SeServiceLogonRight not revoked from user on uninstall

[vdrake]

I've been modifying my Advanced Installer script to offer an alternative to installing our service with the highly-privileged LocalSystem account.
I've successfully gotten the installer to install the service with an existing local/domain account as well as a new local account (created by the installer).

The problem is that the SeServiceLogonRight privilege is not revoked from the account after uninstalling my product.
This is especially ugly in the case of a new account. After persisting new local user account, the uninstall process successfully removes the local account, but the Local Security Policy / Local Policies / User Rights Assignment / Log on as a service displays the removed account's SID

At what point in the uninstall should this privilege be removed?
Must I do something else to clean this up properly?

[Liviu]

Hi,

I'm afraid that this is the default implementation, we just don't remove it on uninstall.

You can try using a custom action configured to run under "Install Execution Stage" on uninstall to remove this privilege.

This custom action could, for example, launch a batch file that deletes the privilege.
Have a look on this article: How can I edit local security policy from a batch file?
SeDenyServiceLogonRight may be what you need.


Hope this helps! If you have any other questions please don't hesitate to contact us.

Best regards,
Liviu

[vdrake]

Thanks liviu! I'll check out the script option you've linked.

[Liviu]

You are always welcome!

Please let us know if there is anything else we could help you with and we will gladly assist.

Best regards,
Liviu