Skip to content

Provides a way to configure user rights assignments in local security policies using PowerShell without using secedit.exe.

License

Notifications You must be signed in to change notification settings

EvotecIT/SecurityPolicy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SecurityPolicy - PowerShell Module

Description

Provides a way to configure user rights assignments in local security policies using PowerShell without using secedit.exe. This module is alternative to SecurityPolicyDSC which uses a wrapper around secedit.exe. This module is based on LocalSecurityEditor .NET Library.

Supported User Rights Assignment

ConstantName Group Policy Setting
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeNetworkLogonRight Access this computer from the network
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeInteractiveLogonRight Allow log on locally
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeTimeZonePrivilege Change the time zone
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreateGlobalPrivilege Create global objects
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeDebugPrivilege Debug programs
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeDenyInteractiveLogonRight Deny log on locally
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege Increase a process working set
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeSecurityPrivilege Manage auditing and security log
SeRelabelPrivilege Modify an object label
SeSystemEnvironmentPrivilege Modify firmware environment values
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects

Installing

Install-Module -Name SecurityPolicy -AllowClobber -Force

Force and AllowClobber aren't necessary but they do skip errors in case some appear.

Updating

Update-Module -Name SecurityPolicy

That's it. Whenever there's a new version you simply run the command and you can enjoy it. Remember, that you may need to close, reopen the PowerShell session if you have already used the module before updating it.

The important thing is if something works for you on production, keep using it till you test the new version on a test computer. I do changes that may not be big, but big enough that auto-update will break your code. For example, small rename to a parameter and your code stops working! Be responsible!

Using SecurityPolicy

Getting and setting Security Policies

$SecurityPolicies = Get-SecurityPolicy -Verbose -All
# $SecurityPolicies | Format-Table

$SecurityPolicies.'Unicode' | Format-Table
$SecurityPolicies.'System Access' | Format-Table
# $SecurityPolicies.'Event Audit' | Format-Table
# $SecurityPolicies.'Registry Values' | Format-Table
# $SecurityPolicies.'Privilege Rights' | Format-Table
# $SecurityPolicies.'Version' | Format-Table


Set-SecurityPolicy -SystemAccess MinimumPasswordAge -Value 1

Getting and setting User Rights Assignment

Adding and removing UserRightsAssignment can be done using Add-UserRightsAssignment and Remove-UserRightsAssignment.

$Output = Get-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege #-Computer AD1
$Output | Format-Table

Remove-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege -Identity "S-1-5-21-853615985-2870445339-3163598659-4098"

$Output = Get-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege #-Computer AD1
$Output | Format-Table

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

Add-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

Remove-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

Or you can use Set-UserRightsAssignment which will add and remove identities for you in one command.

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

$Identity = @(
    'BUILTIN\Backup Operators'
    'BUILTIN\Administrators'
    'Guest'
    #'BUILTIN\Users'
    #'przemyslaw.klys'
)

Set-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity $Identity -WhatIf #-Computer AD1

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

About

Provides a way to configure user rights assignments in local security policies using PowerShell without using secedit.exe.

Topics

Resources

License

Stars

Watchers

Forks