Setting SeTcbPrivilege (act as part of OS) is not working.

Welcome Forums General PowerShell Q&A Setting SeTcbPrivilege (act as part of OS) is not working.

Viewing 1 reply thread
  • Author
    Posts
    • #193910
      Participant
      Topics: 10
      Replies: 17
      Points: 42
      Rank: Member

      Hi,

      I am trying to use the below script to set SeTcbPrivilege (Act as part of operating system), but it is not working.  No error message is thrown, it runs as it worked, but nothing changes and the account does not get the permission.

      Other permissions, like Logon as a batch job (SeBatchLogonRight), are working fine using the same logic.

      Any ideas?

      Thanks.

      <hr />

      param($accountToAdd)
      ## <— Configure here
      if( [string]::IsNullOrEmpty($accountToAdd) ) {
      Write-Host “no account specified”
      exit
      }
      ## —> End of Config
      $sidstr = $null
      try {
      $ntprincipal = new-object System.Security.Principal.NTAccount “$accountToAdd”
      $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
      $sidstr = $sid.Value.ToString()
      } catch {
      $sidstr = $null
      }
      Write-Host “Account: $($accountToAdd)” -ForegroundColor DarkCyan
      if( [string]::IsNullOrEmpty($sidstr) ) {
      Write-Host “Account not found!” -ForegroundColor Red
      exit -1
      }
      Write-Host “Account SID: $($sidstr)” -ForegroundColor DarkCyan
      $tmp = [System.IO.Path]::GetTempFileName()
      Write-Host “Export current Local Security Policy” -ForegroundColor DarkCyan
      secedit.exe /export /cfg “$($tmp)”
      $c = Get-Content -Path $tmp
      $currentSetting = “”
      foreach($s in $c) {
      ## Act as part of operating system
      if( $s -like “SeTcbPrivilege*”) {
      $x = $s.split(“=”,[System.StringSplitOptions]::RemoveEmptyEntries)
      $currentSetting = $x[1].Trim()
      if( $currentSetting -notlike “*$($sidstr)*” ) {
      Write-Host “Modify Setting “”Act as part of operating system””” -ForegroundColor DarkCyan
      if( [string]::IsNullOrEmpty($currentSetting) ) {
      $currentSetting = “*$($sidstr)”
      } else {
      $currentSetting = “*$($sidstr),$($currentSetting)”
      }
      Write-Host “$currentSetting”
      $outfile = @”
      [Unicode]
      Unicode=yes
      [Version]
      signature=”$CHICAGO$”
      Revision=1
      [Privilege Rights]
      SeTcbPrivilege = $($currentSetting)
      “@
      $tmp2 = [System.IO.Path]::GetTempFileName()
      Write-Host “Import new settings to Local Security Policy” -ForegroundColor DarkCyan
      $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
      #notepad.exe $tmp2
      Push-Location (Split-Path $tmp2)
      Write-Host “Security: ”
      Write-Host  $tmp2
      try {
      secedit.exe /configure /db “secedit.sdb” /cfg “$($tmp2)” /areas USER_RIGHTS
      #write-host “secedit.exe /configure /db “”secedit.sdb”” /cfg “”$($tmp2)”” /areas USER_RIGHTS ”
      } finally {
      Pop-Location
      }
      } else {
      Write-Host “NO ACTIONS REQUIRED! Account already in “”Act as part of operating system””” -ForegroundColor DarkCyan
      }
      }
      }
      Write-Host “Done.” -ForegroundColor DarkCyan

    • #193991
      Participant
      Topics: 15
      Replies: 1761
      Points: 3,167
      Helping Hand
      Rank: Community Hero

      Depending on what you are doing, there are some better options or minimally simplified scripts. This thread has 2 options to elevate a user:

      https://stackoverflow.com/questions/10187837/granting-seservicelogonright-to-a-user-from-powershell

      But if you are doing an installation and just trying to temporarily elevate a process thread to do a one-time operation, this is a much better option than giving the user eternal rights:

      Adjusting Token Privileges in PowerShell

      There is a GitHub link to a script showing a full example of the above link.

Viewing 1 reply thread
  • The topic ‘Setting SeTcbPrivilege (act as part of OS) is not working.’ is closed to new replies.