csih_create_privileged_user - use of SeDenyInteractiveLogonRight


Bill Stewart
Greetings,

/usr/share/doc/csih/ChangeLog has the following note for 2015-04-02:

* cygwin-service-installation-helper.sh
(csih_create_privileged_user): Also add SeDenyInteractiveLogonRight to the
service user. otherwise it will be shown on the logon screen in some
versions of Windows.

From this comment, it would seem that the only purpose of adding this user
right ("Deny log on locally") is to hide the user from the logon screen.

Is this correct? In other words, is preventing the account from showing in
the logon screen the _only_ reason for adding SeDenyInteractiveLogonRight?

Thanks,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: csih_create_privileged_user - use of SeDenyInteractiveLogonRight

Andrey Repin
Greetings, Bill Stewart!

> Is this correct? In other words, is preventing the account from showing in
> the logon screen the _only_ reason for adding SeDenyInteractiveLogonRight?

No, SeDenyInteractiveLogon prevents the user from creating console sessions, local
or remote. This is what service accounts are never supposed to be doing.
Yes, by extension, it will hide the user from the welcome screen.


--
With best regards,
Andrey Repin
Thursday, January 10, 2019 3:02:28

Sorry for my terrible English...
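
An added example, not part of either message and not csih code: a shell audit that parses a user-rights export and lists accounts holding SeServiceLogonRight that lack the SeDenyInteractiveLogonRight discussed in this thread. The function names, the account names and the sample export are constructed; the input is assumed to be `secedit` export text already converted from UTF-16.

```shell
#!/bin/sh
# Constructed sample of a user-rights export, already converted to plain text.
# On a real host: secedit /export /areas USER_RIGHTS /cfg <file> (UTF-16 output).
sample_policy() {
cat <<'EOF'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = cyg_server,svc_backup
SeDenyInteractiveLogonRight = Guest,cyg_server
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
Revision=1
EOF
}

# Print every principal listed for user right $1, one per line (policy on stdin).
holders_of() {
    awk -v right="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^\[/ { in_rights = ($0 == "[Privilege Rights]"); next }
        in_rights {
            split($0, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            if (name != right) next
            n = split(kv[2], who, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", who[i])
                if (who[i] != "") print who[i]
            }
        }'
}

# Print accounts that may log on as a service but are not denied local logon.
# Entries are compared as written (case-insensitively); a principal listed by
# name on one line and as *SID on the other is reported as missing.
missing_deny_interactive() {
    policy=$(cat)
    deny=$(printf '%s\n' "$policy" | holders_of SeDenyInteractiveLogonRight)
    printf '%s\n' "$policy" | holders_of SeServiceLogonRight |
    while IFS= read -r acct; do
        printf '%s\n' "$deny" | grep -Fxiq -- "$acct" || printf '%s\n' "$acct"
    done
}

sample_policy | missing_deny_interactive
```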


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple