Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

windows user rights assignment powershell

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

:arrow_left:

All of the User Rights that can be set:

Note You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2
Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

UserAccountsRights

Note You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

:v:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

  • operationsManager
  • troubleshooting
  • certificates

windows user rights assignment powershell

Managing User Rights in Powershell

' src=

Managing User Rights Assignments in Powershell

Windows User Rights, also known as Windows Privileges, are traditionally managed via GPO or in the simplest of cases via the server’s Local Security Policy. These assignments control special permissions that are often needed by IIS applications or other application hosting on Windows Servers.

So how can we manage these assignments in Powershell? There’s no obvious solution provided in Powershell, but there are several options are available. None of which are a pure Powershell solution, but some are close.

  • Wrap the ntrights.exe process in Powershell. This is relatively simple, but the downside is having an external dependency on the ntrights.exe file.
  • Embed a wrapper class to the LSA API in your script. This is a pretty good solution but certainly bloats your script.
  • Load and Reference the Carbon DLL (If you haven’t already checked out this Powershell library, you should it is very powerful and regularly updated. I choose this approach because it keeps the script clean and compact, it returns an array of strings for easy interrogation. It does require a dependency on carbon.dll, but this library provides a ton of functionality beyond just this.

I like the 3rd option, its very clean, and I like working with the Carbon library.

Now lets take this script to the next level and wrap it into a DSC Script implementation. We can use this same logic in a DSC configuration to make sure our desired User Rights Assignments are kept in place.

What else can we do? We could also create a Custom DSC Resource to have a cleaner DSC Configuration.

Related Posts

windows user rights assignment powershell

Local Administrator Audit Script

windows user rights assignment powershell

Powershell Log Archival Script

My new stories.

windows user rights assignment powershell

windows user rights assignment powershell

  • PowerShell Forum Directory
  • Publications

Managing Privileges using PoshPrivilege

A recent project of mine has been to write a module to manage privileges on a local system. What I came up is a module called PoshPrivilege that allows you to not only look at what user rights are available on a local or remote system, but also provide the ability to Add, Remove, Enable and Disable the privileges as well.

If you are running PowerShell V5, you can download this module from the PowerShell Gallery:

Otherwise, check out my GitHub page where I am maintaining this project:

https://github.com/proxb/PoshPrivilege

I won’t spend time talking about how I wrote this module and my reasons behind it. What I will say is that instead of writing out C# code and then using Add-Type to compile it, I went with the Reflection approach of building out everything from the pinvoke signatures for methods to the Structs and even the Enums.

Let’s get started by looking at what is available in this module. The first function that is available is Get-Privilege and it comes with a few parameters. This function’s purpose is to let you view what privileges are currently available on the system (local or remote) as well as what is currently applied to your current process token.

image

A quick run through of using this function with various parameters:

image

If this one looks familiar, then it is probably likely that you have used the following command:

image

I opted for boolean values instead to determine the state for easier filtering if needed.

Up next are the Enable/Disable-Privilege functions. These work to Enable or Disable the privileges that are currently available on your local system to your process token. This means that if something like SeDebugPrivilege isn’t available on your system (such as being removed via Group Policy), then you cannot use Enable-Privilege to add your process token to this privilege. As in the previous image where we can see what is enabled and disabled, these are the only privileges that are available for me to work with.

To show this point, I am going to enable both SeSecurityPrivilege and SeDebugPrivilege so you can see that while the first privilege will show as Enabled, the other will not appear as it has not been made available.

SNAGHTMLd2422

As you can see from the picture, SeSecurityPrivilege has been enabled as expected, but SeDebugPrivilege is nowhere to be found. If we want SeDebugPrivilege, we will need to go about this another way which will be shown shortly.

Disabling a privilege can be done using Disable-Privilege as shown in the example below.

SNAGHTMLfdf1c

Now that I have covered Enabling and Disabling of the privileges and their limitations, I will move onto the Add/Remove-Privilege functions which allow you to add a privilege for a user or group or remove them on a local system. Note that this only works up until it gets reverted if set by group policy. This will also note show up if you look at the privileges available on your current process token (you will log off and log back in to see it).

Remember that I do not have SeDebugPrivilege available to use? Well, now we can add it to my own account using Add-Privilege.

image

We can see it is now available, but as I mentioned before, it doesn’t show up in my current process. A logoff and login now shows that it is not only available, but already enabled.

image

With this now enabled, we could disable it as well if needed using Disable-Privilege. I added my account for show, but we can also add groups this was as well.

As with Adding a privilege, we can remove privileges as well using Remove-Privilege.

image

As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account.

Again, you can install this module using Install-Module if running PowerShell V5 and this project is out on GitHub to download (and contribute to as well). Enjoy!

Share this:

4 responses to managing privileges using poshprivilege.

' src=

I downloaded the scripts from Github, but getting compile errors.

Specifically the errors are around the WInOS Structures listed below:

Unable to find type [LUID]: make sure that the assembly containing this type is loaded. Unable to find type [LSA_UNICODE_STRING]: make sure that the assembly containing this type is loaded. Unable to find type [LARGE_INTEGER]: make sure that the assembly containing this type is loaded. Unable to find type [LUID_AND_ATTRIBUTES]: make sure that the assembly containing this type is loaded. Unable to find type [TokPriv1Luid]: make sure that the assembly containing this type is loaded.

Unable to find type [TOKEN_INFORMATION_CLASS]: make sure that the assembly containing this type is loaded.

Unable to find type [ProcessAccessFlags]: make sure that the assembly containing this type is loaded.

BTW, I have posted the full error log @ https://docs.google.com/document/d/18boeWSbvlLwpoIAMTJAp0ooNaLxe6kniYrJr_q3ZNMQ/edit?usp=sharing

' src=

Just a question, how can I grant the SESecurityPrivilege to the Set-Acl process ? If I do a whoami /priv I can see my useraccount (PS –> run as administrator) I can see the privilege is enabled, but when I try to run the script I have I get the following error :

Set-Acl : The process does not possess the ‘SeSecurityPrivilege’ privilege which is required for this operation. At C:\Scripts\SESOG\ImportACLSEv2.ps1:16 char:16 + $acl | Set-Acl $path + ~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (P:\Common:String) [Set-Acl], PrivilegeNotHeldException + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

The script looks like this : $par = Import-Csv -Path “c:\scripts\sesog\ImportMainCC.csv” -Delimiter “;”

foreach ( $i in $par ) { $path= $i.Path $IdentityReference= $i.IdentityReference $AccessControlType=$i.AccessControlType $InheritanceFlags= $i.InheritanceFlags $PropagationFlags=$i.PropagationFlags $FileSystemRights=$i.FileSystemRights echo $path $IdentityReference $acl = Get-Acl $path $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission $acl.SetAccessRule($accessRule) $acl | Set-Acl $path }

In the import csv a path is set and exported export rights from the original location (I am doing a fileserver migration) but on each of the folders mentioned the inherentance flag has been removed.

Pingback: PowerShell Magazine » The case of potentially broken PackageManagement for Windows 10 Insiders

' src=

You are a lifesaver! I have been fretting over how to manage service account rights on remote servers – each OU has a corresponding AD security group and GPO, and doing this manually is both time-consuming and fraught with error. I can’t wait to try this out. First PoshWSUS, then this …you rock.

Leave a comment Cancel reply

Translate this blog.

  • Search for:

Recent Posts

  • Dealing with Runspacepool Variable Scope Creep in PowerShell
  • 2018 PowerShell Resolutions
  • Quick Hits: Getting the Local Computer Name
  • Recent Articles on MCPMag
  • Quick Hits: Finding all Hyperlinks in an Excel Workbook
  • Querying UDP Ports with PowerShell
  • Changing Ownership of File or Folder Using PowerShell
  • Quick Hits: Ping Sweep One Liner
  • Starting,Stopping and Restarting Remote Services with PowerShell
  • Setting up Local Administrator Password Solution (LAPS)
  • Building a Chart Using PowerShell and Chart Controls
  • Quick Hits: Finding Exception Types with PowerShell
  • Locating Mount Points Using PowerShell
  • Using PowerShell to Query Web Site Information
  • PowerShell and Excel: Adding Some Formatting To Your Report
  • background jobs
  • Internet Explorer
  • performance
  • powerscripting
  • Regular Expressions
  • scripting games 2012
  • scripting games 2013
  • scripting guy
  • winter scriting games 2014

Email Subscription

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Email Address:

Sign me up!

  • 5,533,051 Visitors Since August 5, 2010
  • Entries feed
  • Comments feed
  • WordPress.com

' src=

  • Already have a WordPress.com account? Log in now.
  • Subscribe Subscribed
  • Copy shortlink
  • Report this content
  • View post in Reader
  • Manage subscriptions
  • Collapse this bar

windows user rights assignment powershell

  • Outlook – General Tab
  • Outlook – Phone Tab
  • ADUC – General Tab
  • ADUC – Address Tab
  • ADUC – Account Tab
  • ISA/TMG Scripts
  • Active Directory on Fixed Ports
  • RPC Internet Ports in Windows 2008
  • DNS High Memory Utilization Issue
  • WP – Cookies for Comments
  • PHPBB HTTP 403 Forbidden Issue
  • Shift Key and RDP Woes
  • Domain Controller crash – memory leaking process
  • Associate MP3 files to MPG123.EXE with parameters
  • Privacy Policy

windows user rights assignment powershell

  • Active Directory

Powershell GPO Deep Dive – Part 1

windows user rights assignment powershell

Creating a GPO in order to set User Rights Assignment completely in PowerShell: Can it be done?

This series of posts aims to share some interesting things learned about how GPOs are structured and things discovered about what backup-gpo and import-gpo routines are doing within the Powershell GPO module . The research was limited to User Rights Assignments and scripting up such a GPO – with absolutely no warranties what so ever!

Remember that changing security settings and user rights assignments can cause issues.

It turnns out that there is another way that this can be done by creating a blank GPO and creating the relevant files directly in SYSVOL in around 10 lines of code but this does feel even more dangerous / hacky to me.

Create a GPO for User Rights Assignment in Powershell

One of my colleagues asked me if we could script up an end-to-end GPO that would add in some Deny elements within the User Rights Assignments section. I immediately replied with “yeah sure, no worries” with a vague recollection that there was now a bunch of GPO commands like New-GPO that could create a GPO and command-lets that let you set registry values ( Set-GPRegistryValue ).

Some time later I discovered that actually…. NO.. No it is not possible to script up a full GPO to do what we wanted. It is possible to make a new empty GPO, Link it, add registry settings but if there is a need to add Deny Logon type elements to the Security node under User Rights Assignment, this is not currently possible.

This discovery disappointed me to say the least. What other options are available? Before moving any further let’s talk about what our given scenario was:

We would like to script up a GPO that will allow us to dynamically inject the usernames and groups that we want to be denied access to various User Rights Assignment elements in a GPO.

An image depicting the User Rights Assignment Section of an empty GPO

Of course, you could make a GPO through the GUI and then export it as a Backup using the Backup-GPO command and then save that somewhere and you could just import that GPO using Import-GPO . In our scenario, this just won’t cut it. We need to be able to inject our own account and group names – If we just blindly import, we’ll just get a bunch of stuff that may or may not be valid based on some statically exported values.

This got me thinking: what if we could Back up a GPO, get the resultant files prepared in such a way that we can replace the relevant values in the files that it creates with the user and group names of the things we want inside the GPO, and THEN run the Import-GPO command?

Before we jump down that rabbit hole, let us consider what gets created by the backup-gpo command-let in the specific scenario we are looking at.

What’s in an Empty GPO?

In order to back up a GPO, we first need a GPO to back up.  In our example, we will create a GPO called “NewGPO”

A screenshot showing the Group Policy Management Console

Looking at this GPO, we can see that it is empty. The only thing of note for us is the Unique ID (GUID) of {28AA0345-4804-4CE9-A41D-F7C89D5D5BD3}

A screenshot of an empty GPO with nothing configured except the Unique ID

We will find this policy “{28AA0345-4804-4CE9-A41D-F7C89D5D5BD3}” under sysvol. In the filesystem, it looks like this:

A screenshot showing an example GPO under SYSVOL

The first folder “Machine” is the structure for Computer related elements. The second folder “User” is for User related Policy Elements.

Since our GPO is empty, both folders will also be empty. However there is a file called “GPT.INI” in the root of this folder (note that the filename is in capital letters – strangely, capitals only when created not restored). At this point the GPT.INI contains the GPO Version (how many times the policy has been modified and saved) and displayName of the policy as shown in the console. The encoding for this file is “UTF-8” (see screenshot below as an example):

Contents of a brand new GPO's GPT.INI file

A GPO with one User Rights Assignment value set

Lets go back into our GPO and create a single element for Deny Access to this computer from the network and set it for Administrators as pictured below:

A screenshot of a GPO where Deny access to this computer from the network has been set for Administrators

If we walk the filesystem under SYSVOL as we did earlier, we will find that everything is the same, except that the “Machine” folder tree now has a subfolder \Machine\Microsoft\Windows NT\SecEdit containing a single file called GptTmpl.inf

windows user rights assignment powershell

Looking at the file, we can see it is like any old school .inf file with sections in square brackets. The last section is where the actual Logon Rights are stored. In this case; we asked for Deny Access to this computer from the network to be set for administrators. The system translated that to DenyNetworkLogonRight = *S-1-5-32-544.

The system has converted our plain text request into this instruction. The SID shown here is simply a translation from the list of well known SIDs for Administrator.

What’s inside a Backup-GPO?

Let’s back up our example GPO using the Backup-GPO command in powershell:

windows user rights assignment powershell

This creates a file structure within the Administrator’s temp folder. It creates a folder with a newly created random guid (referred to as the Backup ID). The original GPO’s GUID {28AA0345-4804-4CE9-A41D-F7C89D5D5BD3} is stored in the backup as “GpoID” and can be seen in  the results of the command above (and in some of the GPO’s backed up files – more on that in a moment).

The backed up GPO has been saved under the new ID Folder name of {43E048D3-ECC6-4F29-AF9D-CF464EEF4CD5}.

Be aware that there are two extra hidden XML files that get created after running a Backup-GPO command. The first file is outside the GUID folder at the folder where the command ran, The file is called Manifest.xml and is very important if you wish to import the GPO somewhere else.

A screenshot of the top level folder of a backed up GPO

The manifest.xml file is quite ugly. It is in XML, but it will probably show as one big long line of unbroken text. Here’s a version of our manifest.xml (encoding is UTF-8) with wordwrap turned on in Notepad:

windows user rights assignment powershell

In short, the Manifest.xml file is used by the import-gpo routine to provide instructions on where GPOs that have been backed up can be found. It also contains information on the domain and domain controller it was backed up from. You will also find the time and the display name of the original GPO. Each GPO backed up will be found inside a <BackupInst> tag set.

As mentioned earlier, there is another hidden file. This file is in the GUID folder and called bkupinfo.xml. It looks remarkably similar to the Manifest file with one less tag. The first tag <backups> is not present – The Backups tag is only found in the manifest file and is used to encapsulate each GPO that can be found at the backed up folder location along with its associated GUID/ID pair. In our case, we only have one GPO, so the file looks almost identical (without the <Backups> tag).

windows user rights assignment powershell

NOTE: For this file to be able to be imported, you must not break some tags over new lines or the import command will completely crash the powershell session; eg; The file formatted as below would cause the client to crash. You can remove the empty lines without a problem.

windows user rights assignment powershell

The purpose of the SecuritGroups section is so that if you have custom user/group names inside your policy, they can be transformed if imported into a new domain. Be aware that the entire SecurityGroups section MUST be on a single unbroken line otherwise Import-GPO will crash and terminate the current powershell session.

The purpose of the GroupPolicyCoreSettings is to capture some of the basic GPO settings, Domain, original GPO GUID (stored as ID) and any machine policies that are in use. In our example, we are only using the one policy for the Security section of our GPO – {827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}. This section MUST all be on a single unbroken line otherwise Import-GPO will crash and terminate the current powershell session.

In our example, we are actually only using the Extension highlighted in blue, so we really don’t need the other extensions for import-gpo to work. In our scenario, we could safely remove the other extensions below the extension highlighted in blue. Be aware that the entire GPO Extension lines MUST be in a continuous unbroken line otherwise Import-GPO will crash and terminate the current powershell session.

Finally, we have the gpttmpl.inf file that is stored in the same subfolder location as the live GPO. The file also is identical to what was present in SYSVOL. Be aware that this file MUST be encoded as UTF-16LE (Unicode).

To build our GPO to set just our User Rights assignment, the minimum number of files is 4 (2 hidden):

Manifest.xml in the root of the folder where the backup was created (outside the GUID folder) – hidden. backup.xml inside the root of the GUID folder bkupinfo.xml inside the root of the GUID folder – hidden. GptTmpl.inf in the same subfolder structure as the oriignal real live GPO (<Guid>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit)

The structure looks like this:

windows user rights assignment powershell

The Backup.inf file

What if I told you… we could build this all out and remove most of the values present in the backup.inf and still import fine with import-gpo ? Tune in next week for the next part in this series to learn more. I’ll put together some example template files.

In the mean time, here’s a sneak peak at the script that will be discussed: https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1

Happy GPOing.

A full list of User Rights Assignment

The table below lists all the User Rights Assignments and their translated constant values. Each Policy setting is linked to a page over at Microsoft (***except one – there seems to be an error over there).

Notes: *You MUST specify at least Administrator for this right ** Administrators and SERVICE MUST be granted this right *** The associated description for this right is missing over at Microsoft at time of writing.

The featured photo in this post: Part of a photo by Francisco Jesús Navarro Hernández on Unsplash

RELATED ARTICLES MORE FROM AUTHOR

Install rsat tools via powershell, scheduled tasks: on event triggers with variables, protecting rpc, dhcp client stuck with 5 minute lease time, adcs web enrollment page takes a long time to load, leave a reply cancel reply.

