By interactive logon, I mean logon types 2, 10, or 11.
I would like to write a PowerShell script that can give me a list of service accounts where interactive logon privileges are enabled.
I have tried two approaches.
I have tried to obtain the list of service accounts as follows:
Get-ADServiceAccount -Right -seInteractiveLogonRight
I've also tried to apply a filter on the user population:
Get-ADUser -Filter {name like ‘svc*’} |
Where-Object LogonType -eq 'Interactive'
Neither approach seems to work. With the first, I get a syntax error saying -Right does not exist as a valid parameter, and with the second I don't get a response (just times out).
Help/pointers appreciated. Am quite new to PowerShell so apologies if I'm missing anything fundamental.
As for this...
Get-ADServiceAccount -Right
... there is no such parameter for that cmdlet. Always, always check the help file for what is and is not possible for a cmdlet, function, module, et al.
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADServiceAccount).Parameters
(Get-Command -Name Get-ADServiceAccount).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name Get-ADServiceAccount -Examples
Get-help -Name Get-ADServiceAccount -Full
Get-help -Name Get-ADServiceAccount -Online
# Get specifics for a module, cmdlet, or function
(Get-Command -Name Get-ADUser).Parameters
(Get-Command -Name Get-ADUser).Parameters.Keys
# Results
<#
Verbose
Debug
ErrorAction
WarningAction
InformationAction
ErrorVariable
WarningVariable
InformationVariable
OutVariable
OutBuffer
PipelineVariable
AuthType
Credential
Filter
Identity
LDAPFilter
Partition
Properties
ResultPageSize
ResultSetSize
SearchBase
SearchScope
Server
#>
Get-help -Name Get-ADUser -Examples
Get-help -Name Get-ADUser -Full
Get-help -Name Get-ADUser -Online
Logon Type is on the service object on the host, not a property via an AD user/computer object.
# Get all services
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName |
Select-Object -Property DisplayName, StartName, State
# Filter for type
Get-WmiObject -Class Win32_Service -ComputerName $env:ComputerName |
Where-Object { $PSItem.StartName -match 'LocalSystem' } |
Select-Object -Property DisplayName, StartName, State
Rights are set in Policies (GPO or LPO) for a user/service account.
[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML
You can filter that report for specific information. Also, you can use the secedit.exe tool to get them.
secedit commands
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
This can give a rights report, but you will need to translate the SIDs to see the name in plain English.
See this sample:
https://www.powershellbros.com/get-user-rights-assignment-security-policy-settings
Though the tool has long since been deprecated, you can still use the ntrights.exe tool to get that information. The ntrights.exe tool is in the Windows Resource Kit. That is if you have the old MSDN, TechNet media to get it, or know someone who does. If not, you have to do stuff like this.
Find-Module -Name '*rights*'
# Results
<#
Version Name Repository Description
------- ---- ---------- -----------
1.0.2 cUserRightsAssignment PSGallery The cUserRightsAssignment module contains the cUserRight DSC resource that provides a mechanism to manage user rights:
logon rights and privileges.
#>
Or download and use this tool...
https://archive.codeplex.com/?p=userrights
The UserRights PowerShell module covers the following use cases:
... note: it is a legacy tool also.
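The secedit route mentioned in the answer above can be scripted as below; this is an added example, not code from the original answer or from any of the tools it links. It exports the host's user rights, keeps the allow/deny rights for local and Remote Desktop logon, translates SIDs to names, and flags principals matching the `svc*` convention from the question. The function names `Resolve-Principal` and `Get-LogonRightAssignment`, the temp file name, and the sample line in the comment are assumptions made for illustration.

```powershell
# Added example. secedit /export typically needs an elevated session.
$LogonRights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
               'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs as '*S-1-5-...'; plain account names carry no asterisk
    if ($Entry -notmatch '^\*S-') { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Entry   # unresolvable (deleted account, unreachable domain): keep the raw SID
    }
}

function Get-LogonRightAssignment {
    param([string[]]$InfLines, [string[]]$Right = $LogonRights)
    foreach ($line in $InfLines) {
        # Constructed sample line: SeInteractiveLogonRight = *S-1-5-32-544,CONTOSO\svc_backup
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Matches[1] -in $Right) {
            $name = $Matches[1]
            foreach ($entry in $Matches[2] -split ',') {
                $entry = $entry.Trim()
                if (-not $entry) { continue }   # right present but assigned to nobody
                $principal = Resolve-Principal -Entry $entry
                [pscustomobject]@{
                    Right      = $name
                    Principal  = $principal
                    # Compare only the account part of DOMAIN\name against the svc* pattern
                    IsSvcNamed = ($principal -split '\\')[-1] -like 'svc*'
                }
            }
        }
    }
}

# Export only the user rights area of the effective local policy, then parse it
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-LogonRightAssignment -InfLines (Get-Content -Path $cfg) |
    Sort-Object Right, Principal |
    Format-Table -AutoSize
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

The output lists only principals named directly in the policy; a service account that inherits a logon right through a group will not show `IsSvcNamed` as true until that group's membership is expanded. A matching entry under one of the `SeDeny...` rights overrides the corresponding allow right.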