How to assign a service account to Local Security Policy - Lock Pages in Memory policy?

pgaddam 151 Reputation points
2023-05-05T20:02:25.81+00:00

Hi

I am trying to add a service account to Lock Pages in Memory policy of Local Security Policy - User Rights Assignment.

I am trying to do this with a script from the below thread https://learn.microsoft.com/en-us/answers/questions/349374/how-to-update-security-group-policy-allow-log-on-l. The script there works just fine with the modification from "SeInteractiveLogonRight" to "SeLockMemoryPrivilege" and setting up the user. One problem I face is that on the SQL VM, when the 'Security Setting' of a policy is empty, the script wouldn't work, so I have added

/areas USER_RIGHTS SECURITYPOLICY

in the secedit command (line 3) of the script to forcefully show it in the temp file so that the script can apply necessary modifications.

However, the script still fails to execute and add the user to the policy.

Any reason as to what I am missing here? Could you please help me with any suggestions?

Thanks!

@Ian Xue (Shanghai Wicresoft Co., Ltd.) I am reaching out to you since you've already helped another user with a similar request. Any thoughts please?

  1. VasimTamboli 4,780 Reputation points
    2023-05-06T19:01:55.2566667+00:00

    To assign a service account to the Lock Pages in Memory policy in Local Security Policy, you can use the following steps:

    Open Local Security Policy by typing "secpol.msc" in the Run dialog box or the Start menu search box and then press Enter.

    Expand the Local Policies node and then click on the User Rights Assignment node.

    Double-click the "Lock pages in memory" policy to open its properties.

    Click the Add User or Group button to add the service account you want to assign this policy to.

    Enter the name of the service account, and then click the Check Names button to verify the account name.

    Click OK to close the dialog box and save the changes.

    Close Local Security Policy.

    If you prefer to use a script to do this, you can modify the script from the thread you mentioned in your question as follows:

    Replace the string "SeInteractiveLogonRight" with "SeLockMemoryPrivilege" in the script.

    Replace the string "GrantLogOnLocally" with "LockMemory" in the script.

    Modify the secedit command to include the "/areas USER_RIGHTS SECURITYPOLICY" option as follows:

    secedit /export /cfg $cfgFile /areas USER_RIGHTS SECURITYPOLICY

    After making these changes, you should be able to run the script to assign the Lock Pages in Memory policy to the service account.
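The following is an added example, not a script from the original thread or from either poster, showing the export/modify/import cycle the answer describes as a complete PowerShell script. It is written around the empty-policy case the question raises: when "Lock pages in memory" has no holders, secedit writes no `SeLockMemoryPrivilege =` line into the export at all, so a script that only does a regex replace on that line finds nothing to change; the script below appends the line under `[Privilege Rights]` when it is missing and extends it when it is present. `CONTOSO\svc_sql`, `$work` and the file names are assumptions for illustration; the secedit switches (`/export`, `/cfg`, `/areas USER_RIGHTS`, `/configure`, `/db`, `/log`) and the UTF-16 `.inf` layout are real.

```powershell
# Added example (not from the original thread): grant "Lock pages in memory"
# (SeLockMemoryPrivilege) to a service account with secedit, handling the case
# where the right currently has no holders and so has no line in the export.
# Must run in an elevated PowerShell. $Account below is a hypothetical name.
#Requires -RunAsAdministrator
param(
    [string]$Account   = 'CONTOSO\svc_sql',       # hypothetical service account
    [string]$Privilege = 'SeLockMemoryPrivilege'  # "Lock pages in memory"
)

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'lockpages'           # assumed scratch directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'export.inf'
$new = Join-Path $work 'import.inf'
$db  = Join-Path $work 'secedit.sdb'
$log = Join-Path $work 'secedit.log'
Remove-Item -Path $db -ErrorAction SilentlyContinue   # start from an empty database

# Resolve the account to a SID up front: secedit accepts "*S-1-..." holders, and a
# typo in the account name fails here instead of silently during the import.
$sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

# 1. Export the current user-rights assignments. A right with no holders is
#    simply absent from [Privilege Rights], whatever /areas is passed.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# The export is UTF-16; read and write it as Unicode or the import is rejected.
$lines   = Get-Content -Path $cfg -Encoding Unicode
$out     = New-Object System.Collections.Generic.List[string]
$pattern = '^\s*' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
$inPriv  = $false
$done    = $false

foreach ($line in $lines) {
    if ($line -match '^\[(.+)\]$') {
        # Leaving [Privilege Rights] without having seen the right: append it.
        if ($inPriv -and -not $done) { $out.Add("$Privilege = $entry"); $done = $true }
        $inPriv = ($Matches[1] -eq 'Privilege Rights')
        $out.Add($line)
        continue
    }
    if ($inPriv -and $line -match $pattern) {
        # 2a. The right already has holders: add ours unless it is already there
        #     (by SID or by name), keeping the existing holders untouched.
        $holders = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if (($holders -notcontains $entry) -and ($holders -notcontains $Account)) { $holders += $entry }
        $out.Add("$Privilege = " + ($holders -join ','))
        $done = $true
        continue
    }
    $out.Add($line)
}
# [Privilege Rights] was the last section and never contained the right.
if ($inPriv -and -not $done) { $out.Add("$Privilege = $entry"); $done = $true }
if (-not $done) {
    # 2b. No [Privilege Rights] section at all: create it.
    $out.Add('[Privilege Rights]')
    $out.Add("$Privilege = $entry")
}
Set-Content -Path $new -Value $out -Encoding Unicode

# 3. Import only the user-rights area so nothing else in local policy changes.
secedit.exe /configure /db $db /cfg $new /areas USER_RIGHTS /log $log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $log" }

# 4. Verify by exporting again and reading the right back.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$check = Get-Content -Path $cfg -Encoding Unicode | Where-Object { $_ -match $pattern }
if ($check -and ($check -match [regex]::Escape($entry))) {
    Write-Host "OK: $check"
} else {
    throw "$Privilege does not list $entry after import"
}
```

Two practical notes for the SQL Server case: the privilege is attached to the logon token, so the SQL Server service must be restarted before it can lock pages, and if SQL Server runs under a virtual or per-service account the name to pass is the one shown in the service's "Log On" tab (for example `NT SERVICE\MSSQLSERVER`), which `NTAccount.Translate` resolves in the same way as a domain account.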