如何使用 power-shell 將登錄下的用戶列為服務本地安全策略
[英]How to list the users under login as a service local security policy using power-shell
問題描述
我想使用 Power shell 在登錄作為服務策略下查找用戶。 我不想使用任何第三方 dll 或模塊來實現這一點。
1 個解決方案
解決方案1
0 2019-11-08 19:33:11
聽起來你想要這樣的東西:
https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0
示例使用:
Get-AccountsWithUserRight -Right SeServiceLogonRight
function Get-AccountsWithUserRight {
<#
.SYNOPSIS
Gets all accounts that are assigned a specified privilege
.DESCRIPTION
Retrieves a list of all accounts that hold a specified right (privilege). The accounts returned are those that hold the specified privilege directly through the user account, not as part of membership to a group. A list of SIDs and account names is returned. For each SID that cannot be resolved to a name, the Account property is set to an empty string ("").
.PARAMETER Right
Name of the right to query. More than one right may be listed.
Possible values:
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeNetworkLogonRight Access this computer from the network
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeInteractiveLogonRight Allow log on locally
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeTimeZonePrivilege Change the time zone
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreateGlobalPrivilege Create global objects
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeDebugPrivilege Debug programs
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeDenyInteractiveLogonRight Deny log on locally
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege Increase a process working set
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeSecurityPrivilege Manage auditing and security log
SeRelabelPrivilege Modify an object label
SeSystemEnvironmentPrivilege Modify firmware environment values
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUnsolicitedInputPrivilege "Read unsolicited input from a terminal device"
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects
.PARAMETER Computer
Specifies the name of the computer on which to run this cmdlet. If the input for this parameter is omitted, then the cmdlet runs on the local computer.
.PARAMETER SidForUnresolvedName
For each SID that cannot be resolved to a name, set the Account property to the SID instead of leaving it blank.
.EXAMPLE
Get-AccountsWithUserRight SeServiceLogonRight
Returns a list of all accounts that hold the "Log on as a service" right.
.EXAMPLE
Get-AccountsWithUserRight -Right SeServiceLogonRight,SeDebugPrivilege -Computer TESTPC
Returns a list of accounts that hold the "Log on as a service" right, and a list of accounts that hold the "Debug programs" right, on the TESTPC system.
.INPUTS
PS_LSA.Rights Right
String Computer
Switch SidForUnresolvedName
.OUTPUTS
String Account
String SID
String Right
.LINK
http://msdn.microsoft.com/en-us/library/ms721792.aspx
http://msdn.microsoft.com/en-us/library/bb530716.aspx
#>
[CmdletBinding()]
param (
[Parameter(Position=0, Mandatory=$true, ValueFromPipelineByPropertyName=$true, ValueFromPipeline=$true)]
[Alias('Privilege')] [PS_LSA.Rights[]] $Right,
[Parameter(ValueFromPipelineByPropertyName=$true, HelpMessage="Computer name")]
[Alias('System','ComputerName','Host')][String] $Computer,
[switch] $SidForUnresolvedName
)
process {
$lsa = New-Object PS_LSA.LsaWrapper($Computer)
foreach ($Priv in $Right) {
$sids = $lsa.EnumerateAccountsWithUserRight($Priv, $false)
foreach ($sid in $sids) {
$output = @{'Account'=(Convert-SIDtoName $sid $SidForUnresolvedName); 'SID'=$sid; 'Right'=$Priv; }
Write-Output (New-Object -Typename PSObject -Prop $output)
}
}
}
} # Gets all accounts that are assigned specified rights
當文件夾 \\\\appdata\\local 由於安全策略被鎖定時如何工作?
[英]How to work when the folder \\appdata\local is locked because of security policy?
如何通過 powershell ISE 腳本編輯安全選項(在本地安全策略中)?
[英]How would I edit Security Options ( In Local Security Policy ) through a powershell ISE script?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.