Set and Check User Rights Assignment via PowerShell

Category : powershell   operationsManager   troubleshooting   projects


This post was last updated on April 23rd, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Logon as a Service right to a user. I modified the script so that you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

Set-UserRights.ps1

Some (but not all) of the User Rights that can be set:

"Log on as a batch job (SeBatchLogonRight)"
"Allow log on locally (SeInteractiveLogonRight)"
"Access this computer from the network (SeNetworkLogonRight)"
"Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight)"
"Log on as a service (SeServiceLogonRight)"
"Deny log on as a batch job (SeDenyBatchLogonRight)"
"Deny log on locally (SeDenyInteractiveLogonRight)"
"Deny access to this computer from the network (SeDenyNetworkLogonRight)"
"Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)"
"Deny log on as a service (SeDenyServiceLogonRight)"
...

Here are a few examples:

Add Users

Single Users

Example 1

Add User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2

Add User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Add User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Add User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Multiple Users / Services / Computers

Example 5

Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1

Remove User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2

Remove User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Remove User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Remove User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Multiple Users / Services / Computers

Example 5

Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Note

You can also modify line 392 in the script to change what happens when the script is run without any arguments or parameters. This also lets you change what happens when the script is run from the PowerShell ISE.


Check User Rights

Get-UserRights.ps1

To check the local user rights, run the above script (Get-UserRights.ps1). You can also copy and paste the script into the PowerShell ISE and press play.

You may edit line 485 in the script to change what happens when the script is run without any arguments or parameters. This also lets you change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Local Computer

Get Local User Account Rights and output to text in console:

.\Get-UserRights.ps1

Remote Computer

Get Remote SQL Server User Account Rights:

.\Get-UserRights.ps1 -ComputerName SQL.contoso.com

Get Local Machine and SQL Server User Account Rights:

.\Get-UserRights.ps1 -ComputerName $env:COMPUTERNAME, SQL.contoso.com

Output Types

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

.\Get-UserRights.ps1 -FileOutputPath C:\Temp -FileOutputType CSV

Output to Text in ‘C:\Temp’:

.\Get-UserRights.ps1 -FileOutputPath C:\Temp -FileOutputType Text
# or
.\Get-UserRights.ps1 -FileOutputPath C:\Temp

PassThru object to allow manipulation / filtering:

.\Get-UserRights.ps1 -ComputerName SQL.contoso.com -PassThru | Where {$_.Principal -match "Administrator"}
# or
.\Get-UserRights.ps1 -PassThru | ? {$_.Privilege -match 'SeServiceLogonRight'}
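The -PassThru output can also drive a baseline audit. The following is an added example, not part of Get-UserRights.ps1 or the original post: it flags principals that hold a right outside an approved list and principals that hold both an allow right and its matching deny right. It assumes the -PassThru objects expose the Privilege and Principal properties used in the filters above; the sample rows, the baseline, and the function name Test-UserRightsBaseline are constructed for illustration.

```powershell
# Added example: audit logon rights against an approved baseline.
# Constructed sample rows; in practice replace them with:
#   $rights = .\Get-UserRights.ps1 -ComputerName SQL.contoso.com -PassThru
$rights = @(
    [pscustomobject]@{ Privilege = 'SeServiceLogonRight';     Principal = 'NT SERVICE\ALL SERVICES' }
    [pscustomobject]@{ Privilege = 'SeServiceLogonRight';     Principal = 'CONTOSO\User1' }
    [pscustomobject]@{ Privilege = 'SeServiceLogonRight';     Principal = 'CONTOSO\User2' }
    [pscustomobject]@{ Privilege = 'SeDenyServiceLogonRight'; Principal = 'CONTOSO\User2' }
    [pscustomobject]@{ Privilege = 'SeBatchLogonRight';       Principal = 'BUILTIN\Administrators' }
)

# Hypothetical baseline: principals approved to hold each audited right.
$baseline = @{
    SeServiceLogonRight = @('NT SERVICE\ALL SERVICES', 'CONTOSO\User1')
    SeBatchLogonRight   = @('BUILTIN\Administrators')
}

function Test-UserRightsBaseline {
    param([object[]]$Rights, [hashtable]$Baseline)

    foreach ($r in $Rights) {
        # Only audit rights that have a baseline entry.
        if (-not $Baseline.ContainsKey($r.Privilege)) { continue }
        if ($Baseline[$r.Privilege] -notcontains $r.Principal) {
            [pscustomobject]@{ Finding = 'UnexpectedGrant'; Privilege = $r.Privilege; Principal = $r.Principal }
        }
    }

    # A deny right overrides the matching allow right, so a principal holding
    # both cannot use that logon type even though the allow entry exists.
    foreach ($d in ($Rights | Where-Object { $_.Privilege -like 'SeDeny*' })) {
        $allowName = $d.Privilege -replace '^SeDeny', 'Se'
        $match = $Rights | Where-Object { $_.Privilege -eq $allowName -and $_.Principal -eq $d.Principal }
        if ($match) {
            [pscustomobject]@{ Finding = 'AllowDenyConflict'; Privilege = $allowName; Principal = $d.Principal }
        }
    }
}

Test-UserRightsBaseline -Rights $rights -Baseline $baseline | Format-Table -AutoSize
```

With the constructed rows, CONTOSO\User2 is reported twice: once as an unexpected SeServiceLogonRight grant and once as an allow/deny conflict.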

About Blake Drumm
Blake Drumm

I like to collaborate and work on projects. My skills with PowerShell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Website : https://blakedrumm.com
