Why is using ntrights.exe in Windows Server 2008 R2 giving error openpolicy -1073741790
With UAC enabled, elevation is always required; however, the built-in Administrator account (the single account with SID S-1-5-21-xxxxxxx-500) and members of the "Domain Admins" group (SID: S-1-5-21-domain-512) get automatically elevated, without the need for a human to respond to a prompt interactively. Accounts that are "merely" members of the local Administrators group will not (normally) auto-elevate, leading to the problem that you see.
This default behaviour can be modified by GPO to include other accounts\groups - the details of how to do that are in this TechNet article.
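An added diagnostic example, not part of the original answer: -1073741790 is the signed-decimal form of NTSTATUS 0xC0000022 (STATUS_ACCESS_DENIED), and the PowerShell below reports whether the calling process holds a UAC-filtered token, which is the condition the answer describes. The function names are hypothetical; the code relies only on the .NET WindowsPrincipal API and whoami.exe.

```powershell
# Added diagnostic example; function names are hypothetical.
function Convert-NtStatusToHex {
    param([int]$Status)
    # Tools such as ntrights.exe print the 32-bit NTSTATUS as a signed decimal.
    '0x{0:X8}' -f $Status
}

function Get-TokenElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # False when BUILTIN\Administrators is not an enabled group in this token,
    # which is the case for a UAC-filtered (non-elevated) token.
    $adminEnabled = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # /nh drops the localized header row; SIDs are the same in every locale.
    $sids = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
        ForEach-Object { $_.Sid }

    $inAdmins  = $sids -contains 'S-1-5-32-544'     # BUILTIN\Administrators
    $integrity = 'Other'
    if     ($sids -contains 'S-1-16-16384') { $integrity = 'System' }
    elseif ($sids -contains 'S-1-16-12288') { $integrity = 'High' }
    elseif ($sids -contains 'S-1-16-8192')  { $integrity = 'Medium' }

    New-Object PSObject -Property @{
        User                 = $identity.Name
        AdministratorsListed = $inAdmins
        AdministratorsActive = $adminEnabled
        IntegrityLevel       = $integrity
        # Member of Administrators, but the group is not usable in this token.
        FilteredByUac        = ($inAdmins -and -not $adminEnabled)
    }
}

# Decode the value printed by ntrights.exe, then inspect the current token.
Convert-NtStatusToHex -Status (-1073741790)
Get-TokenElevationState | Format-List
```

Run it in the same context as the failing command (for example, under the build service account) to see the token that ntrights.exe actually receives.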
softveda
Updated on September 17, 2022
Comments
-
softveda almost 2 years
I am local admin on a Windows Server 2003 R2 machine in our domain. This machine was built about 3 years back and I am not sure what privileges I might have. If I use ntrights.exe (from resource kit tools) it is successful as shown below:
```
ntrights.exe +r SeServiceLogonRight -u domain\accountname
Granting SeServiceLogonRight to domain\accountname ... successful
```
Recently we have built a new Windows Server 2008 R2 machine and I am local admin on it. But now the same ntrights.exe fails as below:
```
ntrights.exe +r SeServiceLogonRight -u domain\accountname
Granting SeServiceLogonRight to domain\accountname OpenPolicy: ***Error*** OpenPolicy -1073741790
```
It seems I am missing some privileges despite being local admin. What privileges do I require, so that I can ask our system administrator to help me grant those privileges?
Edit: The problem is solved by changing the UAC settings to Never Notify using the slider from control panel -> user accounts settings. But I think this is not the best way to solve this issue. Other answers still welcome.
-
softveda almost 14 years
Using 'Run as administrator' is not an option in this case. This command is actually run as part of an automated CruiseControl.NET build. The ccservice is running with a domain service account and that has been granted local admin as well. But we still have to turn UAC off. There must be a way to grant the specific security privilege to have "grant logon as service" permission to other users.
-
N73k almost 5 years
Even running cmd.exe as admin doesn't help me. I still get the error.