8
1
I am trying to write a script to list the privileges (eg SeShutDownPrivilege
etc) of all user accounts. I'd prefer it if my script could be run as a standard user, but I can run it as an admin account if I had to.
Here are the approaches I have tried so far:
using tokensz (from https://blogs.technet.microsoft.com/askds/2007/11/02/whats-in-a-token/): works (
tokensz /compute_tokensize /dump_groups
) for the currently logged in user. But when logged in even as a domain administrator, when trying for another user (tokensz /compute_tokensize /dump_groups /user:[another.user]
), I get the errorSEC_E_LOGON_DENIED
whoami /all
works but only for the currently logged in userntrights.exe
doesn't appear to be able to list privileges, only add and remove.secedit /export /areas USER_RIGHTS /cfg out.txt
: lists all privileges and the SIDs that have that privilege, but that list appears incomplete; the output fromtokensz
shows a userJohn.Smith
withSeShutdownPrivilege
, but the output fromsecedit
forSeShutdownPrivilege
lists groups thatJohn.Smith
is not a member of.
I can use portable executables (eg tokensz.exe
, ntrights.exe
) and built in utilities but will not be able to install applications or extensions
I believe your last proposal should really be
secedit /export /mergedpolicy /areas USER_RIGHTS /cfg out.txt
: this way it should list all the privileges that the security database will apply, should they come from the machine policies (as you got) as well as those granted through the Active Directory policies ("GPOs") – AntoineL – 2016-10-29T21:26:45.727