Get “User Rights Assignment” security policy settings

Recently I had to check whether the adfssvr account is present in the “Generate security audits” policy setting. As I work in a large-scale environment, mostly on Server Core installations, it was obvious that this needed to be done by script.

User Rights Assignment

Below you can find the list of user rights. In this example we will focus on SeAuditPrivilege – Generate security audits.

[Image: User Rights table]

More information about user rights: link.

To check the security settings manually, open Local Security Policy on the affected server, expand Local Policies and then click “User Rights Assignment”:

[Image: Local Security Policy]

For the purpose of this script we use a Switch that maps a few policy display names to the privilege constants secedit uses – you can add all of them here if needed:

Switch ( $PolicyName )
{
    "Generate security audits"     { $Val = "SeAuditPrivilege" }
    "Log on as a service"          { $Val = "SeServiceLogonRight" }
    "Create a token object"        { $Val = "SeCreateTokenPrivilege" }
    "Create a pagefile"            { $Val = "SeCreatePagefilePrivilege" }
}

The script is based on the secedit command, which allows you to configure and analyze system security by comparing the current configuration against one or more templates; for more info please visit the TechNet site. The following export writes only the User Rights area to an INF-style text file:

secedit /export /areas USER_RIGHTS /cfg C:\users\$env:username\desktop\UserRights.txt

I found a simple function for translating SIDs to account names. To run it on the remote server I used Invoke-Command:

# Function to translate a SID (prefixed with "*" in the secedit export) to an account name
function Get-AccountName {
    param(
        [String] $principal
    )
    If ( $principal[0] -eq "*" )
    {
        $SIDName = $principal.Substring(1)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SIDName)
        # Return the string form, e.g. "NT AUTHORITY\LOCAL SERVICE"; an unresolvable SID returns nothing
        ($sid.Translate([Security.Principal.NTAccount])).Value
    }
    Else
    {
        # Already an account name, return it unchanged
        Return $principal
    }
}

# Run the local function remotely, so the SID is resolved in the remote server's security context
$TName = Invoke-Command -ComputerName $Server -ScriptBlock ${Function:Get-AccountName} -ArgumentList $Principal -Credential $Cred
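
The two steps above (reading the secedit export and translating the "*SID" entries) can be put together in a self-contained way. The following is an added example written for this post, not code from the original script: it parses the [Privilege Rights] section of an export, resolves each SID locally with a try/catch so that an orphaned SID is reported instead of silently dropped, and compares the members of one privilege against an expected baseline. The function names (Resolve-Principal, ConvertFrom-UserRightsExport, Test-PrivilegeMembers), the sample export, the CONTOSO domain, the S-1-5-21-... SID and the baseline list are all constructed for the illustration; the made-up domain SID will not resolve, which is exactly the edge case the example demonstrates.

```powershell
# Added example: parse a secedit USER_RIGHTS export, resolve SIDs, and compare one
# privilege against an expected baseline. Function names and sample data are
# constructed for this illustration and are not from the original post.

# Constructed sample of what "secedit /export /areas USER_RIGHTS" writes. The
# CONTOSO domain and the S-1-5-21-... SID are made up and will not resolve.
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-80-0,CONTOSO\svc_web
SeCreateTokenPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Resolve-Principal {
    # secedit prefixes SIDs with "*"; anything else is already an account name.
    param([Parameter(Mandatory)][string] $Raw)
    if (-not $Raw.StartsWith('*')) { return $Raw }
    $sidString = $Raw.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Orphaned or foreign SIDs throw IdentityNotMappedException. Keep the SID
        # visible instead of dropping the entry: a privilege still granted to a
        # deleted account is itself a finding.
        return "(unresolved SID $sidString)"
    }
}

function ConvertFrom-UserRightsExport {
    # Emits one object per (privilege, principal) pair from [Privilege Rights].
    param([Parameter(Mandatory)][string[]] $Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(?<priv>Se\w+)\s*=\s*(?<who>.*)$') {
            $privilege  = $Matches['priv']
            $principals = $Matches['who'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($p in $principals) {
                [pscustomobject]@{
                    Privilege = $privilege
                    RawValue  = $p
                    Principal = Resolve-Principal -Raw $p
                }
            }
        }
    }
}

function Test-PrivilegeMembers {
    # Diff the resolved members of one privilege against an expected list.
    param(
        [Parameter(Mandatory)] $Assignments,
        [Parameter(Mandatory)][string] $Privilege,
        [Parameter(Mandatory)][string[]] $Expected
    )
    $actual = @($Assignments | Where-Object { $_.Privilege -eq $Privilege } | ForEach-Object { $_.Principal })
    [pscustomobject]@{
        Privilege  = $Privilege
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    }
}

# In the post's workflow $Lines would be the content returned by the remote
# Get-Content; here the constructed export stands in for it.
$assignments = ConvertFrom-UserRightsExport -Lines ($SampleExport -split "`r?`n")
$assignments | Format-Table -AutoSize

# Assumed baseline for this privilege; adjust to what the environment expects.
$Baseline = 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'CONTOSO\adfssrv'
Test-PrivilegeMembers -Assignments $assignments -Privilege 'SeAuditPrivilege' -Expected $Baseline |
    Format-List
```

Run on a Windows host, the well-known SIDs (S-1-5-19, S-1-5-20, S-1-5-32-544, S-1-5-80-0) resolve offline, the constructed domain SID lands in the Unexpected list as "(unresolved SID ...)" and CONTOSO\adfssrv appears under Missing. Against a real export the same two lists are what you want to review: Unexpected shows principals that were granted the right outside the baseline (including SIDs whose accounts no longer exist), Missing shows service accounts that lost a right they depend on.
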
	

The final results should look like this:

[Image: User Rights]

Final script:

# Function to translate a SID (prefixed with "*" in the secedit export) to an account name
function Get-AccountName {
    param(
        [String] $principal
    )
    If ( $principal[0] -eq "*" )
    {
        $SIDName = $principal.Substring(1)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SIDName)
        # Return the string form, e.g. "NT AUTHORITY\LOCAL SERVICE"; an unresolvable SID returns nothing
        ($sid.Translate([Security.Principal.NTAccount])).Value
    }
    Else
    {
        # Already an account name, return it unchanged
        Return $principal
    }
}
# -----------------------------------------------------------------

# Parameters
$Servers = Get-Content -Path "D:\scripts\servers.txt"
$Cred = Get-Credential "domain\$env:username"
$PolicyName = "Generate security audits"
$Account = "adfssrv"
$Array = @()
$ErrorActionPreference = "SilentlyContinue"

# Map the policy display name to the privilege constant used in the secedit export
Switch ( $PolicyName )
{
    "Generate security audits"     { $Val = "SeAuditPrivilege" }
    "Log on as a service"          { $Val = "SeServiceLogonRight" }
    "Create a token object"        { $Val = "SeCreateTokenPrivilege" }
    "Create a pagefile"            { $Val = "SeCreatePagefilePrivilege" }
}

# Loop over servers
Foreach ( $Server in $Servers )
{
    $Check = $null
    $AuditPath = $null
    $Audit = $null
    $TempArray = @()
    $Server = $Server.Trim()

    Write-Host "Processing $Server : " -ForegroundColor Green -NoNewline

    # Export the User Rights area on the remote server; $env:username resolves there to the connecting user
    Invoke-Command -ComputerName $Server -ScriptBlock { secedit /export /areas USER_RIGHTS /cfg C:\users\$env:username\desktop\UserRights.txt | Where-Object { $_ -match "The task" } } -Credential $Cred

    $Check = Invoke-Command -ComputerName $Server -ScriptBlock { Test-Path "C:\users\$env:username\desktop\UserRights.txt" } -Credential $Cred

    If ( -not $Check )
    {
        Write-Warning "Something went wrong"
    }
    Else
    {
        $AuditPath = Invoke-Command -ComputerName $Server -ScriptBlock { Get-Content "C:\users\$env:username\desktop\UserRights.txt" } -Credential $Cred
        $AuditPath | Out-File -FilePath "C:\users\$env:username\desktop\data.txt"
        # Export lines look like: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
        $Audit = Select-String '^(Se\S+) = (\S+)' "C:\users\$env:username\desktop\data.txt" | Where-Object { $_ -match "$Val" }

        If ( $Audit )
        {
            $Audit | Foreach-Object {

                $Privilege = $_.Matches[0].Groups[1].Value
                $Principals = $_.Matches[0].Groups[2].Value -split ','

                foreach ( $Principal in $Principals )
                {
                    If ( $Principal[0] -eq "*" )
                    {
                        # Translate on the remote server so local and domain SIDs resolve in the right context
                        $TName = Invoke-Command -ComputerName $Server -ScriptBlock ${Function:Get-AccountName} -ArgumentList $Principal -Credential $Cred
                        If ( $TName )
                        {
                            $Name = $TName
                        }
                        Else
                        {
                            $Name = '(SID not found)'
                        }
                    }
                    Else
                    {
                        # secedit wrote a plain account name instead of a SID; keep it as-is
                        $Name = $Principal
                    }

                    $TempArray += New-Object PSObject -Property ([ordered]@{ Principal = $Name })
                }

                # Keep only the principals matching the account we are looking for
                $Value = ($TempArray.Principal | Where-Object { $_ -match "$Account" }) -join ', '
                If ( -not $Value )
                {
                    $Value = '(not found)'
                }

                $Array += New-Object PSObject -Property ([ordered]@{
                    Server        = $Server
                    "Policy name" = $PolicyName
                    Privilege     = $Privilege
                    Principal     = $Value
                })
            }
        }
    }

    Remove-Variable Check, AuditPath, Audit
}

If ( $Array )
{
    Write-Host "`nFinal results:" -ForegroundColor Yellow
    $Array | Format-Table -Wrap -AutoSize

    # Save results to CSV
    $Array | Export-Csv -Path C:\users\$env:username\desktop\UserRights.csv -NoTypeInformation
}

