[英]How can I use powershell to get a list of service accounts with interactive logon privileges?
By interactive logon, I mean logon types 2, 10, or 11.交互式登录是指登录类型 2、10 或 11。
I would like to write a PowerShell script that can give me a list of service accounts where interactive logon privileges are enabled.我想编写一个 PowerShell 脚本,它可以给我一个启用交互式登录权限的服务帐户列表。
I have tried two approaches.我尝试了两种方法。
I have tried to obtain the list of service accounts as follows:我试图获取服务帐户列表,如下所示:
Get-ADServiceAccount -Right -seInteractiveLogonRight
I've also tried to apply a filter on the user population:我还尝试对用户群体应用过滤器:
Get-ADUser -Filter {name like ‘svc*’} |
Where-Object LogonType -eq 'Interactive'
Neither approach seems to work.这两种方法似乎都不起作用。 With the first, I get a syntax error saying -Right does not exist as a valid parameter, and with the second I don't get a response (just times out).第一个,我收到一个语法错误,说 -Right 不作为有效参数存在,第二个我没有得到响应(只是超时)。
Help/pointers appreciated.帮助/指针表示赞赏。 Am quite new to Powershell so apologies if I'm missing anything fundamental.我对 Powershell 很陌生,如果我遗漏了任何基本内容,我深表歉意。
As for this...至于这个……
Get-ADServiceAccount -Right
... there is no such parameter for that cmdlet. ...该 cmdlet 没有这样的参数。 Always, always check the help file what is and is not possible for a cmdlet, function, module, et al.始终,始终检查帮助文件,对于 cmdlet、function、模块等,哪些是可能的,哪些是不可能的。
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADServiceAccount).Parameters
(Get-Command -Name Get-ADServiceAccount).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name Get-ADServiceAccount -Examples
Get-help -Name Get-ADServiceAccount -Full
Get-help -Name Get-ADServiceAccount -Online
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADUser).Parameters
(Get-Command -Name Get-ADUser).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name Get-ADUser -Examples
Get-help -Name Get-ADUser -Full
Get-help -Name Get-ADUser -Online
Logon Type is on the service object on the host, not a property via an AD user/computer object.登录类型在主机上的服务 object 上,而不是通过 AD 用户/计算机 object 的属性。
# Get all services
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName |
Select-Object -Property DisplayName, StartName, State
# Filter for type
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName |
Where-Object { $PSItem.StartName -match 'LocalSystem' } |
Select-Object -Property DisplayName, StartName, State
Rights are set in Policies (GPO or LPO) for a user/service account.在策略(GPO 或 LPO)中为用户/服务帐户设置权限。
[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML
You can filter that report for specific information.您可以过滤该报告以获取特定信息。 Also, You can use the secedit.exe
tool to get them.此外,您可以使用secedit.exe
工具来获取它们。
secedit commands secedit 命令
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
This can give a rights report, but you will need to translate the SIDs to see the name in plain English.这可以提供权限报告,但您需要翻译 SID 才能看到简单英语的名称。
See this sample:请参阅此示例:
https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings
Though the tool has long since been depreciated, you can still use the ntrights.exe
tool to get that information.尽管该工具早已被贬低,但您仍然可以使用ntrights.exe
工具来获取该信息。 The ntights.exe
tool is in the Windows Resource Kit. ntights.exe
工具位于 Windows 资源工具包中。 That is if you have the old MSDN, TechNet media to get it, or know someone who does.也就是说,如果您有旧的 MSDN、TechNet 媒体来获取它,或者知道有人这样做。 If not you have to do stuff like this.如果不是,你必须做这样的事情。
Find-Module -Name '*rights*'
# Results
<#
Version Name Repository Description
------- ---- ---------- -----------
1.0.2 cUserRightsAssignment PSGallery The cUserRightsAssignment module contains the cUserRight DSC resource that provides a mechanism to manage user rights:
logon rights and privileges.
#>
Or download and use this tool...或下载并使用此工具...
https://archive.codeplex.com/?p=userrights
The UserRights PowerShell module covers the following use cases: UserRights PowerShell 模块涵盖以下用例:
... note: it is a legacy tool also. ...注意:它也是一个遗留工具。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.