Solved

VB Script to list of users for “Log on as a service” on PCs

Posted on 2014-01-19
5
681 Views
Last Modified: 2014-01-29
Hi Everybody,

I need to write a VB script which would check and create report with member of users or groups for “Log on as a Service” policy on local PCs. Company I work for would like to know who has access to “Log on as a Service” policy on each PCs?

Is anybody will able to give me some idea or sample VB script?

Thanks,
0
Comment
Question by:Szuromi
  • 4
5 Comments
 
LVL 32

Expert Comment

by:Robberbaron (robr)
Comment Utility
the AccessChk sysinternals should do it
http://blogs.technet.com/b/secguide/archive/2008/07/21/how-to-use-accesschk-exe-for-security-compliance-management.aspx

C:\tools>accesschk -a  SeBatchLogonRight

Accesschk v5.11 - Reports effective permissions for securable objects
Copyright (C) 2006-2012 Mark Russinovich
Sysinternals - www.sysinternals.com

        BUILTIN\Performance Log Users
        BUILTIN\Backup Operators
        BUILTIN\Administrators
        DOMAIN\user
        BATH\SQLServer2005MSSQLUser$BATH$VEEAM

C:\tools>


if you want to run this on every pc, i would add it as a Logon script that echos to a log file.
0
 
LVL 32

Expert Comment

by:Robberbaron (robr)
Comment Utility
may need to run this at startup (not logon) so it runs as System user, with full access.

rem '-------------------------------------------------	
rem ' robberbaron
rem needs accesschk.exe in local folder or search path
rem '----------------------


@echo off
rem '--- set up files & log ---------
set LogFldr="AccessList.log" 

for /F "tokens=2*" %%i in ('date /t') do set datex=%%i
for /F "tokens=1*" %%i in ('time /t') do set timex=%%i

VER | findstr /i "5.0." > nul
IF %ERRORLEVEL% EQU 0 set version=2000

VER | findstr /i "5.1." > nul
IF %ERRORLEVEL% EQU 0 set version=XP

VER | findstr /i "5.2." > nul
IF %ERRORLEVEL% EQU 0 set version=2003

VER | findstr /i "6.0." > nul
IF %ERRORLEVEL% EQU 0 set version=Vista

VER | findstr /i "6.1." > nul
IF %ERRORLEVEL% EQU 0 set version=Win7

VER | findstr /i "6.2." > nul
IF %ERRORLEVEL% EQU 0 set version=Win8

VER | findstr /i "6.3." > nul
IF %ERRORLEVEL% EQU 0 set version=Win8

if %version%==Vista goto ok
if %version%==XP goto ok
if %version%==Win7 goto ok
if %version%==Win8 goto ok

echo %datex% %timex% FAILED -- %USERNAME% : %COMPUTERNAME% >> %LogFldr%
goto end

:OK
echo %datex% %timex% -- %USERNAME% : %COMPUTERNAME% >> %LogFldr%
accesschk -a -q SeBatchLogonRight >> %LogFldr%
if errorlevel 0 echo "---ok---" >> %LogFldr%
:end

Open in new window

0
 
LVL 32

Expert Comment

by:Robberbaron (robr)
Comment Utility
also can use the psExec  tool to run remotely on a list of computers provided you have the access rights.
0
 
LVL 32

Accepted Solution

by:
Robberbaron (robr) earned 500 total points
Comment Utility
actually  it should be   SeServiceLogonRight  that you check,

C:\tools>accesschk -a  SeServiceLogonRight -q
        NT SERVICE\ALL SERVICES
        BORN\Administrator
        BATH\SQLServer2005MSSQLUser$BATH$VEEAM
        BATH\SQLServer2005SQLBrowserUser$BATH

C:\tools>

where BORN is my domainname, and BATH is the local PC name.
0
 

Author Closing Comment

by:Szuromi
Comment Utility
Thanks
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Hello again, all.  For those of you that have been following along, you'll know that this is my third article on this topic (though it is not Part III).  This article is sort of remedial, and probably the topic with which I should have started the s…
This article is the result of a quest to better understand Task Scheduler 2.0 and all the newer objects available in vbscript in this version over  the limited options we had scripting in Task Scheduler 1.0.  As I started my journey of knowledge I f…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now