How can I get an overview of all users with a specific user right in Windows?

0

I need to check that only the administrators group (sid: S-1-5-32-544) has the privilege to take ownership of files or folders (SeTakeOwnershipPrivilege).

How can I get an overview of all users/groups that have this privilege?

What I already found and tried is the following command:

secedit /export /areas USER_RIGHTS /cfg output.txt

The output in the file looks pretty useful:

[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
...
SeTakeOwnershipPrivilege = *S-1-5-32-544
...
[Version]
signature="$CHICAGO$"
Revision=1

With this method above I would have to read the file into my PowerShell script, search for the privilege and delete the file afterwards.

Is there any other method to do this in PowerShell without external modules or executables?

Thanks for your supply.

Cheers

David

dwettstein

Posted 2014-09-05T14:20:50.570

Reputation: 23

Answers

0

There is another way using the LsaEnumerateAccountsWithUserRight Win32 API function. This has to be coded in C# (PInvoke) in your script and the code definition would be very long and messy.

I would avoid the above and wrap the executable instead. Why reinvent the wheel?

# Check this privilege.
$privilege = 'SeDenyInteractiveLogonRight'

# Create temp file for executable output.
$tempFile = [System.IO.Path]::GetTempFileName()

# Run the executable and wait for it to finish (path quoted in case it contains spaces).
Start-Process -FilePath secedit.exe -ArgumentList "/export /areas USER_RIGHTS /cfg `"$tempFile`"" -Wait -WindowStyle Hidden

# Run through lines in the output file.
Get-Content $tempFile -Encoding Unicode | Where-Object {

    # Where the privilege is listed.
    $_ -match $privilege } | ForEach-Object {

        # Separate the key and values.
        $_.split('=')[1].split(',') | ForEach-Object {

            # Output the user/SID values.
            $_.trim()
        }
}

# Remove the temp file once the values have been read.
Remove-Item $tempFile

MFT

Posted 2014-09-05T14:20:50.570

Reputation: 542

Thanks for your reply. I assume I will have to go this way, since I cannot use other modules or executables. Nice hint with wrapping the executable. – dwettstein – 2014-09-09T09:14:17.113
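
The secedit wrapper above can be extended into the check the question asks for: list every holder of a right and flag any that are not on an expected list. This is an added example, not code from any poster in the thread; the function names are hypothetical, the sample lines are constructed from the export shown in the question plus one made-up extra holder, and the live call assumes an elevated session.

```powershell
# Added example, not code from the thread; function names are hypothetical.
function Get-SeceditExport {
    # Export user rights to a temp file, read it, and always delete the file.
    $tempFile = [System.IO.Path]::GetTempFileName()
    try {
        $null = & secedit.exe /export /areas USER_RIGHTS /cfg $tempFile
        if ($LASTEXITCODE -ne 0) { throw "secedit exited with code $LASTEXITCODE" }
        Get-Content $tempFile -Encoding Unicode
    } finally {
        Remove-Item $tempFile -ErrorAction SilentlyContinue
    }
}

function Test-UserRightHolder {
    param(
        [string[]]$Lines,                                # secedit export lines
        [string]$Privilege = 'SeTakeOwnershipPrivilege',
        [string[]]$ExpectedSid = @('S-1-5-32-544')       # BUILTIN\Administrators
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Exact key match, so one right's name cannot match inside another line.
    $pattern = '^\s*' + [regex]::Escape($Privilege) + '\s*=(.*)$'
    $holders = @()                                       # right not listed: no holders (assumption)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match $pattern) {
            # Entries are comma-separated; SIDs carry a leading '*'.
            $holders = @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $sids = @(foreach ($h in $holders) {
        if ($h -match '^S-1-') { $h; continue }
        # Assumption: entries without '*' are account names; normalise to SIDs.
        try { (New-Object System.Security.Principal.NTAccount($h)).Translate($sidType).Value }
        catch { $h }                                     # unresolved: report as-is
    })
    $unexpected = @($sids | Where-Object { $ExpectedSid -notcontains $_ })
    New-Object PSObject -Property @{
        Privilege = $Privilege; Holders = $sids
        Unexpected = $unexpected; Compliant = ($unexpected.Count -eq 0)
    }
}

# Constructed sample: the question's export with one extra holder added.
$sample = '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-5-32-544',
    'SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-32-551', '[Version]'
Test-UserRightHolder -Lines $sample
# Live check on the local machine: Test-UserRightHolder -Lines (Get-SeceditExport)
```
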

0

Not a pure PS solution, but an option nonetheless. :)

You could use Microsoft's AccessChk utility (download it here) instead of SecEdit.

Unlike SecEdit, AccessChk outputs to the stdout, so you can easily capture its output into a PS variable, and then check that variable (with no need for an intermediate file).

Something like:

$privToCheckFor = "SeTakeOwnershipPrivilege"
$groupPrivs = .\accesschk -a administrators *
if ((Out-String -InputObject $groupPrivs).IndexOf($privToCheckFor) -ge 0) {
    Write-Host "Has Privilege"
} else {
    Write-Host "Doesn't Have Privilege"
}

Ƭᴇcʜιᴇ007

Posted 2014-09-05T14:20:50.570

Reputation: 103 763

Thanks for your hint. I also found this utility. Is it preinstalled on Windows Server 2008 and 2012 machines? Unfortunately, I cannot install external modules or executables. – dwettstein – 2014-09-09T09:19:34.577

0

Shameless promotion: check out the Carbon module (I'm the creator/maintainer). It has a Get-Privilege function that will return all a principal's privileges.

splattered bits

Posted 2014-09-05T14:20:50.570

Reputation: 173

Thanks for your reply. Nice module! Unfortunately, I can only use the "standard" modules. :( – dwettstein – 2014-09-09T09:08:58.810

-1

Here's the solution:

(Get-WmiObject -Namespace root\rsop\computer -Class RSOP_UserPrivilegeRight | Where-Object {$_.UserRight -eq "SeTakeOwnershipPrivilege"}).AccountList

Francis

Posted 2014-09-05T14:20:50.570

Reputation: 1

Can you please add some explanations? – Romeo Ninov – 2016-04-19T06:44:10.760

It is questioning an instance of WMI and extracting the requested parameter from the resultant set of policies. Pretty simple and straightforward. You could also specify a remote computer with -computername. – Francis – 2016-04-20T19:59:24.443

-1

Maybe this command will be helpful

Get-WmiObject -Class win32_userprofile

sanyam jain

Posted 2014-09-05T14:20:50.570

Reputation: 29