Save my name, email, and website in this browser for the next time I comment.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How can I get an overview of all users with a specific user right in Windows?

I need to check that only the administrators group (sid: S-1-5-32-544) has the privilege to take ownership of files or folders (SeTakeOwnershipPrivilege).

How can I get an overview of all users/groups that have this privilege?

What I already found and tried is the following command:

The output in the file looks pretty useful:

[Unicode] Unicode=yes [Privilege Rights] SeNetworkLogonRight = *S-1-5-32-544 ... SeTakeOwnershipPrivilege = *S-1-5-32-544 ... [Version] signature="$CHICAGO$" Revision=1

With this method above I would have to read the file into my Powershell script, search for the privilege and delete the file afterwards.

Is there any other method to do this in Powershell without external modules or executables?

Thanks for your supply.

  • user-accounts

dwettstein's user avatar

5 Answers 5

There is another way using the LsaEnumerateAccountsWithUserRight Win32 API function. This has to be coded in C# ( PInvoke ) in your script and the code definition would be very long and messy.

I would avoid the above and wrap the executable instead. Why reinvent the wheel?

MFT's user avatar

  • Thanks for your reply. I assume, I will have to go this way, since I cannot use other modules or executables. Nice hint with wrapping the executable. –  dwettstein Sep 9, 2014 at 9:14

Not a pure PS solution, but an option none the less. :)

You could use Microsoft's AccessChk utility ( download it here ) instead of SecEdit.

Unlike SecEdit, AccessChk outputs to the stdout, so you can easily capture its output into a PS variable, and then check that variable (with no need for an intermediate file).

Something like:

Ƭᴇcʜιᴇ007's user avatar

  • Thanks for your hint. I also found this utility. Is it preinstalled on Windows Server 2008 and 2012 machines? Unfortunately, I cannot install external modules or executables. –  dwettstein Sep 9, 2014 at 9:19

Shameless promotion: check out the Carbon module (I'm the creater/maintainer). It has a Get-Privilege function that will return all a principal's privileges.

splattered bits's user avatar

  • Thanks for your reply. Nice module! Unfortunately, I can only use the "standard" modules. :( –  dwettstein Sep 9, 2014 at 9:08

Maybe this command will be helpful

sanyam jain's user avatar

Here's the solution:

Francis's user avatar

  • 1 Can you please add some explanations? –  Romeo Ninov Apr 19, 2016 at 6:44
  • It is questioning an instance of Wmi and extracting the requested parameter from the resultant set of policies. Pretty simple and straight forward. You could also specify a remote computer with -computername –  Francis Apr 20, 2016 at 19:59

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows powershell user-accounts privileges ..

  • The Overflow Blog
  • Reshaping the future of API platforms
  • Between hyper-focus and burnout: Developing with ADHD
  • Featured on Meta
  • Our Partnership with OpenAI
  • Imgur image URL migration: Coming soon to a Stack Exchange site near you!

Hot Network Questions

  • Compute R Squared by Fixing Betas for Multi Linear Regression without Intercept results in a large R Square
  • Does making a ground plane and a power plane on a PCB make the board behave like a large capacitor?
  • Is it a bad idea to design a purposefully inconsistent magic system?
  • When is it worthwhile to report academic misconduct of a referee?
  • The Wu line drawing algorithm for anti-aliased lines optimization
  • Isn't the fundamental group a hom functor?
  • Text Based Game about Synthesizing Fuel from Scratch?
  • What's the story behind the "mysterious" 486DX3?
  • Troubleshooting why my hammock fell
  • Is the estimand in a Regression Discontinuity Design the ATE, ATT, etc?
  • Find the length of a line segment in a triangle
  • How does Russia exactly define Russian territory in its state policy?
  • On Pareto functions
  • Miniature with man falling into a chasm and a camel—what is the myth being depicted here?
  • Story about robots and unemployment
  • Create an empty 8x8 One Up puzzle with a unique solution
  • Immigration and customs requirements on entering JFK (self-transfer)
  • Is science value-free?
  • Why doesn't `FindInstance` work in finding Heronian triangle?
  • Is the meter relative to time?
  • Quickest return from stable Earth orbit to ground?
  • Dismissive and uncommunicative coworker when there are clear signs of tension
  • When in Rome... – a deconstruction sudoku
  • Could not locate statistics in the system catalogs error in SQL Server

windows user rights assignment powershell

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

User rights assignment in Group Policy Object using powershell?

Not able to grant user rights assignment in group policy object using PowerShell Is there any way or command to add user rights in group policy?

