Why is using ntrights.exe in Windows Server 2008 R2 giving error openpolicy -1073741790


With UAC enabled, elevation is always required; however, the built-in Administrator account (the single account with SID S-1-5-21-xxxxxxx-500) and members of the "Domain Admins" group (SID: S-1-5-21-domain-512) get automatically elevated, without the need for a human to respond to a prompt interactively. Accounts that are "merely" members of the local Administrators group will not (normally) auto-elevate, leading to the problem that you see.

This default behaviour can be modified by GPO to include other accounts\groups - the details of how to do that are in this TechNet article.

Author by

softveda

Updated on September 17, 2022

Comments

  • softveda almost 2 years

    I am local admin on a Windows Server 2003 R2 machine in our domain. This machine was built about 3 years back and I am not sure what privileges I might have. If I use ntrights.exe (from resource kit tools) it is successful as shown below:

    ntrights.exe +r SeServiceLogonRight -u domain\accountname
     Granting SeServiceLogonRight to domain\accountname   ... successful
    

    Recently we have built a new Windows Server 2008 R2 machine and I am local admin on it. But now the same ntrights.exe fails as below:

    ntrights.exe +r SeServiceLogonRight -u domain\accountname
    Granting SeServiceLogonRight to domain\accountname   OpenPolicy:
    
    ***Error*** OpenPolicy -1073741790
    

    It seems I am missing some privileges despite being local admin. What privileges do I require, so that I can ask our system administrator for help in granting those privileges?

    Edit: The problem is solved by changing the UAC settings to Never Notify using the slider from Control Panel -> User Accounts settings. But I think this is not the best way to solve this issue. Other answers still welcome.

  • softveda almost 14 years
    Using 'Run as administrator' is not an option in this case. This command is actually run as part of an automated CruiseControl.NET build. The ccservice is running with a domain service account and that has been granted local admin as well. But we still have to turn UAC off. There must be a way to grant the specific security privilege to have "grant logon as service" permission to other users.
  • N73k almost 5 years
    Even running cmd.exe as admin doesn't help me. I still get the error.
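
Added example, not part of the original thread: a read-only PowerShell check that decodes the status ntrights.exe printed (-1073741790 is the signed form of 0xC0000022, STATUS_ACCESS_DENIED) and reports whether the current process token is elevated, which is the condition the answer describes. The function names are hypothetical; the registry values read are the standard UAC policy settings.

```powershell
# Added diagnostic example (not from the original thread). Reads state only.

function Convert-NtStatus {
    param([int]$Status)
    # ntrights prints the NTSTATUS as a signed decimal; show the usual hex form.
    $hex = '0x{0:X8}' -f $Status
    $known = @{ '0xC0000022' = 'STATUS_ACCESS_DENIED' }
    if ($known.ContainsKey($hex)) { "$hex ($($known[$hex]))" } else { $hex }
}

function Test-TokenElevated {
    # Returns $false for a UAC-filtered token even when the account is a member
    # of local Administrators: in that token the Administrators SID is deny-only.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    # UAC policy values; a value that is not set on this machine comes back empty.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Get-ItemProperty -Path $key |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, FilterAdministratorToken
}

$elevated = Test-TokenElevated

"ntrights status : " + (Convert-NtStatus -Status (-1073741790))
"Running as      : " + [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Token elevated  : " + $elevated
Get-UacPolicy | Format-List

if (-not $elevated) {
    'This process holds a filtered token, so the OpenPolicy call made by ntrights.exe is denied.'
}
```

Run it in the same context as the failing command (for example as a build step under the service account) so that it reports on the token that ntrights.exe actually receives.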