I've been modifying my Advanced Installer script to offer an alternative to installing our service with the highly-privileged LocalSystem account.
I've successfully gotten the installer to install the service with an existing local/domain account as well as a new local account (created by the installer).
The problem is that the SeServiceLogonRight privilege is not revoked from the account after uninstalling my product.
This is especially ugly in the case of a new account. After persisting a new local user account, the uninstall process successfully removes the local account, but the Local Security Policy / Local Policies / User Rights Assignment / Log on as a service displays the removed account's SID.
At what point in the uninstall should this privilege be removed?
Must I do something else to clean this up properly?
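
The leftover entry described above can be checked for after an uninstall. The following is an added example, not part of the original post or of Advanced Installer: it exports the user rights with `secedit` and reports SIDs holding `SeServiceLogonRight` that no longer map to an account. The function names are hypothetical, and it assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example: find orphaned SIDs in "Log on as a service" (SeServiceLogonRight).
# Function names are hypothetical. Run elevated; secedit needs admin rights to export.

function Get-UserRightEntries {
    param([string]$Right = 'SeServiceLogonRight')
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        # Export line looks like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...,someuser
        $line = Get-Content $cfg |
            Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Find-OrphanedRightHolders {
    param([string]$Right = 'SeServiceLogonRight')
    foreach ($entry in Get-UserRightEntries -Right $Right) {
        # Entries are either '*'-prefixed SIDs or plain account names.
        # A deleted account can only appear as a SID, so names are skipped.
        if (-not $entry.StartsWith('*')) { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # No account maps to this SID any more: the right outlived the account.
            [pscustomobject]@{ Right = $Right; Sid = $sid.Value }
        }
    }
}

# Lists each orphaned SID that still holds the right (no output means none found).
Find-OrphanedRightHolders
```

A domain SID can also fail to resolve when no domain controller is reachable, so treat the output as candidates to confirm rather than as proof the account was deleted.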