Manual steps:

  • Open Group Policy Management
  • Navigate to the following path in the Group Policy Object
  • Select Policy
  • Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  • Add/remove the necessary users.

Image of rights which needs to be assigned

Active Directory A set of directory-based technologies included in Windows Server. 5,932 questions Sign in to follow

Windows Server PowerShell Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications. PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language. 5,389 questions Sign in to follow

I realise this post is quite old, but there is a post that talks about a way you could do this by building up a GPO, the same way the export/import GPO works in Powershell: https://jigsolving.com/gpo-deep-dive-part-1/ Within that article, there's a bare bones example of this on Github: https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1

It definitely works, and this is just one way it can be done. The article focuses on basically building up the raw bones of a GPO that resembles what an exported GPO looks like, and then imports it.

Give this a try.

https://learn-powershell.net/2015/06/03/managing-privileges-using-poshprivilege

Thanks @MotoX80 for sharing this module Tried this module but it didn't work as per my expectations I am looking to add user rights in group policy in group policy management of domain controller but this module gives user rights in local policy. If you have another module or command please share I also tried Set-GPPermission but it is giving user permission to edit settings, delete, modify security.

Set-GPPermission result.png

I no longer have access to an AD environment, so I am not able to test. Perhaps another forum user can provide assistance.

Have you seen this page?

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759177(v=ws.11)?redirectedfrom=MSDN

https://www.ntweekly.com/2020/08/07/configure-a-group-policy-with-powershell/

Yes, already seen these pages And as per https://www.microsoft.com/en-au/download/details.aspx?id=25250 this link/sheet user rights assignment don't have registry keys.

Random thoughts from a retired sysadmin....

Well it has to be stored somewhere on the DC.

https://techgenix.com/group-policy-settings-part1/

Make a change to one policy and then search the sysvol folder and see if you can find the file that contains your update. If that's a text based file (not in binary format) then you might be able to update the policy just like you would update the content of any other text file.

I assume that you have already done the "Import-Module GroupPolicy" and searched for "GP" related commands as that page described. If you haven't, then you should start there.

Hi @ArpitShivhare-6858

I've had to do something similar in the past with automatic GPO generation, and the below was the only way I could find to do so. It basically creates the GPO manually, but it should work for your purposes

To add additional fields or users to the Local User Rights Assignments, I would recommend creating the GPO manually, then taking a look at the GptTmpl.inf file to see what format, values and syntax of the fields required. From my testing it uses SIDs, not the SamAccountName value, so you will have to pull the SID for each user that you need to add

  Windows OS Hub / PowerShell / PowerShell Remoting via WinRM for Non-Admin Users

PowerShell Remoting via WinRM for Non-Admin Users

Remote access to winrm and remote management users group, security descriptor of powershell session, remote hyper-v management also needs winrm privileges.

When trying to create a PowerShell session with a remote computer as a non-privileged user account (Enter-PSSession lon-srv1) an access error occurs:

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied.

Enter-PSSession : Connecting to remote server lon-srv1 failed with the following error message : Access is denied

Check the standard permissions of the PoSh session:

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

As you can see, the access is allowed for the following built-in groups:

  • BUILTIN\Administrators — AccessAllowed,
  • BUILTIN\Remote Management Users — AccessAllowed

So, to let a user connect to a remote machine through WinRM, it’s enough to be a member of the built-in local group of administrators or Remote Management Users security group (this group is created by default starting from PowerShell 4.0). This group also has access to WMI resources via management protocols (e.g., WS-Management)

A user can be added to the group using Computer Management snap-in:

Remote Management Users built-in Group

net localgroup "Remote Management Users" /add jsmith

If  you need to provide such permissions on multiple computers, you can use Group Policy. To do this, assign the GPO to the computers you need, and add the new Remote Management Users group to the Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups policy. Add to the policy users or groups that need to be granted access to WinRM.

restricted groups gpo

After a user becomes a member of the Remote Management Users group, he can create a remote PowerShell session using Enter-PSSession or run commands using the Invoke-Command cmdlet . User privileges in this session will be limited to user rights on this machine.

Make sure if the remote connection is established.

enter-pssession

The following command displays the list of current permissions:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

In this dialog window, add a user or group and grant them Execute (Invoke) permissions.

Set-PSSessionConfiguration-Name Microsoft.PowerShell-showSecurityDescriptorUI

After you save the changes, the system will prompt for confirmation and restart of WinRM service.

If you have to automatically modify the security descriptor (without GUI), you will need to make changes manually first and then to get the current access descriptor in SDDL format.

O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

Get-PSSessionConfiguration

Then you can use this SDDL string to grant access to PowerShell on any other server or workstation.

$SDDL = “O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-2323243421-3342677354-2633435451-55422122)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)” Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $SDDL

In Windows 10 /Windows Server 2016 to connect to a Hyper-V server remotely using Hyper-V Manager, PowerShell Remoting began to be used. Thus, by default remote users without administrator privileges won’t be able to manage the Hyper-V server, even if they have the corresponding permissions in Hyper-V.

When trying to connect to the Hyper-V server as a common user from a computer running Windows 10, the following error appears:

Hyper-V An error occurred while attempting to connect to server “server1”, Check that the Virtual Machine Management service is running and that you are authorized to connect to the server

To allow a remote connection to the console, it’s enough to add a Hyper-V user to the local group Remote Management Users in the same way.

Unable to Connect Windows 10 Shared Printer to Windows XP

Using wmi filter to apply group policy to ip subnet, related reading, read, modify, and parse json file (object) with..., how to read outlook emails with powershell, prevent server manager from starting at logon on..., how to enable and configure wake-on-lan (wol) in..., how to create, delete, and manage system restore....

' src=

The advice to copy the new SDDL and simply apply it to other computers is a bad idea. What you want to do is capture the part of the SDDL that corresponds to the new user/group and then APPEND it to the existing SDDL on other computers

Leave a Comment Cancel Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Current ye@r *

Leave this field empty

MorganTechSpace

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:.

In this article, I am going to explain about how to set or configure Allow Log on Locally User rights/permission/privilege using Local Security Policy , Powershell , C# and Command Line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

  • Grant Allow log on locally user rights via Powershell
  • Set Allow log on locally user rights via Command Line
  • Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing ‘ Windows’ + ‘ R’   keys. 2. Type the command secpol.msc in the text box and click OK.

Set Allow Log On Locally User Rights via Powershell, C# and CMD

3. Now the Local Security Policy window will be open, in that window navigate to the node User Rights Assignment ( Security Settings -> Local Polices ->User Rights Assignment ). In right side pane, search and select the policy Allow log on locally .

Set Allow Log On Locally User Rights via Powershell, C# and CMD

4. Double-click on the policy Allow log on locally , in the opened window click the button Add User or Group, select the user account you want to set Allow log on locally rights and click OK, and click Apply button to finish.

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Set or Grant Allow log on locally user rights via Powershell

 We can set the  Allow log on locally user rights using Powershell by importing the third party DLL ( Carbon  ). Before you run the below script you need to the download latest Carbon files from here Download Carbon DLL .

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download latest Carbon files from here Download Carbon DLL .   2. If you have downloaded the files, extract the zip file and you could see the Carbon DLL inside bin folder (In my case: C:UsersAdministratorDownloadsCarbonbinCarbon.dll ).   3. Copy the below Powershell script commands and place it notepad or textfile.   4. Now you can replace your Carbon DLL path in following script for the variable $CarbonDllPath   5. You can also replace the user identity that you are going to set log on locally user rights in the variable $Identity   6. Now run as Powershell window with Admin Privilege ( Run as Administrator )   7. Copy the edited Powershell script and Run it in Powershell to configure Allow log on locally user rights.

Powershell output :

Configure Allow Log On Locally User Rights via Powershell, C# and CMD

Other web site links for Carbon DLL:   https://bitbucket.org/splatteredbits/carbon/downloads   http://pshdo.com/   http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allo Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file

Share this:

Related posts.

  • Change local system user account password using Powershell
  • Remove user from local Administrator group using PowerShell
  • Unlock AD User Account using Powershell script
  • Check if AD user exists with PowerShell
  • Set Office 365 user password via Powershell

IMAGES

  1. Set and Check User Rights Assignment via Powershell

    windows user rights assignment powershell

  2. Set and Check User Rights Assignment via Powershell

    windows user rights assignment powershell

  3. Managing User Rights in Powershell

    windows user rights assignment powershell

  4. Show file rights with PowerShell

    windows user rights assignment powershell

  5. PowerShell User List

    windows user rights assignment powershell

  6. User rights assignment in Group Policy Object using powershell

    windows user rights assignment powershell

VIDEO

  1. CIS27 Lab 11: Computer Forensic and User Rights Assignment

  2. Enable inherited rights for a website in Windows IIS

  3. Windows 11 install WITHOUT 3rd party bloatware and online account bypass

  4. How to Assign Locally Login Permission on Domain User in Windows Server 2019,Video No. 11

  5. How to create Add user and OU in Active Directory with PowerShell Command on Windows Server 2012

  6. Understanding Group Policy: User Rights Assignment Policies

COMMENTS

  1. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

  2. windows

    This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Then click on the required user Right and add the user or group to it. Is it possible to do the same through powershell scripts?

