
Summary

A question raised quite often in many discussion lists, as well as by a number of attendees in my PowerShell classes, is: how can we manage user rights with PowerShell? There are some code snippets available – mainly demos on how to invoke the Win32 functions of the advapi.dll – but they don’t work out of the box, and they do not cover the whole story. Additionally there is the good old ntrights.exe. It helps with granting or revoking a user right, but it does not offer a way to get a list of all rights and the associated accounts. The UserRights PowerShell module covers all this.


Use Cases

The UserRights PowerShell module covers the following use cases:

  • Get a list of users assigned a specific user right
  • Get a list of user rights assigned to a specific user
  • Get a list of all user rights with accounts
  • Grant a user or group a user right
  • Revoke a user right from a user or group

It is important to be able to do all this remotely on another computer.

The next section describes how the module can be used to cover the mentioned tasks.

Technical description

The UserRights PowerShell module provides three cmdlets:

  • Get-UserRight
  • Grant-UserRight
  • Revoke-UserRight

There is no .NET implementation for handling user rights, so the following Win32 functions defined in the advapi.dll are used:

  • LsaEnumerateAccountsWithUserRight
  • LsaEnumerateAccountRights
  • LsaAddAccountRights
  • LsaRemoveAccountRights

Please use the Get-Help cmdlet to retrieve details about each cmdlet and its parameters.

Get a list of users assigned a specific user right

To read a privilege (or user right), just call the cmdlet Get-UserRight by only specifying the privilege. TabExpansion helps you find the privilege you are searching for.

To access the list of accounts, type:

In this case, the first account in the list no longer exists in Active Directory and hence cannot be resolved; it is shown as an unresolved SID.

Get a list of user rights assigned to a specific user

If you want to get all user rights of 'NT AUTHORITY\Everyone', type:

Get a list of all user rights with accounts

In this case, simply call the cmdlet Get-UserRight without specifying any parameters:
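The following script is an added example, not code from the original page or from the UserRights module itself. It uses Get-UserRight the way the three preceding sections describe (by privilege, remotely) to audit a handful of sensitive user rights against an approved baseline and to report every deviation, including rights still held by unresolvable SIDs of deleted accounts. The parameter names -Privilege and -ComputerName and the Account property of the returned objects are assumptions; confirm them with Get-Help Get-UserRight before running.

```powershell
# Added example, not part of the original page or of the UserRights module.
# Assumptions (verify with Get-Help Get-UserRight):
#   - Get-UserRight accepts -Privilege and -ComputerName
#   - each returned object exposes an 'Account' property ('BUILTIN\Administrators', or an
#     'S-1-5-...' string when the SID can no longer be resolved)
Import-Module UserRights

# Constructed baseline: rights that give the holder a path to SYSTEM, to other users'
# data, or to kernel mode, with the accounts that are allowed to hold them.
$Baseline = @{
    SeDebugPrivilege              = @('BUILTIN\Administrators')
    SeTcbPrivilege                = @()
    SeTakeOwnershipPrivilege      = @('BUILTIN\Administrators')
    SeBackupPrivilege             = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeRestorePrivilege            = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeLoadDriverPrivilege         = @('BUILTIN\Administrators')
    SeAssignPrimaryTokenPrivilege = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Test-UserRightBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        foreach ($privilege in $Expected.Keys) {
            # Stringify the Account value so comparisons work whether the module returns
            # plain strings or IdentityReference-style objects.
            $actual = @(Get-UserRight -Privilege $privilege -ComputerName $computer |
                        ForEach-Object { [string]$_.Account })

            # Unresolved SIDs are never in the baseline, so a dangling SID that still
            # holds the right is reported as 'Unexpected' and should be cleaned up.
            $unexpected = $actual | Where-Object { $_ -notin $Expected[$privilege] }
            $missing    = $Expected[$privilege] | Where-Object { $_ -notin $actual }

            foreach ($acct in $unexpected) {
                [pscustomobject]@{ ComputerName = $computer; Privilege = $privilege
                                   Account = $acct; Finding = 'Unexpected' }
            }
            foreach ($acct in $missing) {
                [pscustomobject]@{ ComputerName = $computer; Privilege = $privilege
                                   Account = $acct; Finding = 'Missing' }
            }
        }
    }
}

# Hypothetical computer names; an empty result means every audited right matches the baseline.
Test-UserRightBaseline -Expected $Baseline -ComputerName 'SERVER01', 'SERVER02' |
    Sort-Object ComputerName, Privilege |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns the module's read-only cmdlet into a cheap drift detector for privilege assignments; the baseline above is only a starting point and should be replaced with the rights your own environment treats as sensitive.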

Grant a user or group a user right

This works much like ntrights.exe.

If you additionally want to see the result of the operation, use the PassThru switch:

If the user has already been granted the right you are trying to grant, the account will be skipped and a warning is written to the console.

Revoking a right from a user or group

This works almost the same way as granting rights:

If you also want to see the result of the operation, use the PassThru switch:

If you are trying to revoke a right from a user not having the right, the account will be skipped and a warning is written to the console.
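As an added example that is not part of the original page or the UserRights module, the function below combines Grant-UserRight and Revoke-UserRight into one idempotent operation: given the complete list of accounts that should hold a right, it grants the ones that are missing and revokes every other holder, returning each change via -PassThru. Because it reads the current state first, it never asks the module to grant an already-held right or revoke an absent one, so the warnings described above do not occur. The parameter names -Account, -Privilege, -ComputerName and -PassThru, and the Account property on Get-UserRight output, are assumptions to verify with Get-Help.

```powershell
# Added example, not part of the original page or of the UserRights module.
# Assumptions (verify with Get-Help): Grant-UserRight and Revoke-UserRight accept
# -Account, -Privilege, -ComputerName and -PassThru; Get-UserRight output has an
# 'Account' property.
Import-Module UserRights

function Set-UserRightMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Privilege,
        # The complete desired membership; anyone else holding the right is revoked.
        [Parameter(Mandatory)][string[]]$Account,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $current = @(Get-UserRight -Privilege $Privilege -ComputerName $ComputerName |
                 ForEach-Object { [string]$_.Account })

    # Grant only what is missing, so Grant-UserRight never sees an already-granted account.
    foreach ($acct in ($Account | Where-Object { $_ -notin $current })) {
        if ($PSCmdlet.ShouldProcess("$ComputerName : $acct", "Grant $Privilege")) {
            Grant-UserRight -Account $acct -Privilege $Privilege -ComputerName $ComputerName -PassThru
        }
    }

    # Revoke only current holders outside the desired list; unresolved SIDs of deleted
    # accounts fall into this branch and are removed as well.
    foreach ($acct in ($current | Where-Object { $_ -notin $Account })) {
        if ($PSCmdlet.ShouldProcess("$ComputerName : $acct", "Revoke $Privilege")) {
            Revoke-UserRight -Account $acct -Privilege $Privilege -ComputerName $ComputerName -PassThru
        }
    }
}

# Hypothetical service accounts and computer name. Dry run first: -WhatIf lists every
# grant and revoke that would happen without touching the LSA policy.
$desired = 'CONTOSO\svc-web', 'CONTOSO\svc-backup'
Set-UserRightMembership -Privilege SeServiceLogonRight -Account $desired -ComputerName 'SERVER01' -WhatIf

# Apply and keep the -PassThru objects as a change record.
Set-UserRightMembership -Privilege SeServiceLogonRight -Account $desired -ComputerName 'SERVER01' |
    Tee-Object -FilePath .\userrights-changes.log
```

Review the -WhatIf output before applying: revoking a logon right such as SeServiceLogonRight from an account that a service still runs under stops that service from starting, so the desired list has to be complete for the target computer, not just for the accounts you are adding.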


Solution Design

The Visual Studio solution comprises three parts:

  • The project Lsa contains the Win32 definitions and the LsaLib class which makes all the functions easy to use in .net
  • The UserRights project provides the UserRights class which is the basis for the PowerShell cmdlets
  • Security2 is taken from another project, NTFSSecurity. The IdentityReference2 class was quite useful for this project for SID / Name translation.

You can easily make use of LsaLib if you need the functionality in some other project.

Last edited Sep 1, 2014 at 12:19 AM by raandree, version 16