I am trying to write a script to list the privileges (e.g. SeShutdownPrivilege etc.) of all user accounts. I'd prefer it if my script could be run as a standard user, but I can run it as an admin account if I have to. Here are the approaches I have tried so far:

  • using tokensz (from https://blogs.technet.microsoft.com/askds/2007/11/02/whats-in-a-token/): works (tokensz /compute_tokensize /dump_groups) for the currently logged-in user. But when logged in even as a domain administrator, when trying for another user (tokensz /compute_tokensize /dump_groups /user:[another.user]), I get the error SEC_E_LOGON_DENIED.

  • whoami /all works, but only for the currently logged-in user.

  • ntrights.exe doesn't appear to be able to list privileges, only add and remove.

  • secedit /export /areas USER_RIGHTS /cfg out.txt: lists all privileges and the SIDs that have that privilege, but that list appears incomplete; the output from tokensz shows a user John.Smith with SeShutdownPrivilege, but the output from secedit for SeShutdownPrivilege lists groups that John.Smith is not a member of.

I can use portable executables (e.g. tokensz.exe, ntrights.exe) and built-in utilities, but will not be able to install applications or extensions.


You can use AccessChk to accomplish this task.

accesschk "domain\user" -a * will list all the permissions of a given domain user.

You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about.


For anybody looking for a PowerShell script, this ought to do it:

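# List the rights of every account that has a profile on this machine.
gwmi Win32_UserProfile | foreach-object {
 $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
 # Translate() throws for SIDs that no longer map to an account (e.g. orphaned
 # profiles); skip those instead of reusing the previous iteration's $user.
 try { $user = $sid.Translate([System.Security.Principal.NTAccount]) } catch { return }
 $username = $user.Value
 $username
 # Pass the name as an argument with the call operator rather than building a
 # command string for iex, so characters in the name are never parsed as code.
 & accesschk $username -a '*' -q
 ""
}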

It gets the list of users who have a profile on the local machine, determines their names from the SID, and invokes accesschk - as recommended by Ramhound - on them. Each user's record starts with the username in DOMAIN\user format, contains each right on a line, and ends with a blank line. (SID translation courtesy of this article.) You can dump its stuff to a file with the redirection operator, >.

A caveat of AccessChk is that it seems to produce an empty list for domain users that don't have local admin rights. Therefore, this version that produces the above information for every known user in the domain and on the machine is a little lame, but may become useful with a future version of the tool:

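# Same listing for every account known to the machine and the domain.
gwmi Win32_UserAccount | foreach-object {
 $username = $_.Caption
 $username
 # Call accesschk directly instead of through iex (no string parsing of the name).
 & accesschk $username -a '*' -q
 ""
}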

If you're wondering what secedit is talking about, it's just getting the list of principals (in SID form) to which the rights have been assigned in User Rights Assignment (see secpol.msc). Therefore, you'll usually see the SIDs for groups like Users or Administrators rather than specific people.
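An added example, not part of the answer above or of any tool it mentions: because secedit lists the principals each right is assigned to, finding one user's rights means intersecting those lists with the SIDs in that user's token (the user's own SID plus every group SID). The secedit text and the SIDs are constructed samples, and ConvertFrom-SeceditRights and Get-RightsForSids are hypothetical helper names.

```powershell
# Constructed sample of the file written by
# `secedit /export /areas USER_RIGHTS /cfg out.txt` (not real output).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-80-0,svc_backup
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

# Hypothetical helper: parse [Privilege Rights] into right -> list of principals.
function ConvertFrom-SeceditRights([string[]]$Lines) {
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name, $list = $Matches[1], $Matches[2]
            # Entries are "*<SID>" or, where no SID is stored, a bare account name.
            $rights[$name] = @($list -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

# Hypothetical helper: rights whose principal list intersects the token's SIDs.
function Get-RightsForSids([hashtable]$Rights, [string[]]$Sids) {
    foreach ($name in ($Rights.Keys | Sort-Object)) {
        $via = @($Rights[$name] | Where-Object { $Sids -contains $_ })
        if ($via) { [pscustomobject]@{ Right = $name; GrantedVia = $via -join ',' } }
    }
}

$rights = ConvertFrom-SeceditRights $sample
# Constructed token contents: the user's own SID plus BUILTIN\Users (S-1-5-32-545).
$tokenSids = 'S-1-5-21-1111111111-2222222222-3333333333-1105', 'S-1-5-32-545'
Get-RightsForSids $rights $tokenSids
# For the logged-on user, take the SIDs from the real token instead:
# $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
```

To run it against a real export, replace `$sample` with `Get-Content out.txt`.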


This script may help you. It offers the following functions, all using pure PowerShell:

  • Grant-UserRight
  • Revoke-UserRight
  • Get-UserRightsGrantedToAccount
  • Get-AccountsWithUserRight
  • Grant-TokenPrivilege
  • Revoke-TokenPrivilege