  3. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  4. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  5. How to Set Logon User Rights with the Ntrights.exe in windows 10 (64

    What is an equivalent for ntrights.exe on Windows 10? Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts. Read the blakedrumm page for detailed instructions, ...

  6. How to Manage Local Users and Groups using PowerShell

    To view the local groups on a computer, run the command. Get-LocalGroup. To view the members of a specific group, use the Get-LocalGroupMember cmdlet. For example, to figure out who is a member of the local Administrators group, run the command Get-LocalGroupMember Administrators. You can create a new local user using the New-LocalUser cmdlet.

  7. How to list windows privileges for any user

    9. You can use AccessChk in accomplish this task. Accesschk "domain\user" -a * will list all the permissions of a given domain user. You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about. Share.

  8. Managing User Rights in Powershell

    1. 0. Managing User Rights Assignments in Powershell. Windows User Rights, also known as Windows Privileges, are traditionally managed via GPO or in the simplest of cases via the server's Local Security Policy. These assignments control special permissions that are often needed by IIS applications or other application hosting on Windows Servers.

  9. Managing Privileges using PoshPrivilege

    As with Adding a privilege, we can remove privileges as well using Remove-Privilege. Remove-Privilege -Privilege SeDebugPrivilege -AccountName boe-pc\proxb. As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account. Again, you can install this module using Install-Module if running ...

  10. Understanding Group Policies: User Rights Assignment Policies

    Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

  11. powershell

    To view a specific account (user or group) privileges/rights, you would use: PrivMan -a username --list. The output will be the list of privileges/rights (e.g., SeServiceLogonRight, etc.) directly assigned to that account. edited Feb 6 at 19:03. answered Jan 22 at 21:15. Bill_Stewart. 23.8k 5 51 65.

  12. Powershell GPO Deep Dive

    Create a GPO for User Rights Assignment in Powershell. ... except that the "Machine" folder tree now has a subfolder \Machine\Microsoft\Windows NT\SecEdit containing a single file called GptTmpl.inf. The GptTmpl.inf file contains information relating to our User Rights Assignment. The encoding for this file is "UTF-16 LE" ("Unicode"):

  13. powershell

    With this method above I would have to read the file into my Powershell script, search for the privilege and delete the file afterwards. Is there any other method to do this in Powershell without external modules or executables? Thanks for your supply. Cheers. David

  14. User rights assignment in Windows Server 2016

    Local Policies/User Rights Assignment. User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be ...

  15. New-LocalUser (Microsoft.PowerShell.LocalAccounts)

    This cmdlet returns a LocalUser object representing the created user account. Notes. Windows PowerShell includes the following aliases for New-LocalUser: nlu; A user name can't be identical to any other user name or group name on the computer. A user name can't consist only of periods . or spaces. A user name can contain up to 20 uppercase ...

  16. Enabling a Local User Right assignment in PowerShell

    I've asked a similar question like this before to get the Local User right in PowerShell of a certain domain user, now I would like to enable the right. There are a few rights I am looking to enable, but for this example I will use Logon as a Batch Job. Ntrights does not come with Windows Server 2008 by default, so I cannot use that method.

  17. User rights assignment in Group Policy Object using powershell?

    Manual steps: Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Windows. A family of Microsoft operating systems that run across personal ...

  18. PowerShell Remoting via WinRM for Non-Admin Users

    This method will allow to quickly grant temporary (till the next restart) remote connection rights to a user via PowerShell. The following command displays the list of current permissions: Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI. In this dialog window, add a user or group and grant them Execute (Invoke ...

  19. Set Allow Log On Locally User Rights via Powershell, C# and CMD

    Configure Allow log on locally user rights via Local Security Policy GUI. Follow the below steps to set Allow log on locally user rights via Local Security Policy. 1. Open the Run window by pressing ' Windows' + ' R' keys. 2. Type the command secpol.msc in the text box and click OK. 3. Now the Local Security Policy window will be open ...

  20. Using powershell, how do I grant "Log on as service" to an account?

    <# .Synopsis Add and Remove User Right(s) for defined user(s) and computer(s). .DESCRIPTION Add and Remove User Rights via Powershell. .PARAMETER AddRight You want to Add a user right. .Parameter ComputerName Defines the name of the computer where the user right should be granted.

  21. User rights assignment in Group Policy Object using powershell?

    Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Click on image for details. Tried Set-GPPermission but didn't work it adds user in delegation ...