Windows 如何通过powershell向本地用户帐户分配用户权限?
我想修改与本地用户帐户关联的用户权限。我想将组和用户添加到特定的用户权限。这是通过打开组策略并打开控制台树中的以下文件夹来完成的:计算机配置\Windows设置\Security Settings\Local Policys\User Rights Assignment。然后单击所需的用户权限并将用户或组添加到其中Windows 如何通过powershell向本地用户帐户分配用户权限?,windows,powershell,Windows,Powershell,我想修改与本地用户帐户关联的用户权限。我想将组和用户添加到特定的用户权限。这是通过打开组策略并打开控制台树中的以下文件夹来完成的:计算机配置\Windows设置\Security Settings\Local Policys\User Rights Assignment。然后单击所需的用户权限并将用户或组添加到其中 是否可以通过powershell脚本执行相同的操作?我要做的是打开SecPol.msc,通过GUI将您的修改发送到基线计算机,并导出.inf模板,以便通过powershell进行安装
是否可以通过powershell脚本执行相同的操作?我要做的是打开SecPol.msc,通过GUI将您的修改发送到基线计算机,并导出.inf模板,以便通过powershell进行安装 该模板可以与secedit.exe一起安装。如果需要,可以在文本编辑器中打开inf文件并滚动,直到看到
[特权][Privilege Rights]
SeDenyServiceLogonRight = *S-1-1-0,*S-1-5-19, KNUCKLE-DRAGGER
secedit.exe /configure /cfg C:\customsettings.inf /db C:\WINDOWS\security\Database\customsettings.db /quiet
找到了第三方命令行解决方案。nts.exe
这里是一个纯powershell方法-
添加类型@'
使用制度;
使用System.Collections.Generic;
使用系统文本;
名称空间LSA
{
使用System.Runtime.InteropServices;
使用系统安全;
使用制度管理;
使用System.Runtime.CompilerServices;
使用系统组件模型;
使用LSA_HANDLE=IntPtr;
[StructLayout(LayoutKind.Sequential)]
结构LSA_对象_属性
{
内部整数长度;
内部IntPtr根目录;
内部IntPtr对象名;
内部int属性;
内部IntPtr安全描述符;
内部IntPtr安全性服务质量;
}
[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]
结构LSA\u UNICODE\u字符串
{
内孔长度;
内部ushort最大长度;
[Marshallas(UnmanagedType.LPWStr)]
内部字符串缓冲区;
}
密封类Win32Sec
{
[DllImport(“advapi32”,CharSet=CharSet.Unicode,SetLastError=true),
SuppressUnmanagedCodeSecurity属性]
内部静态外部单元LsaOpenPolicy(
LSA_UNICODE_字符串[]系统名,
参考LSA_对象_属性对象属性,
int访问掩码,
out IntPtr策略句柄
);
[DllImport(“advapi32”,CharSet=CharSet.Unicode,SetLastError=true),
SuppressUnmanagedCodeSecurity属性]
内部静态外部单元lsaaddaccountry(
LSA_HANDLE policy HANDLE,
IntPtr pSID,
LSA_UNICODE_字符串[]用户权限,
整数右数
);
[DllImport(“advapi32”,CharSet=CharSet.Unicode,SetLastError=true),
SuppressUnmanagedCodeSecurity属性]
内部静态外部内部LsaLookupNames2(
LSA_HANDLE policy HANDLE,
乌因特旗,
单位计数,
LSA_UNICODE_字符串[]名称,
ref IntPtr ReferencedDomains,
参考IntPtr Sids
);
[DllImport(“advapi32”)]
内部静态外部内部LsantStatusToInError(内部NTSTATUS);
[DllImport(“advapi32”)]
内部静态外部intlsaclose(IntPtr PolicyHandle);
[DllImport(“advapi32”)]
内部静态外部内部LsaFreeMemory(IntPtr缓冲区);
}
///
///此类用于授予“作为服务登录”、“作为批处理作业登录”、“本地登录”等权限。
///给用户。
///
公共密封等级LsaWrapper:IDisposable
{
[StructLayout(LayoutKind.Sequential)]
结构LSA\u信任\u信息
{
内部LSA_UNICODE_字符串名称;
内部IntPtr Sid;
}
[StructLayout(LayoutKind.Sequential)]
结构LSA\u转换\u SID2
{
内部使用;
内部IntPtr Sid;
内部int域索引;
国旗;
}
[StructLayout(LayoutKind.Sequential)]
结构LSA\u引用的\u域\u列表
{
内部uint条目;
内部LSA_信任_信息域;
}
枚举SidNameUse:int
{
用户=1,
组=2,
域=3,
别名=4,
KnownGroup=5,
DeletedAccount=6,
无效=7,
未知=8,
计算机=9
}
枚举访问:int
{
策略读取=0x200006,
策略所有访问权=0x00F0FFF,
策略_EXECUTE=0X20801,
策略写入=0X207F8
}
consuint STATUS\u ACCESS\u DENIED=0xc0000022;
施工状态资源不足=0xc000009a;
consuint STATUS\u NO\u MEMORY=0xc0000017;
IntPtr-lsaHandle;
公共拉锯机()
:此(空)
{ }
////如果systemName为null,则为本地系统
公共LsaWrapper(字符串systemName)
{
LSA_对象_属性lsaAttr;
lsaAttr.RootDirectory=IntPtr.Zero;
lsaAttr.ObjectName=IntPtr.Zero;
lsaAttr.Attributes=0;
lsaAttr.SecurityDescriptor=IntPtr.Zero;
lsaAttr.SecurityQualityOfService=IntPtr.Zero;
lsaAttr.Length=Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
lsaHandle=IntPtr.Zero;
LSA_UNICODE_字符串[]系统=null;
if(systemName!=null)
{
系统=新的LSA_UNICODE_字符串[1];
系统[0]=InitLsaString(系统名称);
}
uint ret=Win32Sec.LsaOpenPolicy(系统,参考lsaAttr,
(int)Access.POLICY_ALL_Access,out lsaHandle);
如果(ret==0)
返回;
如果(ret==状态\访问\拒绝)
{
抛出新的UnauthorizedAccessException();
}
if((ret==状态(资源不足)| |(ret==状态(内存不足)))
# Grant
.\NTWRONGS.exe -ID "Administrator" -Privilege "SeDenyServiceLogonRight"
# Revoke
.\NTWRONGS.exe -ID "Administrator" -Privilege "SeDenyServiceLogonRight" -Revoke
Add-Type @'
using System;
using System.Collections.Generic;
using System.Text;
namespace LSA
{
using System.Runtime.InteropServices;
using System.Security;
using System.Management;
using System.Runtime.CompilerServices;
using System.ComponentModel;
using LSA_HANDLE = IntPtr;
[StructLayout(LayoutKind.Sequential)]
struct LSA_OBJECT_ATTRIBUTES
{
internal int Length;
internal IntPtr RootDirectory;
internal IntPtr ObjectName;
internal int Attributes;
internal IntPtr SecurityDescriptor;
internal IntPtr SecurityQualityOfService;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct LSA_UNICODE_STRING
{
internal ushort Length;
internal ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)]
internal string Buffer;
}
sealed class Win32Sec
{
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
SuppressUnmanagedCodeSecurityAttribute]
internal static extern uint LsaOpenPolicy(
LSA_UNICODE_STRING[] SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
int AccessMask,
out IntPtr PolicyHandle
);
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
SuppressUnmanagedCodeSecurityAttribute]
internal static extern uint LsaAddAccountRights(
LSA_HANDLE PolicyHandle,
IntPtr pSID,
LSA_UNICODE_STRING[] UserRights,
int CountOfRights
);
[DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true),
SuppressUnmanagedCodeSecurityAttribute]
internal static extern int LsaLookupNames2(
LSA_HANDLE PolicyHandle,
uint Flags,
uint Count,
LSA_UNICODE_STRING[] Names,
ref IntPtr ReferencedDomains,
ref IntPtr Sids
);
[DllImport("advapi32")]
internal static extern int LsaNtStatusToWinError(int NTSTATUS);
[DllImport("advapi32")]
internal static extern int LsaClose(IntPtr PolicyHandle);
[DllImport("advapi32")]
internal static extern int LsaFreeMemory(IntPtr Buffer);
}
/// <summary>
/// This class is used to grant "Log on as a service", "Log on as a batchjob", "Log on localy" etc.
/// to a user.
/// </summary>
public sealed class LsaWrapper : IDisposable
{
[StructLayout(LayoutKind.Sequential)]
struct LSA_TRUST_INFORMATION
{
internal LSA_UNICODE_STRING Name;
internal IntPtr Sid;
}
[StructLayout(LayoutKind.Sequential)]
struct LSA_TRANSLATED_SID2
{
internal SidNameUse Use;
internal IntPtr Sid;
internal int DomainIndex;
uint Flags;
}
[StructLayout(LayoutKind.Sequential)]
struct LSA_REFERENCED_DOMAIN_LIST
{
internal uint Entries;
internal LSA_TRUST_INFORMATION Domains;
}
enum SidNameUse : int
{
User = 1,
Group = 2,
Domain = 3,
Alias = 4,
KnownGroup = 5,
DeletedAccount = 6,
Invalid = 7,
Unknown = 8,
Computer = 9
}
enum Access : int
{
POLICY_READ = 0x20006,
POLICY_ALL_ACCESS = 0x00F0FFF,
POLICY_EXECUTE = 0X20801,
POLICY_WRITE = 0X207F8
}
const uint STATUS_ACCESS_DENIED = 0xc0000022;
const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a;
const uint STATUS_NO_MEMORY = 0xc0000017;
IntPtr lsaHandle;
public LsaWrapper()
: this(null)
{ }
// // local system if systemName is null
public LsaWrapper(string systemName)
{
LSA_OBJECT_ATTRIBUTES lsaAttr;
lsaAttr.RootDirectory = IntPtr.Zero;
lsaAttr.ObjectName = IntPtr.Zero;
lsaAttr.Attributes = 0;
lsaAttr.SecurityDescriptor = IntPtr.Zero;
lsaAttr.SecurityQualityOfService = IntPtr.Zero;
lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
lsaHandle = IntPtr.Zero;
LSA_UNICODE_STRING[] system = null;
if (systemName != null)
{
system = new LSA_UNICODE_STRING[1];
system[0] = InitLsaString(systemName);
}
uint ret = Win32Sec.LsaOpenPolicy(system, ref lsaAttr,
(int)Access.POLICY_ALL_ACCESS, out lsaHandle);
if (ret == 0)
return;
if (ret == STATUS_ACCESS_DENIED)
{
throw new UnauthorizedAccessException();
}
if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY))
{
throw new OutOfMemoryException();
}
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
}
public void AddPrivileges(string account, string privilege)
{
IntPtr pSid = GetSIDInformation(account);
LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];
privileges[0] = InitLsaString(privilege);
uint ret = Win32Sec.LsaAddAccountRights(lsaHandle, pSid, privileges, 1);
if (ret == 0)
return;
if (ret == STATUS_ACCESS_DENIED)
{
throw new UnauthorizedAccessException();
}
if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY))
{
throw new OutOfMemoryException();
}
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
}
public void Dispose()
{
if (lsaHandle != IntPtr.Zero)
{
Win32Sec.LsaClose(lsaHandle);
lsaHandle = IntPtr.Zero;
}
GC.SuppressFinalize(this);
}
~LsaWrapper()
{
Dispose();
}
// helper functions
IntPtr GetSIDInformation(string account)
{
LSA_UNICODE_STRING[] names = new LSA_UNICODE_STRING[1];
LSA_TRANSLATED_SID2 lts;
IntPtr tsids = IntPtr.Zero;
IntPtr tdom = IntPtr.Zero;
names[0] = InitLsaString(account);
lts.Sid = IntPtr.Zero;
Console.WriteLine("String account: {0}", names[0].Length);
int ret = Win32Sec.LsaLookupNames2(lsaHandle, 0, 1, names, ref tdom, ref tsids);
if (ret != 0)
throw new Win32Exception(Win32Sec.LsaNtStatusToWinError(ret));
lts = (LSA_TRANSLATED_SID2)Marshal.PtrToStructure(tsids,
typeof(LSA_TRANSLATED_SID2));
Win32Sec.LsaFreeMemory(tsids);
Win32Sec.LsaFreeMemory(tdom);
return lts.Sid;
}
static LSA_UNICODE_STRING InitLsaString(string s)
{
// Unicode strings max. 32KB
if (s.Length > 0x7ffe)
throw new ArgumentException("String too long");
LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING();
lus.Buffer = s;
lus.Length = (ushort)(s.Length * sizeof(char));
lus.MaximumLength = (ushort)(lus.Length + sizeof(char));
return lus;
}
}
public class Editor
{
public static void AddPrivileges(string account, string privilege)
{
using (LsaWrapper lsaWrapper = new LsaWrapper())
{
lsaWrapper.AddPrivileges(account, privilege);
}
}
}
}
'@
[LSA.Editor]::AddPrivileges("KNUCKLE-DRAGGER", "SeBatchLogonRight")
secpol.msc