PowerShell/JEA

SeServiceLogonRight is not getting cleaned up after exiting session

Earl-S opened this issue · 5 comments

My servers are all getting a new entry in SeServiceLogonRight (Log on as a service) for every JEA connection made and they are not getting cleaned up. The SID is S-1-5-94-xxx with the name of "WinRM Virtual Users\WinRM VA_xxx_Domain_UserID" where xxx is the next numeric number, Domain and UserID are for the person connected to the endpoint. I have some servers that have over 100 entries in a few days that only differ by the incremented number (each time an automated process runs it appears to create another entry).

Hi Earl,

Thanks for reporting this. I've confirmed I see the same behavior on my system. This right gets assigned when a session is created to allow the virtual administrator account to execute commands on your behalf, but there is no reason for the right to stick around after the account is deleted.

Can you file an issue on powershell/powershell for this?

Ryan

I have created the issue like you requested.
PowerShell/PowerShell#5296

Great, thank you so much. We'll get that triaged and figure out a plan for it. Please don't hesitate to shoot me an email (ryan dot puffer at microsoft.com) if this is blocking a deployment or requires more urgent attention.

Closing this issue in lieu of the other one in the product repo.

This issue has been fixed in Server 2016 with the November 2018 rollup and Server 2019 with the January 2019 rollup. In addition, this right is managed slightly differently; please see the documentation update here: https://github.com/PowerShell/PowerShell-Docs/pull/3446/files

Did this get fixed for Server 2012? I have the same issue and had to write a routine that removed the virtual user to get round the problem.
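
An audit for the leftover entries described in this thread, as an added example that is not part of the original discussion and is not the fix shipped in the rollups: it exports the local user-rights policy with `secedit` and reports which WinRM virtual-account entries still hold `SeServiceLogonRight`, changing nothing. Assumptions: the function name `Get-JeaServiceLogonLeftover` is hypothetical, and the exported line is assumed to list each holder either as `*SID` or as an account name.

```powershell
# Added example: read-only audit, run elevated on the server being checked.
# Get-JeaServiceLogonLeftover is a hypothetical name, not a built-in cmdlet.
function Get-JeaServiceLogonLeftover {
    [CmdletBinding()]
    param(
        # SID prefix and account-name prefix as reported in this issue.
        [string]$SidPrefix = 'S-1-5-94-',
        [string]$NamePrefix = 'WinRM Virtual Users\'
    )
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the local security policy.
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        # Assumed line format: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-94-12,Name
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }

        $entries = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
        foreach ($entry in $entries) {
            $bySid  = $entry.StartsWith($SidPrefix)
            $byName = $entry.StartsWith($NamePrefix, [StringComparison]::OrdinalIgnoreCase)
            if (-not ($bySid -or $byName)) { continue }

            # A SID that no longer translates belongs to a deleted virtual account.
            $name = $entry
            if ($bySid) {
                $name = try {
                    $sid = [Security.Principal.SecurityIdentifier]$entry
                    $sid.Translate([Security.Principal.NTAccount]).Value
                } catch { $null }
            }
            [pscustomobject]@{ Entry = $entry; Account = $name; Orphaned = -not $name }
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$leftovers = @(Get-JeaServiceLogonLeftover)
'{0} WinRM virtual-account entries hold SeServiceLogonRight' -f $leftovers.Count
$leftovers | Group-Object Orphaned | Select-Object Name, Count
```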