Setting SeTcbPrivilege (act as part of OS) is not working.


I am trying to use the below script to set SeTcbPrivilege (Act as part of operating system), but it is not working. No error message is thrown; it runs as if it worked, but nothing changes and the account does not get the permission.

Other permissions, like Logon as a batch job (SeBatchLogonRight), are working fine using the same logic.

Any ideas?


<hr />


```powershell
# <--- Configure here

if( [string]::IsNullOrEmpty($accountToAdd) ) {
    Write-Host "no account specified"
}

# ---> End of Config

# Resolve the account name to its SID
$sidstr = $null
try {
    $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
    $sidstr = $sid.Value.ToString()
} catch {
    $sidstr = $null
}

Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

if( [string]::IsNullOrEmpty($sidstr) ) {
    Write-Host "Account not found!" -ForegroundColor Red
    exit -1
}

Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

$tmp = [System.IO.Path]::GetTempFileName()

Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)"

$c = Get-Content -Path $tmp

$currentSetting = ""

foreach($s in $c) {
    # Act as part of operating system
    if( $s -like "SeTcbPrivilege*") {
        $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
        $currentSetting = $x[1].Trim()
    }
}

# Wildcards so the SID is found anywhere in the comma-separated list
if( $currentSetting -notlike "*$($sidstr)*" ) {
    Write-Host "Modify Setting ""Act as part of operating system""" -ForegroundColor DarkCyan

    # secedit expects each SID in the list to be prefixed with '*'
    if( [string]::IsNullOrEmpty($currentSetting) ) {
        $currentSetting = "*$($sidstr)"
    } else {
        $currentSetting = "*$($sidstr),$($currentSetting)"
    }

    Write-Host "$currentSetting"

    $outfile = @"
[Privilege Rights]
SeTcbPrivilege = $($currentSetting)
"@

    $tmp2 = [System.IO.Path]::GetTempFileName()

    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

    #notepad.exe $tmp2
    Push-Location (Split-Path $tmp2)
    Write-Host "Security: "
    Write-Host $tmp2

    try {
        secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
        #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
    } finally {
        # Undo the Push-Location above even if secedit throws
        Pop-Location
    }
} else {
    Write-Host "NO ACTIONS REQUIRED! Account already in ""Act as part of operating system""" -ForegroundColor DarkCyan
}

Write-Host "Done." -ForegroundColor DarkCyan
```

Depending on what you are doing, there are some better options or minimally simplified scripts. This thread has 2 options to elevate a user:

But if you are doing an installation and just trying to temporarily elevate a process thread to do a one-time operation, this is a much better option than giving the user eternal rights:

There is a GitHub link to a script showing a full example of the above link.
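
The script in the question never checks whether `secedit.exe` succeeded, so a failed import prints the same output as a successful one. The following added example (not part of the original thread) re-exports the user rights and checks whether the account's SID is actually listed; the function names and the `CONTOSO\svc-app` account are placeholders, and treating a nonzero exit code as failure is an assumption.

```powershell
# Added example: confirm that a user-rights assignment really took effect.
# Get-UserRightEntries / Test-UserRight are hypothetical helper names.
function Get-UserRightEntries {
    param([Parameter(Mandatory)][string]$Right)

    $cfg = [System.IO.Path]::GetTempFileName()
    $log = [System.IO.Path]::GetTempFileName()
    try {
        secedit.exe /export /cfg "$cfg" /areas USER_RIGHTS /log "$log" | Out-Null
        # Assumption: a nonzero exit code means the export failed.
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /export failed ($LASTEXITCODE): $(Get-Content $log -Raw)"
        }
        # A right that nobody holds has no line in the export at all.
        $pattern = "^\s*$([regex]::Escape($Right))\s*="
        $line = Get-Content -Path $cfg | Where-Object { $_ -match $pattern }
        if (-not $line) { return @() }
        # Entries are comma separated; SIDs carry a leading '*', names do not.
        return @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    } finally {
        Remove-Item -Path $cfg, $log -Force -ErrorAction SilentlyContinue
    }
}

function Test-UserRight {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Right
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $entries = Get-UserRightEntries -Right $Right
    # Accept either the '*SID' form or a plain account-name entry.
    return ($entries -contains "*$sid") -or ($entries -contains $Account)
}

# Run elevated. 'CONTOSO\svc-app' is a placeholder account name.
if (Test-UserRight -Account 'CONTOSO\svc-app' -Right 'SeTcbPrivilege') {
    Write-Host 'SeTcbPrivilege is present in the exported policy.'
} else {
    Write-Host 'SeTcbPrivilege is NOT assigned; check the secedit exit code and log.' -ForegroundColor Red
}
```

If the import reports success but the SID is still absent here, check whether a domain Group Policy defines the same right, since that setting replaces the local assignment.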