|
25 | 25 | Name of the right you want to add to: SeServiceLogonRight |
26 | 26 | There is no default for this argument |
27 | 27 | |
28 | | - Some (but not all) of the Options you can use: |
29 | | - "Log on as a batch job (SeBatchLogonRight)" |
30 | | - "Allow log on locally (SeInteractiveLogonRight)" |
31 | | - "Access this computer from the network (SeNetworkLogonRight)" |
32 | | - "Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight)" |
33 | | - "Log on as a service (SeServiceLogonRight)" |
34 | | - "Deny log on as a batch job (SeDenyBatchLogonRight)" |
35 | | - "Deny log on locally (SeDenyInteractiveLogonRight)" |
36 | | - "Deny access to this computer from the network (SeDenyNetworkLogonRight)" |
37 | | - "Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)" |
38 | | - "Deny log on as a service (SeDenyServiceLogonRight)" |
| 28 | + All of the Options you can use: |
| 29 | + Replace a process level token (SeAssignPrimaryTokenPrivilege) |
| 30 | + Generate security audits (SeAuditPrivilege) |
| 31 | + Back up files and directories (SeBackupPrivilege) |
| 32 | + Log on as a batch job (SeBatchLogonRight) |
| 33 | + Bypass traverse checking (SeChangeNotifyPrivilege) |
| 34 | + Create global objects (SeCreateGlobalPrivilege) |
| 35 | + Create a pagefile (SeCreatePagefilePrivilege) |
| 36 | + Create permanent shared objects (SeCreatePermanentPrivilege) |
| 37 | + Create symbolic links (SeCreateSymbolicLinkPrivilege) |
| 38 | + Create a token object (SeCreateTokenPrivilege) |
| 39 | + Debug programs (SeDebugPrivilege) |
| 40 | + Obtain an impersonation token for another user in the same session (SeDelegateSessionUserImpersonatePrivilege) |
| 41 | + Deny log on as a batch job (SeDenyBatchLogonRight) |
| 42 | + Deny log on locally (SeDenyInteractiveLogonRight) |
| 43 | + Deny access to this computer from the network (SeDenyNetworkLogonRight) |
| 44 | + Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight) |
| 45 | + Deny log on as a service (SeDenyServiceLogonRight) |
| 46 | + Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) |
| 47 | + Impersonate a client after authentication (SeImpersonatePrivilege) |
| 48 | + Increase scheduling priority (SeIncreaseBasePriorityPrivilege) |
| 49 | + Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) |
| 50 | + Increase a process working set (SeIncreaseWorkingSetPrivilege) |
| 51 | + Allow log on locally (SeInteractiveLogonRight) |
| 52 | + Load and unload device drivers (SeLoadDriverPrivilege) |
| 53 | + Lock pages in memory (SeLockMemoryPrivilege) |
| 54 | + Add workstations to domain (SeMachineAccountPrivilege) |
| 55 | + Perform volume maintenance tasks (SeManageVolumePrivilege) |
| 56 | + Access this computer from the network (SeNetworkLogonRight) |
| 57 | + Profile single process (SeProfileSingleProcessPrivilege) |
| 58 | + Modify an object label (SeRelabelPrivilege) |
| 59 | + Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight) |
| 60 | + Force shutdown from a remote system (SeRemoteShutdownPrivilege) |
| 61 | + Restore files and directories (SeRestorePrivilege) |
| 62 | + Manage auditing and security log (SeSecurityPrivilege) |
| 63 | + Log on as a service (SeServiceLogonRight) |
| 64 | + Shut down the system (SeShutdownPrivilege) |
| 65 | + Synchronize directory service data (SeSyncAgentPrivilege) |
| 66 | + Modify firmware environment values (SeSystemEnvironmentPrivilege) |
| 67 | + Profile system performance (SeSystemProfilePrivilege) |
| 68 | + Change the system time (SeSystemtimePrivilege) |
| 69 | + Take ownership of files or other objects (SeTakeOwnershipPrivilege) |
| 70 | + Act as part of the operating system (SeTcbPrivilege) |
| 71 | + Change the time zone (SeTimeZonePrivilege) |
| 72 | + Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege) |
| 73 | + Remove computer from docking station (SeUndockPrivilege) |
39 | 74 | |
40 | 75 | .Example |
41 | 76 | Usage: |
@@ -224,18 +259,21 @@ PROCESS |
224 | 259 | if ($ActionType -eq 'Adding') |
225 | 260 | { |
226 | 261 | # If right has no value it needs to be added |
227 | | - if($sids -eq $null) { |
| 262 | + if ($sids -eq $null) |
| 263 | + { |
228 | 264 | $sids = "$right = *$sid" |
229 | 265 | $sidList = $sids |
230 | | - } else { |
| 266 | + } |
| 267 | + else |
| 268 | + { |
231 | 269 | $sidList = "$sids,*$sid" |
232 | 270 | } |
233 | 271 | } |
234 | 272 | elseif ($ActionType -eq 'Removing') |
235 | 273 | { |
236 | 274 | $sidList = "$($sids.Replace("*$sid", '').Replace("$Username", '').Replace(",,", ',').Replace("= ,", '= '))" |
237 | 275 | } |
238 | | - Write-Verbose $sidlist |
| 276 | + Write-Verbose $sidlist |
239 | 277 | foreach ($line in @("[Unicode]", "Unicode=yes", "[System Access]", "[Event Audit]", "[Registry Values]", "[Version]", "signature=`"`$CHICAGO$`"", "Revision=1", "[Profile Description]", "Description=$ActionType `"$UserLogonRight`" right for user account: $Username", "[Privilege Rights]", "$sidList")) |
240 | 278 | { |
241 | 279 | Add-Content $import $line |
@@ -386,7 +424,7 @@ PROCESS |
386 | 424 | else |
387 | 425 | { |
388 | 426 |
|
389 | | - <# Edit line 399 to modify the default command run when this script is executed. |
| 427 | + <# Edit line 437 to modify the default command run when this script is executed. |
390 | 428 | Example: |
391 | 429 | Set-UserRights -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2 |
392 | 430 | or |
|