Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following Powershell scripts.

Posted by : blakedrumm on Jan 5, 2022


This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User. I modified the script so you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights


All of the User Rights that can be set:

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users

Single Users

Example 1
Add User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2
Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3
Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4
Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5
Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1
Remove User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2
Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3
Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4
Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5
Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights). You may copy and paste the above script into your Powershell ISE and press play.


Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:



How to Set Logon User Rights with the Ntrights.exe in windows 10(64 bit) [duplicate]

I need to know whether ntrights.exe 64 bit version exists?

If not, which is the 64 bit equivalent of ntrights.exe?

Thanks in advance.


What is an equivalent for ntrights.exe on Windows 10?

Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

Read the blakedrumm page for detailed instructions, and download the script .

I just tested it successfully on Windows 2022 Standard.

  • 1 This looks really useful but all of the links are broken. –  user2871239 Jan 26, 2023 at 13:35



User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments. In particular this means you should be cognizant of rights assignments on member servers which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain use group policy.

  • Logon rights
  • Admin equivalent rights
  • Tracking user rights with the security log
  • User rights in-depth
  • Access this computer from the network
  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Allow log on locally
  • Allow logon through Terminal Services
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create global objects
  • Create permanent shared objects
  • Debug programs
  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally
  • Deny logon through Terminal Services
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Impersonate a client after authentication
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files and other objects


MorganTechSpace

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:

In this article, I am going to explain how to set or configure the Allow log on locally user right/permission/privilege using Local Security Policy, Powershell, C# and the command-line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

  • Grant Allow log on locally user rights via Powershell
  • Set Allow log on locally user rights via Command Line
  • Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing the ‘Windows’ + ‘R’ keys.

2. Type the command secpol.msc in the text box and click OK.

3. The Local Security Policy window will now open. In that window, navigate to the node User Rights Assignment (Security Settings -> Local Policies -> User Rights Assignment). In the right-side pane, search for and select the policy Allow log on locally.

4. Double-click on the policy Allow log on locally. In the opened window, click the button Add User or Group, select the user account you want to grant the Allow log on locally right, click OK, and then click the Apply button to finish.

Set or Grant Allow log on locally user rights via Powershell

We can set the Allow log on locally user rights using Powershell by importing the third-party DLL (Carbon). Before you run the below script, you need to download the latest Carbon files from here: Download Carbon DLL.

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download the latest Carbon files from here: Download Carbon DLL.
  2. Once you have downloaded the files, extract the zip file and you will see the Carbon DLL inside the bin folder (in my case: C:\Users\Administrator\Downloads\Carbon\bin\Carbon.dll).
  3. Copy the below Powershell script commands and place them in Notepad or a text file.
  4. Replace the Carbon DLL path in the script with your own path in the variable $CarbonDllPath.
  5. You can also replace the user identity that you are going to grant the log on locally user right in the variable $Identity.
  6. Now open a Powershell window with Admin privilege (Run as Administrator).
  7. Copy the edited Powershell script and run it in Powershell to configure the Allow log on locally user right.

Powershell output :


Other web site links for Carbon DLL:

https://bitbucket.org/splatteredbits/carbon/downloads
http://pshdo.com/
http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allow Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file


Powershell GPO Deep Dive – Part 1


Creating a GPO in order to set User Rights Assignment completely in PowerShell: Can it be done?

This series of posts aims to share some interesting things learned about how GPOs are structured and things discovered about what the Backup-GPO and Import-GPO routines are doing within the Powershell GPO module. The research was limited to User Rights Assignments and scripting up such a GPO – with absolutely no warranties whatsoever!

Remember that changing security settings and user rights assignments can cause issues.

It turns out that there is another way that this can be done, by creating a blank GPO and creating the relevant files directly in SYSVOL in around 10 lines of code, but this does feel even more dangerous / hacky to me.

Create a GPO for User Rights Assignment in Powershell

One of my colleagues asked me if we could script up an end-to-end GPO that would add in some Deny elements within the User Rights Assignments section. I immediately replied with “yeah sure, no worries” with a vague recollection that there was now a bunch of GPO commands like New-GPO that could create a GPO and command-lets that let you set registry values ( Set-GPRegistryValue ).

Some time later I discovered that actually…. NO.. No it is not possible to script up a full GPO to do what we wanted. It is possible to make a new empty GPO, Link it, add registry settings but if there is a need to add Deny Logon type elements to the Security node under User Rights Assignment, this is not currently possible.

This discovery disappointed me to say the least. What other options are available? Before moving any further let’s talk about what our given scenario was:

We would like to script up a GPO that will allow us to dynamically inject the usernames and groups that we want to be denied access to various User Rights Assignment elements in a GPO.

An image depicting the User Rights Assignment Section of an empty GPO

Of course, you could make a GPO through the GUI and then export it as a Backup using the Backup-GPO command and then save that somewhere and you could just import that GPO using Import-GPO . In our scenario, this just won’t cut it. We need to be able to inject our own account and group names – If we just blindly import, we’ll just get a bunch of stuff that may or may not be valid based on some statically exported values.

This got me thinking: what if we could Back up a GPO, get the resultant files prepared in such a way that we can replace the relevant values in the files that it creates with the user and group names of the things we want inside the GPO, and THEN run the Import-GPO command?

Before we jump down that rabbit hole, let us consider what gets created by the backup-gpo command-let in the specific scenario we are looking at.

What’s in an Empty GPO?

In order to back up a GPO, we first need a GPO to back up.  In our example, we will create a GPO called “NewGPO”

A screenshot showing the Group Policy Management Console

Looking at this GPO, we can see that it is empty. The only thing of note for us is the Unique ID (GUID) of {28AA0345-4804-4CE9-A41D-F7C89D5D5BD3}

A screenshot of an empty GPO with nothing configured except the Unique ID

We will find this policy “{28AA0345-4804-4CE9-A41D-F7C89D5D5BD3}” under sysvol. In the filesystem, it looks like this:

A screenshot showing an example GPO under SYSVOL

The first folder “Machine” is the structure for Computer related elements. The second folder “User” is for User related Policy Elements.

Since our GPO is empty, both folders will also be empty. However there is a file called “GPT.INI” in the root of this folder (note that the filename is in capital letters – strangely, capitals only when created not restored). At this point the GPT.INI contains the GPO Version (how many times the policy has been modified and saved) and displayName of the policy as shown in the console. The encoding for this file is “UTF-8” (see screenshot below as an example):

Contents of a brand new GPO's GPT.INI file

A GPO with one User Rights Assignment value set

Let’s go back into our GPO and create a single element for Deny Access to this computer from the network and set it for Administrators as pictured below:

A screenshot of a GPO where Deny access to this computer from the network has been set for Administrators

If we walk the filesystem under SYSVOL as we did earlier, we will find that everything is the same, except that the “Machine” folder tree now has a subfolder \Machine\Microsoft\Windows NT\SecEdit containing a single file called GptTmpl.inf


Looking at the file, we can see it is like any old school .inf file with sections in square brackets. The last section is where the actual Logon Rights are stored. In this case; we asked for Deny Access to this computer from the network to be set for administrators. The system translated that to DenyNetworkLogonRight = *S-1-5-32-544.

The system has converted our plain text request into this instruction. The SID shown here is simply a translation from the list of well known SIDs for Administrator.

What’s inside a Backup-GPO?

Let’s back up our example GPO using the Backup-GPO command in powershell:


This creates a file structure within the Administrator’s temp folder. It creates a folder with a newly created random guid (referred to as the Backup ID). The original GPO’s GUID {28AA0345-4804-4CE9-A41D-F7C89D5D5BD3} is stored in the backup as “GpoID” and can be seen in  the results of the command above (and in some of the GPO’s backed up files – more on that in a moment).

The backed up GPO has been saved under the new ID Folder name of {43E048D3-ECC6-4F29-AF9D-CF464EEF4CD5}.

Be aware that there are two extra hidden XML files that get created after running a Backup-GPO command. The first file is outside the GUID folder at the folder where the command ran, The file is called Manifest.xml and is very important if you wish to import the GPO somewhere else.

A screenshot of the top level folder of a backed up GPO

The manifest.xml file is quite ugly. It is in XML, but it will probably show as one big long line of unbroken text. Here’s a version of our manifest.xml (encoding is UTF-8) with wordwrap turned on in Notepad:


In short, the Manifest.xml file is used by the import-gpo routine to provide instructions on where GPOs that have been backed up can be found. It also contains information on the domain and domain controller it was backed up from. You will also find the time and the display name of the original GPO. Each GPO backed up will be found inside a <BackupInst> tag set.

As mentioned earlier, there is another hidden file. This file is in the GUID folder and called bkupinfo.xml. It looks remarkably similar to the Manifest file with one less tag. The first tag <backups> is not present – The Backups tag is only found in the manifest file and is used to encapsulate each GPO that can be found at the backed up folder location along with its associated GUID/ID pair. In our case, we only have one GPO, so the file looks almost identical (without the <Backups> tag).


NOTE: For this file to be able to be imported, you must not break some tags over new lines or the import command will completely crash the powershell session; eg; The file formatted as below would cause the client to crash. You can remove the empty lines without a problem.


The purpose of the SecurityGroups section is so that if you have custom user/group names inside your policy, they can be transformed if imported into a new domain. Be aware that the entire SecurityGroups section MUST be on a single unbroken line, otherwise Import-GPO will crash and terminate the current powershell session.

The purpose of the GroupPolicyCoreSettings is to capture some of the basic GPO settings, Domain, original GPO GUID (stored as ID) and any machine policies that are in use. In our example, we are only using the one policy for the Security section of our GPO – {827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}. This section MUST all be on a single unbroken line otherwise Import-GPO will crash and terminate the current powershell session.

In our example, we are actually only using the Extension highlighted in blue, so we really don’t need the other extensions for import-gpo to work. In our scenario, we could safely remove the other extensions below the extension highlighted in blue. Be aware that the entire GPO Extension lines MUST be in a continuous unbroken line otherwise Import-GPO will crash and terminate the current powershell session.

Finally, we have the gpttmpl.inf file that is stored in the same subfolder location as the live GPO. The file also is identical to what was present in SYSVOL. Be aware that this file MUST be encoded as UTF-16LE (Unicode).
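One way to generate the GptTmpl.inf content described above, as an added example that is not from the original post or its linked script: it resolves account names to SIDs and writes the file as UTF-16LE. The function names, the output path and the sample identities are assumptions, and the full constant name SeDenyNetworkLogonRight is used for the "Deny access to this computer from the network" setting.

```powershell
# Added example: build a GptTmpl.inf with a [Privilege Rights] section.
# Resolve-ToSidEntry and New-GptTmplInf are hypothetical helper names.

function Resolve-ToSidEntry {
    param([Parameter(Mandatory)][string]$Identity)

    if ($Identity -match '^S-\d-\d+(-\d+)+$') {
        # Already a SID string (e.g. S-1-5-32-544): validate it and use it as-is.
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Identity)
    }
    else {
        # Account or group name: translate to a SID. Throws if it cannot be
        # resolved, so an unknown name never ends up in the template.
        $account = [System.Security.Principal.NTAccount]::new($Identity)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    # GptTmpl.inf marks SIDs with a leading asterisk.
    return '*' + $sid.Value
}

function New-GptTmplInf {
    param(
        # Hashtable: user-right constant -> array of account names or SIDs.
        [Parameter(Mandatory)][hashtable]$PrivilegeRights,
        [Parameter(Mandatory)][string]$Path
    )

    $lines = @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
    )

    foreach ($right in ($PrivilegeRights.Keys | Sort-Object)) {
        # Reject anything that does not look like a user-right constant so a
        # typo cannot inject an extra section or key into the template.
        if ($right -notmatch '^Se[A-Za-z]+(Right|Privilege)$') {
            throw "Unexpected user right name: $right"
        }
        $entries = foreach ($id in $PrivilegeRights[$right]) {
            Resolve-ToSidEntry -Identity $id
        }
        $lines += ('{0} = {1}' -f $right, ($entries -join ','))
    }

    # -Encoding Unicode writes UTF-16LE, the encoding the post says is required.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
}

# Constructed sample input. The first entry reproduces the post's example
# (Administrators, S-1-5-32-544) by name; the name is the English-locale one.
# The second entry passes a SID directly (S-1-5-32-546, built-in Guests).
$rights = @{
    SeDenyNetworkLogonRight = @('BUILTIN\Administrators')
    SeDenyServiceLogonRight = @('S-1-5-32-546')
}

$out = Join-Path $env:TEMP 'GptTmpl.inf'   # assumed output location
New-GptTmplInf -PrivilegeRights $rights -Path $out
Get-Content -LiteralPath $out
```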

To build our GPO to set just our User Rights assignment, the minimum number of files is 4 (2 hidden):

  • Manifest.xml in the root of the folder where the backup was created (outside the GUID folder) – hidden.
  • backup.xml inside the root of the GUID folder
  • bkupinfo.xml inside the root of the GUID folder – hidden.
  • GptTmpl.inf in the same subfolder structure as the original real live GPO (<Guid>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit)

The structure looks like this:


The Backup.inf file

What if I told you… we could build this all out and remove most of the values present in the backup.inf and still import fine with import-gpo ? Tune in next week for the next part in this series to learn more. I’ll put together some example template files.

In the meantime, here’s a sneak peek at the script that will be discussed: https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1

Happy GPOing.

A full list of User Rights Assignment

The table below lists all the User Rights Assignments and their translated constant values. Each Policy setting is linked to a page over at Microsoft (***except one – there seems to be an error over there).

Notes:

* You MUST specify at least Administrator for this right
** Administrators and SERVICE MUST be granted this right
*** The associated description for this right is missing over at Microsoft at time of writing.


Pete Hinchley : Override User Rights set via Group Policy using SecEdit

You are a local administrator on a server, and you are about to install an application. The installation package requires a specific user right, and guess what, you don't have it. To make matters worse, the required user right is managed via group policy, and you don't have the permissions needed to change it. Wouldn't it be great if you could define a local override for the user right set via group policy? Unfortunately, this isn't possible using the Local Security Policy editor (secpol.msc). Fear not. There is a quick solution. Open an elevated command prompt and run the following command to export the currently configured user rights:

Now edit policy.inf and grant yourself the required rights. For example, let's say the Debug Programs user right is cleared via group policy (i.e. not assigned to anyone). To grant the right to the local administrators group, add the following line to the policy file:

Where SeDebugPrivilege is the identifier for the Debug Programs user right, and S-1-5-32-544 is the SID of the local administrators group.

After you have made the required changes, you can use the following command to apply the new user rights:

And that's it. If you now run secpol.msc you will see the Debug Programs user right has been assigned to the local administrators group.

Note: While this approach is useful for temporarily overriding the user rights set via group policy, the changes made via secedit will not be permanent; the user rights will be restored to their previous values during the next group policy refresh cycle.
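Because the override described above is applied locally and lasts only until the next group policy refresh, the same secedit export can be used to spot it. The following is an added example, not the author's code: it exports the effective user rights, parses the [Privilege Rights] section and reports holders that an expected baseline does not list. The function names, the baseline values and the file path are assumptions.

```powershell
# Added example: export effective user rights with secedit and flag holders
# that are not in an expected baseline. Run from an elevated session.

function ConvertFrom-PrivilegeRights {
    param([string[]]$Lines)

    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        # Values are comma-separated; SIDs carry a leading '*', names do not.
        $rights[$name] = @(
            $Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        )
    }
    return $rights
}

function Get-ExportedUserRights {
    param([string]$CfgPath = (Join-Path $env:TEMP 'policy.inf'))

    # /areas USER_RIGHTS limits the export to the user rights assignments.
    secedit.exe /export /cfg $CfgPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }
    ConvertFrom-PrivilegeRights -Lines (Get-Content -LiteralPath $CfgPath)
}

function Compare-UserRightsBaseline {
    param([hashtable]$Actual, [hashtable]$Baseline)

    foreach ($right in $Baseline.Keys) {
        $expected = @($Baseline[$right])
        $found = if ($Actual.ContainsKey($right)) { @($Actual[$right]) } else { @() }
        # Report holders present on the machine but absent from the baseline.
        foreach ($holder in $found) {
            if ($expected -notcontains $holder) {
                [pscustomobject]@{ UserRight = $right; UnexpectedHolder = $holder }
            }
        }
    }
}

# Constructed sample: the state after the override described above, where
# group policy leaves "Debug programs" unassigned but the local export shows
# the local administrators group (S-1-5-32-544) holding it.
$sample = @(
    '[Unicode]'
    'Unicode=yes'
    '[Privilege Rights]'
    'SeDebugPrivilege = *S-1-5-32-544'
    'SeServiceLogonRight = *S-1-5-80-0'
    '[Version]'
    'signature="$CHICAGO$"'
    'Revision=1'
)

# Assumed baseline: what group policy is expected to enforce on this host.
$baseline = @{
    SeDebugPrivilege    = @()
    SeServiceLogonRight = @('S-1-5-80-0')
}

$actual = ConvertFrom-PrivilegeRights -Lines $sample
Compare-UserRightsBaseline -Actual $actual -Baseline $baseline

# On a live host, use the real export instead of the sample:
#   Compare-UserRightsBaseline -Actual (Get-ExportedUserRights) -Baseline $baseline
```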


User rights assignment in Group Policy Object using powershell?

Not able to grant user rights assignment in group policy object using PowerShell. Is there any way or command to add user rights in group policy?

Manual steps:

  • Open Group Policy Management
  • Navigate to the following path in the Group Policy Object
  • Select Policy
  • Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  • Add/remove the necessary users.

Image of rights which needs to be assigned


I realise this post is quite old, but there is a post that talks about a way you could do this by building up a GPO, the same way the export/import GPO works in Powershell: https://jigsolving.com/gpo-deep-dive-part-1/ Within that article, there's a bare bones example of this on Github: https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1

It definitely works, and this is just one way it can be done. The article focuses on basically building up the raw bones of a GPO that resembles what an exported GPO looks like, and then imports it.

Give this a try.

https://learn-powershell.net/2015/06/03/managing-privileges-using-poshprivilege

Thanks @MotoX80 for sharing this module. Tried this module but it didn't work as per my expectations. I am looking to add user rights in group policy in group policy management of domain controller, but this module gives user rights in local policy. If you have another module or command, please share. I also tried Set-GPPermission but it is giving user permission to edit settings, delete, modify security.

I no longer have access to an AD environment, so I am not able to test. Perhaps another forum user can provide assistance.

Have you seen this page?

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759177(v=ws.11)?redirectedfrom=MSDN

https://www.ntweekly.com/2020/08/07/configure-a-group-policy-with-powershell/

Yes, already seen these pages. And as per this link/sheet, https://www.microsoft.com/en-au/download/details.aspx?id=25250, user rights assignment don't have registry keys.

Random thoughts from a retired sysadmin....

Well it has to be stored somewhere on the DC.

https://techgenix.com/group-policy-settings-part1/

Make a change to one policy and then search the sysvol folder and see if you can find the file that contains your update. If that's a text based file (not in binary format) then you might be able to update the policy just like you would update the content of any other text file.

I assume that you have already done the "Import-Module GroupPolicy" and searched for "GP" related commands as that page described. If you haven't, then you should start there.

Hi @ArpitShivhare-6858

I've had to do something similar in the past with automatic GPO generation, and the below was the only way I could find to do so. It basically creates the GPO manually, but it should work for your purposes.

To add additional fields or users to the Local User Rights Assignments, I would recommend creating the GPO manually, then taking a look at the GptTmpl.inf file to see what format, values and syntax of the fields required. From my testing it uses SIDs, not the SamAccountName value, so you will have to pull the SID for each user that you need to add.


Managing Privileges using PoshPrivilege

A recent project of mine has been to write a module to manage privileges on a local system. What I came up with is a module called PoshPrivilege that allows you to not only look at what user rights are available on a local or remote system, but also provides the ability to Add, Remove, Enable and Disable the privileges as well.

If you are running PowerShell V5, you can download this module from the PowerShell Gallery:

Otherwise, check out my GitHub page where I am maintaining this project:

https://github.com/proxb/PoshPrivilege

I won’t spend time talking about how I wrote this module and my reasons behind it. What I will say is that instead of writing out C# code and then using Add-Type to compile it, I went with the Reflection approach of building out everything from the pinvoke signatures for methods to the Structs and even the Enums.

Let’s get started by looking at what is available in this module. The first function that is available is Get-Privilege and it comes with a few parameters. This function’s purpose is to let you view what privileges are currently available on the system (local or remote) as well as what is currently applied to your current process token.


A quick run through of using this function with various parameters:


If this one looks familiar, then you have probably used the following command:

I opted for boolean values instead to determine the state for easier filtering if needed.

Up next are the Enable/Disable-Privilege functions. These Enable or Disable the privileges that are currently available to your process token on your local system. This means that if something like SeDebugPrivilege isn’t available on your system (such as being removed via Group Policy), then you cannot use Enable-Privilege to enable this privilege on your process token. As in the previous image where we can see what is enabled and disabled, these are the only privileges that are available for me to work with.

To show this point, I am going to enable both SeSecurityPrivilege and SeDebugPrivilege so you can see that while the first privilege will show as Enabled, the other will not appear as it has not been made available.


As you can see from the picture, SeSecurityPrivilege has been enabled as expected, but SeDebugPrivilege is nowhere to be found. If we want SeDebugPrivilege, we will need to go about this another way which will be shown shortly.
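To tell in advance which of the two cases applies, the check below (an added example, not part of the PoshPrivilege module) parses `whoami /priv /fo csv` output into objects with a boolean state and reports whether each wanted privilege can simply be enabled or must first be assigned to the account. The function names are hypothetical, the sample output is constructed, and the English `State` values are an assumption.

```powershell
# Added example, not part of PoshPrivilege. Function names are hypothetical.
# Constructed sample in the shape produced by: whoami /priv /fo csv
$sampleLines = @'
"Privilege Name","Description","State"
"SeSecurityPrivilege","Manage auditing and security log","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
'@ -split '\r?\n'

function ConvertFrom-WhoamiPriv {
    param([Parameter(Mandatory)][string[]]$Line)
    # One object per privilege held by the token, with a boolean state.
    $Line | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Privilege = $_.'Privilege Name'
            Enabled   = ($_.State -eq 'Enabled')
        }
    }
}

function Get-PrivilegeAction {
    param(
        [Parameter(Mandatory)][object[]]$TokenPrivilege,
        [Parameter(Mandatory)][string[]]$Wanted
    )
    foreach ($name in $Wanted) {
        $entry = $TokenPrivilege | Where-Object { $_.Privilege -eq $name }
        if (-not $entry) {
            # Absent from the token: enabling cannot work until the right is
            # assigned to the account and a new logon token is issued.
            $action = 'Assign to the account, then log off and back on'
        } elseif ($entry.Enabled) {
            $action = 'None, already enabled'
        } else {
            $action = 'Enable on the current process token'
        }
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$entry
            Action    = $action
        }
    }
}

$token = ConvertFrom-WhoamiPriv -Line $sampleLines
Get-PrivilegeAction -TokenPrivilege $token -Wanted SeSecurityPrivilege, SeDebugPrivilege
```

On a live system, pass the output of `whoami /priv /fo csv` as `-Line` instead of the constructed sample.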

Disabling a privilege can be done using Disable-Privilege as shown in the example below.


Now that I have covered Enabling and Disabling of the privileges and their limitations, I will move on to the Add/Remove-Privilege functions, which allow you to add a privilege for a user or group or remove it on a local system. Note that if the privilege is set by Group Policy, the change only lasts until Group Policy reverts it. The change will also not show up if you look at the privileges available on your current process token (you will need to log off and log back in to see it).

Remember that I do not have SeDebugPrivilege available to use? Well, now we can add it to my own account using Add-Privilege.


We can see it is now available, but as I mentioned before, it doesn’t show up in my current process. A logoff and login now shows that it is not only available, but already enabled.


With this now enabled, we could disable it as well if needed using Disable-Privilege. I added my account for show, but we can also add groups this way as well.

As with Adding a privilege, we can remove privileges as well using Remove-Privilege.


As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account.

Again, you can install this module using Install-Module if running PowerShell V5 and this project is out on GitHub to download (and contribute to as well). Enjoy!


4 responses to managing privileges using poshprivilege.


I downloaded the scripts from Github, but getting compile errors.

Specifically, the errors are around the WinOS structures listed below:

    Unable to find type [LUID]: make sure that the assembly containing this type is loaded.
    Unable to find type [LSA_UNICODE_STRING]: make sure that the assembly containing this type is loaded.
    Unable to find type [LARGE_INTEGER]: make sure that the assembly containing this type is loaded.
    Unable to find type [LUID_AND_ATTRIBUTES]: make sure that the assembly containing this type is loaded.
    Unable to find type [TokPriv1Luid]: make sure that the assembly containing this type is loaded.
    Unable to find type [TOKEN_INFORMATION_CLASS]: make sure that the assembly containing this type is loaded.
    Unable to find type [ProcessAccessFlags]: make sure that the assembly containing this type is loaded.

BTW, I have posted the full error log @ https://docs.google.com/document/d/18boeWSbvlLwpoIAMTJAp0ooNaLxe6kniYrJr_q3ZNMQ/edit?usp=sharing


Just a question, how can I grant the SESecurityPrivilege to the Set-Acl process? If I do a whoami /priv I can see my useraccount (PS –> run as administrator) I can see the privilege is enabled, but when I try to run the script I have I get the following error:

    Set-Acl : The process does not possess the ‘SeSecurityPrivilege’ privilege which is required for this operation.
    At C:\Scripts\SESOG\ImportACLSEv2.ps1:16 char:16
    + $acl | Set-Acl $path
    + ~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (P:\Common:String) [Set-Acl], PrivilegeNotHeldException
    + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

The script looks like this:

    # Each CSV row holds a path and the access rule exported from the original location
    $par = Import-Csv -Path "c:\scripts\sesog\ImportMainCC.csv" -Delimiter ";"

    foreach ($i in $par) {
        $path              = $i.Path
        $IdentityReference = $i.IdentityReference
        $AccessControlType = $i.AccessControlType
        $InheritanceFlags  = $i.InheritanceFlags
        $PropagationFlags  = $i.PropagationFlags
        $FileSystemRights  = $i.FileSystemRights
        echo $path $IdentityReference

        # Read the current ACL, set the rule from the CSV row, and write the ACL back
        $acl = Get-Acl $path
        $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
        $acl.SetAccessRule($accessRule)
        $acl | Set-Acl $path
    }

In the import csv a path is set and exported export rights from the original location (I am doing a fileserver migration) but on each of the folders mentioned the inheritance flag has been removed.

Pingback: PowerShell Magazine » The case of potentially broken PackageManagement for Windows 10 Insiders


You are a lifesaver! I have been fretting over how to manage service account rights on remote servers – each OU has a corresponding AD security group and GPO, and doing this manually is both time-consuming and fraught with error. I can’t wait to try this out. First PoshWSUS, then this …you rock.



COMMENTS

  1. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

  2. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  3. Setting user rights assignment of local security policy using

    I want to edit security settings of user rights assignment of local security policy using powershell or cmd. Eg: policy = "change the system time". default_security_settings = "local service,Administrators". i want to remove everything except Administrators. i have tried ntrights command, but seems like not working Any command will be appreciated.

  4. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  5. command line

    What is an equivalent for ntrights.exe on Windows 10? Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

  6. Understanding Group Policies: User Rights Assignment Policies

    Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

  7. Configure security policy settings

    In the console tree, click Computer Configuration, select Windows Settings, and then select Security Settings. Do one of the following: Select Account Policies to edit the Password Policy or Account Lockout Policy. Select Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options. In the details pane, double-click the ...

  8. User Rights Assignments

    User Rights Assignments. Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users.

  9. User rights assignment in Windows Server 2016

    Local Policies/User Rights Assignment. User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be ...

  10. Allow or Prevent Users and Groups to Sign in Locally to Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane. (see screenshot below) 3.

  11. Set Allow Log On Locally User Rights via Powershell, C# and CMD

    Configure Allow log on locally user rights via Local Security Policy GUI. Follow the below steps to set Allow log on locally user rights via Local Security Policy. 1. Open the Run window by pressing ' Windows' + ' R' keys. 2. Type the command secpol.msc in the text box and click OK. 3. Now the Local Security Policy window will be open ...

  12. Allow log on locally

    For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server ...

  13. User Rights Assignment

    To Add a User or Group to a User Rights Assignment Policy. A) In the elevated command prompt, type the command below for what user or group that you would like to add to what policy, and press Enter. NOTE: See blue note box below step 4. ntrights -U " User or Group " +R PolicyConstantName.

  14. Powershell GPO Deep Dive

    Let's back up our example GPO using the Backup-GPO command in powershell: > Backup-GPO -name NewGPO -path C:\users\Administrator\AppData\Local\Temp. This creates a file structure within the Administrator's temp folder. It creates a folder with a newly created random guid (referred to as the Backup ID).

  15. How can I grant User Rights from the command line?

    If you want to grant rights from the command line, for use with account generation scripts etc., the Windows NT Resource Kit Supplement Two includes a new utility called NTRIGHTS.EXE which grants user rights from the command line. The program uses a series of codewords for each user right: Code Word: User Right ...

  16. User Rights Assignment

    User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when ...

  17. : Override User Rights set via Group Policy using SecEdit

    Open an elevated command prompt and run the following command to export the currently configured user rights: secedit /export /cfg policy.inf /areas USER_RIGHTS. Now edit policy.inf and grant yourself the required rights. For example, let's say the Debug Programs user right is cleared via group policy (i.e. not assigned to anyone).

  18. User rights assignment in Group Policy Object using powershell?

    Manual steps: Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Image is no longer available. Windows.

  19. Using powershell, how do I grant "Log on as service" to an account?

    Everything is already on your computer and works from the command line. ... although personally I don't think I've ever figured out how to programmatically assign user rights. Doesn't mean it can't be done, though, but you'll probably be looking outside the realm of PowerShell specifically. ... with my script you can run against multiple ...

  20. Managing Privileges using PoshPrivilege

    As with Adding a privilege, we can remove privileges as well using Remove-Privilege. 1. Remove-Privilege -Privilege SeDebugPrivilege -AccountName boe-pc\proxb. As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account.