LocPolicyAddUserRight.ps1 (5,75 kb)
#### SCRIPT: ADD NEW ACCOUNT IN USER RIGHT ASSIGNMENT OF LOCAL SECURITY POLICY
# SCRIPTNAME : LocPolicyAddUserRight.ps1
# PARAMETERS:
# User: Account to grant
# PrivilegeName : See $AccesList to select right name
# ConfFilesPath : Path to export/import Conf File
# EXAMPLE: LocPolicyAddUserRight.ps1 -User MyDomain\MyAccount -PrivilegeName SeTimeZonePrivilege -ConfFilesPath C:\
Param
(
$User,
$PrivilegeName,
$ConfFilesPath
)
#USER RIGHT ASSIGNMENT LIST
[array]$AccessList = $(
"Access Credential Manager as a trusted caller = SeTrustedCredManAccessPrivilege"
"Access this computer from the network = SeNetworkLogonRight"
"Act as part of the operating system;SeTcbPrivilege"
"Add workstations to domain = SeMachineAccountPrivilege"
"Adjust memory quotas for a process = SeIncreaseQuotaPrivilege"
"Allow log on locally = SeInteractiveLogonRight"
"Allow log on through Remote Desktop Services = SeRemoteInteractiveLogonRight"
"Back up files and directories = SeBackupPrivilege"
"Bypass traverse checking = SeChangeNotifyPrivilege"
"Change the system time = SeSystemtimePrivilege"
"Change the time zone = SeTimeZonePrivilege"
"Create a pagefile = SeCreatePagefilePrivilege"
"Create a token object = SeCreateTokenPrivilege"
"Create global objects = SeCreateGlobalPrivilege"
"Create permanent shared objects = SeCreatePermanentPrivilege"
"Create symbolic links = SeCreateSymbolicLinkPrivilege"
"Debug programs = SeDebugPrivilege"
"Deny access to this computer from the network = SeDenyNetworkLogonRight"
"Deny log on as a batch job = SeDenyBatchLogonRight"
"Deny log on as a service = SeDenyServiceLogonRight"
"Deny log on locally = SeDenyInteractiveLogonRight"
"Deny log on through Remote Desktop Services = SeDenyRemoteInteractiveLogonRight"
"Enable computer and user accounts to be trusted for delegation = SeEnableDelegationPrivilege"
"Force shutdown from a remote system = SeRemoteShutdownPrivilege"
"Generate security audits = SeAuditPrivilege"
"Impersonate a client after authentication = SeImpersonatePrivilege"
"Increase a process working set = SeIncreaseWorkingSetPrivilege"
"Increase scheduling priority = SeIncreaseBasePriorityPrivilege"
"Load and unload device drivers = SeLoadDriverPrivilege"
"Lock pages in memory = SeLockMemoryPrivilege"
"Log on as a batch job = SeBatchLogonRight"
"Log on as a service = SeServiceLogonRight"
"Manage auditing and security log = SeSecurityPrivilege"
"Modify an object label = SeRelabelPrivilege"
"Modify firmware environment values = SeSystemEnvironmentPrivilege"
"Perform volume maintenance tasks = SeManageVolumePrivilege"
"Profile single process = SeProfileSingleProcessPrivilege"
"Profile system performance = SeSystemProfilePrivilege"
"Remove computer from docking station = SeUndockPrivilege"
"Replace a process level token = SeAssignPrimaryTokenPrivilege"
"Restore files and directories = SeRestorePrivilege"
"Shut down the system = SeShutdownPrivilege"
"Synchronize directory service data = SeSyncAgentPrivilege"
"Take ownership of files or other objects = SeTakeOwnershipPrivilege"
)
Function GetUserSID($UserName)
{
(New-Object System.Security.Principal.NTAccount($UserName)).Translate([System.Security.Principal.SecurityIdentifier]).value
}
Function Parse-SecPol($CfgFile){
secedit /export /cfg "$CfgFile" | out-null
$obj = New-Object psobject
$index = 0
$contents = Get-Content $CfgFile -raw
[regex]::Matches($contents,"(?<=\[)(.*)(?=\])") | %{
$title = $_
[regex]::Matches($contents,"(?<=\]).*?((?=\[)|(\Z))", [System.Text.RegularExpressions.RegexOptions]::Singleline)[$index] | %{
$section = new-object psobject
$_.value -split "\r\n" | ?{$_.length -gt 0} | %{
$value = [regex]::Match($_,"(?<=\=).*").value
$name = [regex]::Match($_,".*(?=\=)").value
$section | add-member -MemberType NoteProperty -Name $name.tostring().trim() -Value $value.tostring().trim() -ErrorAction SilentlyContinue | out-null
}
$obj | Add-Member -MemberType NoteProperty -Name $title -Value $section
}
$index += 1
}
return $obj
}
Function Set-SecPol($Object, $CfgFile){
$OldSecPool.psobject.Properties.GetEnumerator() | %{
"[$($_.Name)]"
$_.Value | %{
$_.psobject.Properties.GetEnumerator() | %{
"$($_.Name)=$($_.Value)"
}
}
} | out-file $CfgFile -ErrorAction Stop
secedit /configure /db c:\windows\security\local.sdb /cfg "$CfgFile" #| out-null
}
# Export Original Conf
$OldSecPool = Parse-SecPol -CfgFile "$ConfFilesPath`Old.inf"
# Get user SID
try
{
$newsid = GetUserSID -UserName $User
}
catch
{
$Message = "'$User' user SID has not been found"
Write-Host -F Red $Message.ToUpper()
exit 1
}
#
if ($OldSecPool.'Privilege Rights'.$PrivilegeName -eq $null)
{
$Message = "'$PrivilegeName' privilege has not been found. Check Name. `n "
Write-Host -F Red $Message.ToUpper()
Write-Host "--- ACCESS RIGHTS NAMES ---:`n"
$AccessList
exit 1
}
Else
{
# get original value
$OldValue = $OldSecPool.'Privilege Rights'.$PrivilegeName
# Add new SID to the string with required additional characters
$NewValue = $OldValue+",*$newsid"
# Set New Value
$OldSecPool.'Privilege Rights'.$PrivilegeName = $NewValue
}
$result = Set-SecPol -Object $OldValue -CfgFile "$ConfFilesPath`New.inf"
if ($result[-2] -like "*successfully*")
{
$Message = "OK - '$User' has been granted '$PrivilegeName' `n $($result[-2]) `n $($result[-1])"
write-host -F Green $Message.ToUpper()
exit 0
}
Else
{
$Message = "Error during grant of rights"
write-host -F Red $Message.ToUpper()
$result
exit 1
}