Set and Check User Rights Assignment via PowerShell

This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Logon as a Service right to a user. I modified the script so that you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

How to get it

Set-UserRights.ps1 ← Direct Download Link
or
Personal File Server - Set-UserRights.ps1 ← Alternative Download Link
or
Personal File Server - Set-UserRights.txt ← Text Format Alternative Download Link

Some (but not all) of the User Rights that can be set:

"Log on as a batch job (SeBatchLogonRight)"
"Allow log on locally (SeInteractiveLogonRight)"
"Access this computer from the network (SeNetworkLogonRight)"
"Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight)"
"Log on as a service (SeServiceLogonRight)"
"Deny log on as a batch job (SeDenyBatchLogonRight)"
"Deny log on locally (SeDenyInteractiveLogonRight)"
"Deny access to this computer from the network (SeDenyNetworkLogonRight)"
"Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight)"
"Deny log on as a service (SeDenyServiceLogonRight)"
...

Note

You may edit line 392 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1

Add User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2

Add User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Add User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Add User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5

Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

 

Remove Users

Single Users

Example 1

Remove User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2

Remove User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3

Remove User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4

Remove User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5

Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

How to get it

Get-UserRights.ps1 ← Direct Download Link
or
Personal File Server - Get-UserRights.ps1 ← Alternative Download Link
or
Personal File Server - Get-UserRights.txt ← Text Format Alternative Download Link

To check the Local User Rights, you will need to run the above script (Get-UserRights). You may copy and paste the script into your PowerShell ISE and press play.

Note

You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Local Computer

Get Local User Account Rights and output to text in console:

.\Get-UserRights.ps1

Remote Computer

Get Remote SQL Server User Account Rights:

.\Get-UserRights.ps1 -ComputerName SQL.contoso.com

Get Local Machine and SQL Server User Account Rights:

.\Get-UserRights.ps1 -ComputerName $env:COMPUTERNAME, SQL.contoso.com

Output Types

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

.\Get-UserRights.ps1 -FileOutputPath C:\Temp -FileOutputType CSV

Output to Text in ‘C:\Temp’:

.\Get-UserRights.ps1 -FileOutputPath C:\Temp -FileOutputType Text
# or
.\Get-UserRights.ps1 -FileOutputPath C:\Temp

PassThru object to allow manipulation / filtering:

.\Get-UserRights.ps1 -ComputerName SQL.contoso.com -PassThru | Where {$_.Principal -match "Administrator"}
# or
.\Get-UserRights.ps1 -PassThru | ? {$_.Privilege -match 'SeServiceLogonRight'}
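
An added example (not part of the original post or the author's scripts): one way to turn the -PassThru output into an audit, flagging principals that hold a right outside an expected list and principals that hold both a logon right and its Deny counterpart, where the deny right takes precedence. It assumes only the Principal and Privilege properties used in the filters above; Test-UserRightsBaseline, the baseline hashtable and the sample rows are hypothetical.

```powershell
# Added example: audit objects shaped like Get-UserRights.ps1 -PassThru output.
# Only the Principal and Privilege properties (seen in the filters above) are used.
function Test-UserRightsBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        # Hypothetical allow-list: right name -> principals expected to hold it.
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    begin { $seen = [System.Collections.Generic.List[psobject]]::new() }
    process {
        # Pull the constant name (e.g. SeServiceLogonRight) out of the Privilege text.
        if ("$($InputObject.Privilege)" -match '\bSe\w+Right\b') {
            $seen.Add([pscustomobject]@{ Right = $Matches[0]; Principal = "$($InputObject.Principal)" })
        }
    }
    end {
        foreach ($entry in $seen) {
            # Finding 1: a baselined right held by a principal that is not on its list.
            if ($Baseline.ContainsKey($entry.Right) -and $Baseline[$entry.Right] -notcontains $entry.Principal) {
                [pscustomobject]@{ Finding = 'NotInBaseline'; Right = $entry.Right; Principal = $entry.Principal }
            }
            # Finding 2: the same principal holds the allow right and its Deny counterpart.
            if ($entry.Right -like 'SeDeny*') {
                $allow = $entry.Right -replace '^SeDeny', 'Se'
                if ($seen | Where-Object { $_.Right -eq $allow -and $_.Principal -eq $entry.Principal }) {
                    [pscustomobject]@{ Finding = 'AllowAndDeny'; Right = $allow; Principal = $entry.Principal }
                }
            }
        }
    }
}

# Constructed sample rows; in practice pipe in: .\Get-UserRights.ps1 -PassThru
$sample = @(
    [pscustomobject]@{ Principal = 'NT SERVICE\ALL SERVICES'; Privilege = 'SeServiceLogonRight' }
    [pscustomobject]@{ Principal = 'CONTOSO\User';  Privilege = 'SeServiceLogonRight' }
    [pscustomobject]@{ Principal = 'CONTOSO\User1'; Privilege = 'SeBatchLogonRight' }
    [pscustomobject]@{ Principal = 'CONTOSO\User1'; Privilege = 'SeDenyBatchLogonRight' }
)
$baseline = @{
    SeServiceLogonRight = @('NT SERVICE\ALL SERVICES')
    SeBatchLogonRight   = @('CONTOSO\User1')
}
$sample | Test-UserRightsBaseline -Baseline $baseline | Format-Table -AutoSize
```

Rights that are absent from the baseline hashtable are not checked for unexpected holders, so list every right you want enforced.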

Leave some feedback if this helped you!

About Blake Drumm
Blake Drumm

I like to collaborate and work on projects. My skills with PowerShell allow me to quickly develop automated solutions to suit my customers, and my own needs.

My name is Blake Drumm. I am working on the System Center Enterprise Management Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager products mostly; keep checking back for new posts. My goal is to post at least once a month if possible.
