go ahead and use PsExec to execute the above commands remotely on target computers too.
Knowledge is Power{Shell}.
Thursday, November 7, 2013 9:06 AM
I was about to give you a link to this script here
http://gallery.technet.microsoft.com/PowerShell-script-to-add-b005e0f6
This does something very similar and you could tailor it to meet your needs...but it seems you already got it :)
Knowledge is Power{Shell}.
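To check the result of either approach in this thread, the following added example (not code from any of the posters) exports the user rights area with secedit, parses the SeBatchLogonRight line, and resolves each entry to an account name and SID. The function name `Get-BatchLogonRightHolders` and its `-CfgPath` parameter are hypothetical names chosen for illustration; `domain\user` is the placeholder from the answer above.

```powershell
# Added example, not from the thread. Run elevated: secedit needs admin rights.
# Get-BatchLogonRightHolders and -CfgPath are illustrative (hypothetical) names.
function Get-BatchLogonRightHolders {
    param([string]$CfgPath)   # optional: an existing secedit export to read

    $cleanup = $false
    if (-not $CfgPath) {
        $CfgPath = [System.IO.Path]::GetTempFileName()
        $cleanup = $true
        secedit.exe /export /cfg "$CfgPath" /areas USER_RIGHTS | Out-Null
    }
    try {
        $line = Get-Content -Path $CfgPath |
            Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # nobody holds the right

        # Entries are comma separated; "*S-1-..." is a SID, anything else a name.
        $entries = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }

        foreach ($e in $entries) {
            $sidText = '<unresolved>'; $name = '<unresolved>'
            try {
                if ($e.StartsWith('*')) {
                    $sidText = $e.Substring(1)
                    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier $sidText
                    $name    = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    $name    = $e
                    $ntObj   = New-Object System.Security.Principal.NTAccount $e
                    $sidText = $ntObj.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
            } catch { }   # deleted or unreachable account: keep '<unresolved>'
            [pscustomobject]@{ Entry = $e; Sid = $sidText; Account = $name }
        }
    } finally {
        if ($cleanup) { Remove-Item -Path $CfgPath -Force -ErrorAction SilentlyContinue }
    }
}

# Show every holder, then test one account by whole-SID comparison
# (a wildcard match on the raw line could also hit a longer SID with the same prefix).
$holders = @(Get-BatchLogonRightHolders)
$holders | Format-Table -AutoSize
$wanted = (New-Object System.Security.Principal.NTAccount 'domain\user').Translate([System.Security.Principal.SecurityIdentifier]).Value
"Holds SeBatchLogonRight: $(($holders | ForEach-Object { $_.Sid }) -contains $wanted)"
```

Entries reported as `<unresolved>` are SIDs or names the machine could not translate, typically deleted accounts, and are worth reviewing before an exported template is copied to other computers.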