Wednesday, January 09, 2008

Programmatically give Logon as Batch Right

ntrights.exe is nice and all, but sometimes you want to do things on your own. The code below will allow you to programmatically assign the Logon as Batch Right (SeBatchLogonRight) to a user. This can be applied to any other rights assignment you want to give a user on Windows. For instance:
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeUnsolicitedInputPrivilege, SeMachineAccountPrivilege, TcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege,
SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege,
SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, or SeRemoteShutdownPrivilege. This technique, in python, can be carried over easy enough to C++ if desired.


import win32security

user = "Administrator"
system = "Some computer name" # or None for local

handle = win32security.LsaOpenPolicy(
system,
win32security.POLICY_ALL_ACCESS )


sid, domain, tmp = win32security.LookupAccountName(system, user)

if not 'SeBatchLogonRight' in \
win32security.LsaEnumerateAccountRights(handle, sid):

win32security.LsaAddAccountRights(
handle,
sid,
('SeBatchLogonRight',) )


win32security.LsaClose(handle)

1 comment:

Anonymous said...

Thanks. This information will come in very handy. Glad I don't need to search further.