堆栈内存溢出
  简体   繁体   English

如何使用 powershell 获取具有交互式登录权限的服务帐户列表?

[英]How can I use powershell to get a list of service accounts with interactive logon privileges?

 原文  2021-02-21 21:32:50       powershell/ active-directory/ service-accounts

问题描述

By interactive logon, I mean logon types 2, 10, or 11.交互式登录是指登录类型 2、10 或 11。

I would like to write a PowerShell script that can give me a list of service accounts where interactive logon privileges are enabled.我想编写一个 PowerShell 脚本,它可以给我一个启用交互式登录权限的服务帐户列表。

I have tried two approaches.我尝试了两种方法。

I have tried to obtain the list of service accounts as follows:我试图获取服务帐户列表,如下所示:

Get-ADServiceAccount -Right -seInteractiveLogonRight

I've also tried to apply a filter on the user population:我还尝试对用户群体应用过滤器:

Get-ADUser -Filter {name like ‘svc*’} | 
Where-Object LogonType -eq 'Interactive'

Neither approach seems to work.这两种方法似乎都不起作用。 With the first, I get a syntax error saying -Right does not exist as a valid parameter, and with the second I don't get a response (just times out).第一个,我收到一个语法错误,说 -Right 不作为有效参数存在,第二个我没有得到响应(只是超时)。

Help/pointers appreciated.帮助/指针表示赞赏。 Am quite new to Powershell so apologies if I'm missing anything fundamental.我对 Powershell 很陌生,如果我遗漏了任何基本内容,我深表歉意。

1 个解决方案

解决方案1
 0 已采纳  2021-02-22 08:55:20

As for this...至于这个……

Get-ADServiceAccount -Right

... there is no such parameter for that cmdlet. ...该 cmdlet 没有这样的参数。 Always, always check the help file what is and is not possible for a cmdlet, function, module, et al.始终,始终检查帮助文件,对于 cmdlet、function、模块等,哪些是可能的,哪些是不可能的。

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADServiceAccount).Parameters
(Get-Command -Name Get-ADServiceAccount).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name Get-ADServiceAccount -Examples
Get-help -Name Get-ADServiceAccount -Full
Get-help -Name Get-ADServiceAccount -Online

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADUser).Parameters
(Get-Command -Name Get-ADUser).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name  Get-ADUser -Examples
Get-help -Name  Get-ADUser -Full
Get-help -Name  Get-ADUser -Online

Logon Type is on the service object on the host, not a property via an AD user/computer object.登录类型在主机上的服务 object 上,而不是通过 AD 用户/计算机 object 的属性。

# Get all services
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName | 
Select-Object -Property DisplayName, StartName, State  

# Filter for type
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName | 
Where-Object { $PSItem.StartName -match 'LocalSystem' } | 
Select-Object -Property DisplayName, StartName, State

Rights are set in Policies (GPO or LPO) for a user/service account.在策略(GPO 或 LPO)中为用户/服务帐户设置权限。

[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML

You can filter that report for specific information.您可以过滤该报告以获取特定信息。 Also, You can use the secedit.exe tool to get them.此外,您可以使用secedit.exe工具来获取它们。

secedit commands secedit 命令

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

This can give a rights report, but you will need to translate the SIDs to see the name in plain English.这可以提供权限报告,但您需要翻译 SID 才能看到简单英语的名称。

See this sample:请参阅此示例:

https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings

Though the tool has long since been depreciated, you can still use the ntrights.exe tool to get that information.尽管该工具早已被贬低,但您仍然可以使用ntrights.exe工具来获取该信息。 The ntights.exe tool is in the Windows Resource Kit. ntights.exe工具位于 Windows 资源工具包中。 That is if you have the old MSDN, TechNet media to get it, or know someone who does.也就是说,如果您有旧的 MSDN、TechNet 媒体来获取它,或者知道有人这样做。 If not you have to do stuff like this.如果不是,你必须做这样的事情。

Find-Module -Name '*rights*'
# Results
<#
Version Name                  Repository Description                                                                                                                
------- ----                  ---------- -----------                                                                                                                
1.0.2   cUserRightsAssignment PSGallery  The cUserRightsAssignment module contains the cUserRight DSC resource that provides a mechanism to manage user rights:     
                                         logon rights and privileges. 
#>

Or download and use this tool...或下载并使用此工具...

https://archive.codeplex.com/?p=userrights

The UserRights PowerShell module covers the following use cases: UserRights PowerShell 模块涵盖以下用例:

  • Get a list of users assigned a specific user right获取分配了特定用户权限的用户列表
  • Get a list of user rights assigned to a specific user获取分配给特定用户的用户权限列表
  • Get a list of all user rights with accounts获取具有帐户的所有用户权限的列表
  • Grant a user a or group a user right授予用户或组用户权限
  • Revoke a user a or group a user right撤销用户或组用户权限

... note: it is a legacy tool also. ...注意:它也是一个遗留工具。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Powershell 服务帐户列表 - Powershell List of Service Accounts 我应该如何从远程计算机获取所有交互式和远程登录会话 - How I should get all interactive and remote logon sessions from the remote computer 如何在交互式Powershell Remoting会话中使用cdb.exe - How can I use cdb.exe in an interactive Powershell Remoting session Powershell-获取上次登录 - Powershell - Get Last Logon 如何使用PowerShell安装此服务结构项目? - How can I use PowerShell to install this service fabric project? Powershell 如何导入 ADusers.csv 并获取登录 ComputerName.csv 列表(导出) - Powershell how to Import ADusers.csv and get list of logon ComputerName.csv (export) 如何使用 PowerShell 复制 AzureAD 用户组以匹配帐户? - How can I copy AzureAD user groups with PowerShell for matching accounts? 如何使用 PowerShell 获取目录和元数据的树列表 - How can you use PowerShell to get a tree list of directories and metadata 使用 powershell 我想获取对域具有管理员权限的人员列表? - Using powershell I'd like to get a list of people who have admin privileges for a domain? 如何使用 powershell 在本地用户上设置“环境”&gt;“登录时启动以下程序”属性? - How can I set the “Environment” > “Start the following program at logon” property on a local user using powershell?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM