Solved

User Rights Assignment - Adding a Username using powershell

Posted on 2016-09-26
Last Modified: 2016-10-10
Using the Windows GUI, I would be doing this:

gpedit.msc
      Computer Configuration / Windows Settings / Security Settings / Local Policies
                              Audit Policy
                                    Each Policy: Enable Success and Failure
                              THEN:
User Rights Assignment
Manage Auditing and Security Log  … add “[username]”

Now I want to automate doing this using powershell.  I've found the script by Tony Pombo but it seems unwieldy for such a simple task and I've had lots of problems getting the commands to be recognized at all.

Suggestions?
Question by:Fred Marshall
23 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41817730
The best way to manage these settings is using GPO. Create a Group Policy and assign it to a group of computers or an OU.

Regarding the PowerShell option:
Using Tony's module is pretty simple..
You need to download the module to a folder (in our example the module is placed in C:\temp).
After that, open a PowerShell console using the Run As Administrator option. Run the following commands to assign the privilege to the user.
Import-Module C:\temp\UserRights.ps1
Grant-UserRight -Computer ComputerA -Account Domain\UserA -Right SeSecurityPrivilege


Let me know if you get any error.
1
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41818246
Subsun:  Thanks!  How would you change that approach for workstations on a peer-to-peer network?  No "group of computers" possibility that I know of.

It would be great to do as you suggest and run these commands all from my own workstation!
If need be, I can run them on the target workstation as I have access to them all.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41818260
For computers in a workgroup, to add local users, we don't have to specify the domain part.
Grant-UserRight -Computer ComputerA -Account UserA -Right SeSecurityPrivilege


I don't have any workgroup computer to test it, but I am pretty sure that it should work. I will test this as soon as I get a chance and let you know the result.
1
 
LVL 40

Expert Comment

by:Subsun
ID: 41818331
gpedit.msc
       Computer Configuration / Windows Settings / Security Settings / Local Policies
                               Audit Policy
                                     Each Policy: Enable Success and Failure
BTW, to enable auditing, you can use auditpol. Example:
auditpol /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:enable /success:enable


Since the computers are not in a domain, you probably have to use different credentials for each computer. If all the computers have the same credentials (for example, if all computers have the same password for their administrator account), then it'll be easy to create a script which you can run from a workstation.
1
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41818373
Subsun:  Yes that works!  Thank you!
The only nit remaining is that the "username" shows up in the settings as an indecipherable *S-1-5-21-2973359201 .........
I hate to think of living with that because how might one check the rights vs. usernames later on then?
Maybe there's a way to read and translate?  That would be better than nothing.
0
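One way to answer the "how do I check rights vs. usernames later" question, as an added example that is not part of the thread: export the local User Rights Assignment with secedit and translate the *S-1-5-... entries back to account names. The temp file path and the function name are my own choices; it must run from an elevated prompt.

```powershell
# Added example (not from the thread): list who holds a user right, by name.
function Get-LocalUserRight {
    param([string[]]$Right = @('SeSecurityPrivilege'))

    $cfg = Join-Path $env:TEMP 'userrights-export.inf'   # temp export path (assumption)
    # secedit writes a [Privilege Rights] section as "SeXxx = *S-1-5-...,*S-1-5-..."
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

    try {
        $lines = Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' }
        foreach ($line in $lines) {
            $name, $value = $line -split '\s*=\s*', 2
            if ($Right -notcontains $name) { continue }
            $accounts = foreach ($entry in ($value -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # a leading '*' marks a SID; translate it to COMPUTER\User or DOMAIN\User
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch [System.Security.Principal.IdentityNotMappedException] { "$entry (unresolved)" }
                } else { $entry }   # secedit already wrote a name
            }
            [pscustomobject]@{ Right = $name; Accounts = $accounts }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

Get-LocalUserRight -Right SeSecurityPrivilege | Format-List
```

An entry reported as "(unresolved)" is a SID the machine can no longer map, typically a deleted local account, which is exactly the kind of stale grant worth removing.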
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41818383
re: auditpol
I have a script for that already .. sorry I didn't mention it.
But so far, it has to run on the target workstation.
Now, if it could be run on my workstation and target various others (as for UserRights) then that would be great!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41818486
What if you use ComputerA\UserA instead of UserA?
Grant-UserRight -Computer ComputerA -Account ComputerA\UserA -Right SeSecurityPrivilege


Does this show the correct user name instead of the SID (S-1-5-21-2973359201)?
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41819160
Grant-UserRight -Computer WIN10PRO3500 -Account WIN10PRO3500\Computerguy -Right SecurityPrivilege

Exception calling "AddPrivilege" with "2" argument(s): "Some or all identity references could not be translated."
At C:\Users\Public\Scripts\UserRights.ps1:523 char:17
+                 $lsa.AddPrivilege($Acct,$Priv)
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41820728
I didn't get a chance to test this. I will update as soon as I can..
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41820858
thanks!!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822687
OK.. As per my testing, in order to add the local user the command has to run locally..

What is the operating system on your computers? Is it Windows 8 or 10?
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41826881
All are Windows 10 Pro.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41826958
I guess you will have remote PowerShell enabled. Can you test the command
Invoke-Command -ComputerName <RemotecompterNamehere> -ScriptBlock {Ipconfig} -Credential (Get-Credential)


Command will prompt to enter credentials, enter remote computer credentials.
1
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41827091
Very interesting!
So it might look like this:

Invoke-Command -ComputerName 192.168.1.33 -ScriptBlock {Grant-UserRight -Computer ComputerA -Account UserA -Right SeSecurityPrivilege} -Credential (Get-Credential)

I'm getting an error:
[192.168.1.33] Connecting to remote server 192.168.1.33 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (192.168.1.33:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken

Maybe the amount of preparation on the target machines is greater than just running the commands locally???
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 41827106
Okie.. It's really a pain to have remote PowerShell on workgroup computers, but once enabled you can remotely run PowerShell commands and automation will be easy.. But still you will have to deal with access errors, as for each server you need a different credential..
Ref : https://blogs.msdn.microsoft.com/wmi/2009/07/24/powershell-remoting-between-two-workgroup-machines/
If it's a small number of machines, you can save the module in a share.. example \\10.0.0.1\script\UserRights.ps1
and try running the following commands locally on the computers..
cmd /c 'auditpol.exe /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:enable /success:enable'
Copy "\\10.0.0.1\script\UserRights.ps1" "$($Env:Temp)"
Import-Module "$($Env:Temp)\UserRights.ps1"
Grant-UserRight -Account UserA -Right SeSecurityPrivilege


Any reason the computers are not added to a domain?
1
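The remote variant of the accepted answer, as an added example that is not part of the thread: it runs the same auditpol and Grant-UserRight steps on a list of workgroup machines from one workstation, prompting for each machine's own credential. It goes a step beyond the answer by copying UserRights.ps1 into the remote session instead of importing it from a share, because a remote session on a workgroup host cannot reuse your credential for a second hop to \\server\share. The target list is constructed, the module is assumed to sit next to this script, and WinRM is assumed to be enabled on the targets.

```powershell
# Added example (not from the thread): push audit policy + SeSecurityPrivilege to workgroup hosts.
$targets    = @('192.168.1.33', '192.168.1.34')   # constructed sample list
$modulePath = Join-Path $PSScriptRoot 'UserRights.ps1'
$account    = 'UserA'                             # local account on every target

# Workgroup hosts cannot be authenticated with Kerberos, so the client must trust them
# explicitly. Keep the list to these hosts only: TrustedHosts turns off server
# authentication for NTLM, so '*' would let any machine impersonate a target.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($targets -join ',') -Concatenate -Force

foreach ($computer in $targets) {
    $cred = Get-Credential -Message "Local administrator for $computer"
    try {
        $session = New-PSSession -ComputerName $computer -Credential $cred -ErrorAction Stop
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"; continue
    }

    # Copy the module into the session (PowerShell 5.0+), avoiding the share double hop.
    $remoteModule = Invoke-Command -Session $session -ScriptBlock { Join-Path $env:TEMP 'UserRights.ps1' }
    Copy-Item -Path $modulePath -Destination $remoteModule -ToSession $session

    $result = Invoke-Command -Session $session -ArgumentList $remoteModule, $account -ScriptBlock {
        param($mod, $user)
        auditpol.exe /set /category:"System","Account Management","Account Logon","Logon/Logoff","Policy Change" /failure:enable /success:enable | Out-Null
        Import-Module $mod
        Grant-UserRight -Account $user -Right SeSecurityPrivilege
        # return the audit state so the caller can confirm the change took
        auditpol.exe /get /category:"Policy Change"
    }
    Write-Host "[$computer] done"
    $result
    Remove-PSSession $session
}
```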
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41827213
Any reason the computers are not added to a domain?
... like there is no server OS machine..
I know this is a stretch for peer-to-peer but it's been working well for us for some time.
Some of the issues we're dealing with here (i.e. the script) are not only to make the setup more efficient but to make repeated setups more efficient, because recent MS Windows 10 updates have been erasing our firewall settings (amongst one or two other things).  So I'm trying to roll it all up into one script.

Had you not enticed me into the remote idea I'd have been done by now!  :-)
Putting the module in a share is a great idea in moving forward!  The idea was bouncing around in the back of my head but hadn't been fully formed.  
I really appreciate the excellent suggestions and help!

The last hurdle is DCOM settings in a separate question:
https://www.experts-exchange.com/questions/28973373/DCOMCNFG-Settings-with-Powershell.html
I've not worked on any of the suggestions yet much.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41827216
Really excellent help!!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41827218
I can see a few experts have responded to the DCOM question, is it not working?
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41827233
DCOM
I've not worked on any of the suggestions yet much.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41828459
I had an old script which I was using for a similar requirement. I have made it into the following function, which should work locally; try it and let me know if you get any error..
Add-DCOMPermission -User UserName


Function Add-DCOMPermission {
    PARAM([string]$User)

    function get-sid {
        PARAM ($DSIdentity)
        $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
        return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
    }

    $sid = get-sid $User

    #DefaultLaunchPermission - Local Launch, Remote Launch, Local Activation, Remote Activation
    $DCOMSDDLDefaultLaunchPermission = "A;;CCDCLCSWRP;;;$sid"

    #DefaultAccessPermision - Local Access, Remote Access
    $DCOMSDDLDefaultAccessPermision = "A;;CCDCLC;;;$sid"

    #PartialMatch - any existing ACE for this SID, whatever rights it carries
    $DCOMSDDLPartialMatch = "A;;\w+;;;$sid"

    # Get the respective binary values of the DCOM registry entries (2147483650 = HKEY_LOCAL_MACHINE)
    $Reg = [WMIClass]"\\$($env:COMPUTERNAME)\root\default:StdRegProv"
    $DCOMDefaultLaunchPermission = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","DefaultLaunchPermission").uValue
    $DCOMDefaultAccessPermission = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","DefaultAccessPermission").uValue

    # Convert the current permissions to SDDL
    $converter = new-object system.management.ManagementClass Win32_SecurityDescriptorHelper
    $CurrentDCOMSDDLDefaultLaunchPermission = $converter.BinarySDToSDDL($DCOMDefaultLaunchPermission)
    $CurrentDCOMSDDLDefaultAccessPermission = $converter.BinarySDToSDDL($DCOMDefaultAccessPermission)

    # Build the new permissions: replace an existing ACE for this SID, otherwise append one
    if (($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -notmatch $DCOMSDDLDefaultLaunchPermission))
    {
        $NewDCOMSDDLDefaultLaunchPermission = $CurrentDCOMSDDLDefaultLaunchPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultLaunchPermission
    }
    else
    {
        $NewDCOMSDDLDefaultLaunchPermission = $CurrentDCOMSDDLDefaultLaunchPermission.SDDL + "(" + $DCOMSDDLDefaultLaunchPermission + ")"
    }

    if (($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLPartialMatch) -and ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -notmatch $DCOMSDDLDefaultAccessPermision))
    {
        $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL -replace $DCOMSDDLPartialMatch, $DCOMSDDLDefaultAccessPermision
    }
    else
    {
        $NewDCOMSDDLDefaultAccessPermission = $CurrentDCOMSDDLDefaultAccessPermission.SDDL + "(" + $DCOMSDDLDefaultAccessPermision + ")"
    }

    # Convert SDDL back to Binary
    $DCOMbinarySDDefaultLaunchPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultLaunchPermission)
    $DCOMbinarySDDefaultAccessPermission = $converter.SDDLToBinarySD($NewDCOMSDDLDefaultAccessPermission)

    # Apply the changes (SetBinaryValue reports success with ReturnValue 0)
    if ($CurrentDCOMSDDLDefaultLaunchPermission.SDDL -match $DCOMSDDLDefaultLaunchPermission)
    {
        write-host "DefaultLaunchPermission already set for $user"
    }
    else
    {
        $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","DefaultLaunchPermission", $DCOMbinarySDDefaultLaunchPermission.binarySD)
        if ($result.ReturnValue -eq 0) { write-host "Applied DefaultLaunchPermission for $User" }
        else { write-warning "SetBinaryValue for DefaultLaunchPermission returned $($result.ReturnValue)" }
    }

    if ($CurrentDCOMSDDLDefaultAccessPermission.SDDL -match $DCOMSDDLDefaultAccessPermision)
    {
        write-host "DefaultAccessPermission already set for $user"
    }
    else
    {
        $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","DefaultAccessPermission", $DCOMbinarySDDefaultAccessPermission.binarySD)
        if ($result.ReturnValue -eq 0) { write-host "Applied DefaultAccessPermission for $user" }
        else { write-warning "SetBinaryValue for DefaultAccessPermission returned $($result.ReturnValue)" }
    }
}


0
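A read-only companion to the function above, as an added example that is not part of the thread: it pulls the same two machine-wide DCOM values through StdRegProv and Win32_SecurityDescriptorHelper, but prints each ACE with the account name resolved instead of the raw SID, so the result can be checked against dcomcnfg. The function name is my own; it needs PowerShell 5.1 for ConvertFrom-SddlString, and the account argument reuses the Computerguy name from the thread.

```powershell
# Added example (not from the thread): show DCOM default permissions with names, not SIDs.
function Get-DCOMDefaultPermission {
    param([string]$User)   # optional: also report whether this account already has an ACE

    $reg       = [WMIClass]"\\$env:COMPUTERNAME\root\default:StdRegProv"
    $converter = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $HKLM      = [uint32]2147483650

    $userSid = $null
    if ($User) {
        $userSid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
    }

    foreach ($valueName in 'DefaultLaunchPermission', 'DefaultAccessPermission') {
        $bin = $reg.GetBinaryValue($HKLM, 'software\microsoft\ole', $valueName).uValue
        if (-not $bin) {
            # value absent: COM applies its built-in defaults, nothing to decode
            [pscustomobject]@{ Setting = $valueName; Entries = '(not set, built-in default)'; HasUser = $null }
            continue
        }
        $sddl = $converter.BinarySDToSDDL($bin).SDDL
        # ConvertFrom-SddlString resolves each ACE's SID to a name and spells out the rights
        $dacl = (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
        $hasUser = $null
        if ($userSid) {
            # an allow ACE for this SID, whatever rights it carries (same shape Add-DCOMPermission writes)
            $hasUser = $sddl -match "\(A;;\w+;;;$userSid\)"
        }
        [pscustomobject]@{ Setting = $valueName; Entries = $dacl; HasUser = $hasUser }
    }
}

Get-DCOMDefaultPermission -User "$env:COMPUTERNAME\Computerguy" | Format-List
```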
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41832757
It appears that this one works!!  Thank you!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41832884
You are welcome!
0
 
LVL 26

Author Closing Comment

by:Fred Marshall
ID: 41837717
Thank you!
0
