
How can I use PowerShell to get a list of service accounts with interactive logon privileges?

By interactive logon, I mean logon types 2, 10, or 11.

I would like to write a PowerShell script that can give me a list of service accounts where interactive logon privileges are enabled.

I have tried two approaches.

I have tried to obtain the list of service accounts as follows:

Get-ADServiceAccount -Right -seInteractiveLogonRight

I've also tried to apply a filter on the user population:

Get-ADUser -Filter {name like ‘svc*’} | 
Where-Object LogonType -eq 'Interactive'

Neither approach seems to work. With the first, I get a syntax error saying -Right does not exist as a valid parameter, and with the second I don't get a response (just times out).

Help/pointers appreciated. Am quite new to PowerShell, so apologies if I'm missing anything fundamental.

As for this...

Get-ADServiceAccount -Right

... there is no such parameter for that cmdlet. Always, always check the help file for what is and is not possible for a cmdlet, function, module, et al.

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADServiceAccount).Parameters
(Get-Command -Name Get-ADServiceAccount).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-Help -Name Get-ADServiceAccount -Examples
Get-Help -Name Get-ADServiceAccount -Full
Get-Help -Name Get-ADServiceAccount -Online

# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADUser).Parameters
(Get-Command -Name Get-ADUser).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-Help -Name Get-ADUser -Examples
Get-Help -Name Get-ADUser -Full
Get-Help -Name Get-ADUser -Online

Logon Type is on the service object on the host, not a property via an AD user/computer object.

# Get all services
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName | 
Select-Object -Property DisplayName, StartName, State  

# Filter for type
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName | 
Where-Object { $PSItem.StartName -match 'LocalSystem' } | 
Select-Object -Property DisplayName, StartName, State  

Rights are set in Policies (GPO or LPO) for a user/service account.

[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML

You can filter that report for specific information. Also, you can use the secedit.exe tool to get them.

secedit commands

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

This can give a rights report, but you will need to translate the SIDs to see the name in plain English.

See this sample:

https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings

Though the tool has long since been deprecated, you can still use the ntrights.exe tool to get that information. The ntrights.exe tool is in the Windows Resource Kit. That is, if you have the old MSDN, TechNet media to get it, or know someone who does. If not, you have to do stuff like this.

Find-Module -Name '*rights*'
# Results
<#
Version Name                  Repository Description                                                                                                                
------- ----                  ---------- -----------                                                                                                                
1.0.2   cUserRightsAssignment PSGallery  The cUserRightsAssignment module contains the cUserRight DSC resource that provides a mechanism to manage user rights:     
                                         logon rights and privileges. 
#>

Or download and use this tool...

https://archive.codeplex.com/?p=userrights

The UserRights PowerShell module covers the following use cases:

  • Get a list of users assigned a specific user right
  • Get a list of user rights assigned to a specific user
  • Get a list of all user rights with accounts
  • Grant a user or group a user right
  • Revoke a user or group a user right

... note: it is a legacy tool also.
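
Following the secedit suggestion in the answer above, an added example (not part of the original answer) that exports the host's user rights, normalises every principal to a SID, and reports for each service logon account whether it is directly named in the allow/deny rights for local and Remote Desktop logon. `Resolve-Sid` and the temp file name are names chosen here; it assumes an elevated Windows PowerShell session on the host being audited.

```powershell
# Added example. Run elevated in Windows PowerShell on the host being audited.
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Resolve-Sid {   # hypothetical helper: '*S-1-5-...' or account name -> SID string
    param([string]$Principal)
    $p = $Principal.Trim()
    if ($p.StartsWith('*')) { return $p.Substring(1) }       # secedit's SID form
    $p = $p -replace '^\.\\', ($env:COMPUTERNAME + '\')      # '.\svc' -> 'HOST\svc'
    try {
        [Security.Principal.NTAccount]::new($p).Translate(
            [Security.Principal.SecurityIdentifier]).Value
    } catch { $null }                                        # name could not be resolved
}

# Export only the user-rights area of the host's security settings.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$holders = @{}                                               # right -> SIDs holding it
foreach ($line in Get-Content -Path $cfg) {
    $name, $value = $line -split '\s*=\s*', 2
    if ($rights -contains $name -and $value) {
        $holders[$name] = @($value -split ',' | ForEach-Object { Resolve-Sid $_ })
    }
}
Remove-Item -Path $cfg

# One row per service logon account, skipping the built-in service identities.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and
        $_.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)' } |
    Group-Object -Property StartName |
    ForEach-Object {
        $sid = Resolve-Sid $_.Name
        $row = [ordered]@{ Account = $_.Name; Services = $_.Count }
        foreach ($r in $rights) { $row[$r] = $sid -and ($holders[$r] -contains $sid) }
        [pscustomobject]$row
    }
```

A `True` here reflects a direct assignment only: rights granted or denied through a group (for example Administrators) are not expanded, so group membership has to be checked separately.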
