You can add, remove, and check user rights assignments (remotely / locally) with the following PowerShell scripts.
Posted by : blakedrumm on Jan 5, 2022
Remote computer, output types.
This post was last updated on August 29th, 2022
I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User. I modified the script; you can now run the PowerShell script against multiple machines, users, and user rights.
How to get it.
All of the User Rights that can be set:
Privilege | PrivilegeName |
---|---|
SeAssignPrimaryTokenPrivilege | Replace a process level token |
SeAuditPrivilege | Generate security audits |
SeBackupPrivilege | Back up files and directories |
SeBatchLogonRight | Log on as a batch job |
SeChangeNotifyPrivilege | Bypass traverse checking |
SeCreateGlobalPrivilege | Create global objects |
SeCreatePagefilePrivilege | Create a pagefile |
SeCreatePermanentPrivilege | Create permanent shared objects |
SeCreateSymbolicLinkPrivilege | Create symbolic links |
SeCreateTokenPrivilege | Create a token object |
SeDebugPrivilege | Debug programs |
SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session |
SeDenyBatchLogonRight | Deny log on as a batch job |
SeDenyInteractiveLogonRight | Deny log on locally |
SeDenyNetworkLogonRight | Deny access to this computer from the network |
SeDenyRemoteInteractiveLogonRight | Deny log on through Remote Desktop Services |
SeDenyServiceLogonRight | Deny log on as a service |
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
SeImpersonatePrivilege | Impersonate a client after authentication |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
SeIncreaseWorkingSetPrivilege | Increase a process working set |
SeInteractiveLogonRight | Allow log on locally |
SeLoadDriverPrivilege | Load and unload device drivers |
SeLockMemoryPrivilege | Lock pages in memory |
SeMachineAccountPrivilege | Add workstations to domain |
SeManageVolumePrivilege | Perform volume maintenance tasks |
SeNetworkLogonRight | Access this computer from the network |
SeProfileSingleProcessPrivilege | Profile single process |
SeRelabelPrivilege | Modify an object label |
SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services |
SeRemoteShutdownPrivilege | Force shutdown from a remote system |
SeRestorePrivilege | Restore files and directories |
SeSecurityPrivilege | Manage auditing and security log |
SeServiceLogonRight | Log on as a service |
SeShutdownPrivilege | Shut down the system |
SeSyncAgentPrivilege | Synchronize directory service data |
SeSystemEnvironmentPrivilege | Modify firmware environment values |
SeSystemProfilePrivilege | Profile system performance |
SeSystemtimePrivilege | Change the system time |
SeTakeOwnershipPrivilege | Take ownership of files or other objects |
SeTcbPrivilege | Act as part of the operating system |
SeTimeZonePrivilege | Change the time zone |
SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller |
SeUndockPrivilege | Remove computer from docking station |
Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.
Here are a few examples:
Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:

```powershell
.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight
```

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight
```

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight
```

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

```powershell
.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight
```

Add Multiple Users / Rights / Computers

Example 5: Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on local machine and SQL.contoso.com:

```powershell
.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2
```
Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:

```powershell
.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight
```

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight
```

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight
```

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

```powershell
.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight
```

Remove Multiple Users / Rights / Computers

Example 5: Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on local machine and SQL.contoso.com:

```powershell
.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2
```
In order to check the Local User Rights, you will need to run the above (Get-UserRights). You may copy and paste the above script into your PowerShell ISE and press play.
Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.
Get Local User Account Rights and output to text in console:
Get Remote SQL Server User Account Rights:
Get Local Machine and SQL Server User Account Rights:
Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:
Output to Text in ‘C:\Temp’:
PassThru object to allow manipulation / filtering:
I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.
Email : [email protected]
Website : https://blakedrumm.com
My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.
Anyone know if a setting exists to allow a non-admin user to shutdown a server?
Obviously I can set the "Allow Server to shutdown without logon" GPO but that is not quite the same thing. I am looking for a way to properly assign the shutdown right to a particular user if possible.
You can assign this in either a GPO or Local Security Policy.
The setting that you're looking for is in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shutdown the system
use "force shutdown from a remote system" then you can build a script like shutdown -r -t 120 -m "hostname" to restart the system remotely.
All about Microsoft Intune
Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more
This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shutdown that device, should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the list of users that are allowed to shutdown a specific Windows device. This post will provide some more details around that configuration, followed with the configuration steps. This post will end with showing the user experience.
Note: Keep in mind that this post is focussed on the local options on the Windows device.
When looking at preventing users from shutting down, or restarting, specific Windows devices, the UserRights section in the Policy CSP is the place to look. That section contains many of the different policy settings of the User Rights Assignment Local Policies, including the Shut Down The System (ShutDownTheSystem) policy setting. That policy setting can be used to configure the users that are allowed to locally shutdown, or restart, the device. The configuration of that policy setting is available via the Settings Catalog. The following eight steps walk through the creation of a Settings Catalog profile that contains the required setting to configure the local shutdown rights, by using the Shut Down The System policy setting.
Note: The setting mentions that it’s available for Windows Insiders only, but that’s not the experience so far.
After configuring the list with users that are allowed to shutdown the device, it’s time to look at the user experience. And there are many things that indicate the behavior and that the configuration is applied. That can be the actual applied configuration, as well as the experience of the user. Pieces of both are shown below in Figure 2. To start with the first, the applied configuration can be verified in the Local Security Policy by looking at Local Policies > User Rights Assignment. That includes the Shut down the system right (1) that includes the configured list of users and local groups that are allowed to shutdown the system. The applied configuration will make sure that the users cannot shutdown, or restart, the device. That can be verified by for example looking at the available power options for the users (2), or the ability to restart the device after the installation of updates (3). Besides that, even command actions will be prevented and give the user an access denied message.
Note: This configuration was successfully tested on the latest Windows Insiders builds and on Windows 11 version 23H2.
For more information about preventing users from restarting Windows, refer to the following docs.
I don’t suppose you tested this on Win 11 22H2 as well did you by any chance? I’m not having much luck setting it yet, I’ve even tried using a SID rather than domain group name.
Before I dig too deeply I’m unsure if it’s the Windows Insider thing mentioned that isn’t working on 22H2 – but does on 23H2, or if it’s something else.
Hi Steve, I’ve successfully tested it on Windows 11 23H2 and Insider Builds. Regards, Peter
Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63883 | WN10-UR-000100 | SV-78373r1_rule | | Medium |
Description |
---|
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system which could result in a DoS. |
STIG | Date |
---|---|
 | 2017-04-28 |
Check Text ( None ) |
---|
None |
Fix Text (F-69811r1_fix) |
---|
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following groups or accounts: Administrators |
I am attempting to monitor the status of SeRemoteShutdownPrivilege and SeEnableDelegationPrivilege to determine if they have been updated/changed. When doing so, this configuration file doesn't seem to update. Are there any other locations where a variable would affect "Force shutdown from a remote system" and "Enable computer and user accounts to be trusted for delegation"? I have already looked through Microsoft Registry key documentation. Here's the link I referred to: https://www.microsoft.com/en-us/download/details.aspx?id=25250 I have looked into using Get-GPRegistryValue, Get-GPOReport, and Get-GPO. The way I generated Sec.cfg was using "Secedit /export /cfg sec.cfg /log NUL".
Thank you for any help that you can provide.
• For the ‘Force Shutdown from a Remote System’ setting to apply effectively on a client system, kindly check whether the below group policy regarding this setting has been applied or not by executing the command ‘gpresult /h gpreport.html’ on the elevated command prompt on the client system. In the report, please check whether the above said group policy setting has been applied successfully or not.
Group policy setting: -
On the Group Policy Server, check the below group policy setting by checking the ‘Default domain policy’ or that policy which controls the below setting: -
To forcefully apply the domain group policy settings on the client system, execute the command ‘gpupdate /force’ on an elevated command prompt and restart the client system. Then check the client’s group policy report once again to check whether the setting has been applied or not.
• Also, I would suggest you to please make the above said modifications on a baseline client system through local group policy editor and export the settings in an ‘.inf’ template for installation via powershell script. Check for the below settings information in the ‘.inf’ file and then execute the below command by modifying the values for ‘.inf’ file and ‘.db’ file as appropriate: -
By doing the above, your issue should get resolved.
Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting.
This security setting determines which users are allowed to shut down a device from a remote location on the network. This setting allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location.
Constant: SeRemoteShutdownPrivilege
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
By default this setting is Administrators and Server Operators on domain controllers and Administrators on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Server type or GPO | Default value |
---|---|
Default Domain Policy | Not defined |
Default Domain Controller Policy | Administrators, Server Operators |
Stand-Alone Server Default Settings | Administrators |
Domain Controller Effective Default Settings | Administrators, Server Operators |
Member Server Effective Default Settings | Administrators |
Client Computer Effective Default Settings | Administrators |
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
This policy setting must be applied on the computer that is being accessed remotely.
This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Any user who can shut down a device could cause a denial-of-service condition to occur. Therefore, this user right should be tightly restricted.
Restrict the Force shutdown from a remote system user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff.
On a domain controller, if you remove the Force shutdown from a remote system user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that delegated activities are not adversely affected.
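The restriction called for by the STIG fix text and the countermeasure above can be checked against the `[Privilege Rights]` section of a `secedit /export` file. The following is an added example, not code from any of the sources quoted on this page; the function names, the sample export and the `S-1-5-21-...` SID are constructed for illustration, and a right with no line in the export is assumed to have no holders.

```powershell
# Added example: audit user-rights holders in a secedit export against an
# allow-list. Real input would be: Get-Content .\sec.cfg, after the export
# command quoted earlier on this page (Secedit /export /cfg sec.cfg /log NUL).

function Get-PrivilegeRights {
    # Parse the [Privilege Rights] section into @{ RightName = @(holders) }.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $text -notmatch '=') { continue }
        $name, $value = $text -split '=', 2
        # Holders are comma-separated; SIDs carry a leading '*', names do not.
        $rights[$name.Trim()] = @(
            $value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        )
    }
    return $rights
}

function Test-UserRight {
    # Flag every holder of $Right that is not on the allow-list of SIDs.
    # A holder exported as an account name is flagged too (conservative).
    param([hashtable]$Rights, [string]$Right, [string[]]$AllowedSids)
    # Assumption of this example: no line in the export means no holders.
    $holders = @()
    if ($Rights.ContainsKey($Right)) { $holders = @($Rights[$Right]) }
    $unexpected = @($holders | Where-Object { $_ -notin $AllowedSids })
    [pscustomobject]@{
        Right      = $Right
        Holders    = $holders -join ', '
        Unexpected = $unexpected -join ', '
        Compliant  = ($unexpected.Count -eq 0)
    }
}

# Constructed sample export; the S-1-5-21-... SID is made up.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Allow-lists. S-1-5-32-544 is BUILTIN\Administrators, the only group the
# STIG fix text permits. On domain controllers the documented default also
# includes Server Operators (S-1-5-32-549); add it there if that is intended.
# The empty list for the delegation right is an assumption for this sample.
$policy = @{
    SeRemoteShutdownPrivilege   = @('S-1-5-32-544')
    SeEnableDelegationPrivilege = @()
}

$rights = Get-PrivilegeRights -Lines $sample
$policy.GetEnumerator() | ForEach-Object {
    Test-UserRight -Rights $rights -Right $_.Key -AllowedSids $_.Value
} | Format-Table -AutoSize
```

Against the constructed sample, `SeRemoteShutdownPrivilege` is reported as non-compliant because of the extra `S-1-5-21-...` holder, while `SeEnableDelegationPrivilege` has no line in the export and is reported with no holders.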
How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO. You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.This GPO option allows you to specify which locally logged-on users can shut down an ...
1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group Policy. This user right doesn't have the same effect as Force shutdown from a remote system. For more information, see Force shutdown from a remote system.
1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Shut down the system policy in the right pane. (see screenshot below) 3.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Shut Down the System. Double click on it > Select Users > Press Remove > Apply/OK.
How to do it: Run secpol.msc. Open Security Settings \ Local Policies \ User Rights Assignment. Double-click Force shutdown from a remote system in the right pane. Click Add User or Group. Enter the name INTERACTIVE in the text box and click Check names, then click OK, and OK again.
For info about the User Rights Assignment policy, Shut down the system, see Shut down the system. Security considerations. This section describes: How an attacker might exploit a feature or its configuration. How to implement the countermeasure. Possible negative consequences of countermeasure implementation. Vulnerability
To Allow Users or Groups to Shut Down Windows 10, Press Win + R keys together on your keyboard and type: secpol.msc. Press Enter. Local Security Policy will open. Go to User Local Policies -> User Rights Assignment. On the right, double-click the option Shut down the system. In the next dialog, click Add User or Group.
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain.
a) Open Local Security Policy. b)Expand Local Policies. c) Select User Rights Assignment>Right Pane of User Rights Assignment. d) Double Click on Shut down the system. e) Now select User (s) and /or group (s) that you don't want to be allowed to shut down the computer. No it's not working. You already posted this.
User Rights Assignment; Shut down the system. The Explanation of the privilege: Shut down the system. This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.
How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell. ... SecurityPolicyDsc PSGallery This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments 1.3.2 Indented.SecurityPolicy PSGallery Security management functions and resources 0.0.12 ...
In the right pane of User Rights Assignment, double click on a listed Policy (ex: Shut down the system) that you wanted to add or remove a user or group, then go to step 3 and/or 4 below. (see screenshot above) 3. To Remove a User or Group from a User Rights Assignment Policy
Click Start Button, Type gpedit.msc in the search field. Browse to the following location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Shut Down the System. Double Click on Shut down the System, Select the user group you want to Disable and hit Remove > Apply > OK.
Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users. Each computer has its own user rights assignments.
use "force shutdown from a remote system" then you can build a script like shutdown -r -t 120 -m "hostname" to restart the system remotely. -r = restart. -t = time in seconds. -m = Target here you have to enter IP or hostname.
Select User Rights as category; Select Shut Down The System as setting; Specify the allowed users and local groups on separate lines (1) Figure 1: Overview of the configuration settings. On the Scope tags page, configure the required scope tags and click Next; On the Assignments page, configure the assignment for the specific devices and click Next
This reference topic for the IT professional provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in the Windows operating system. User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they ...