Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts.

Posted by : blakedrumm on Jan 5, 2022

powershell edit user rights assignment

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant the Logon as a Service right to a user. I modified the script so you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.


All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station
Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters; this also lets you change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:
.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:
.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:
.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Rights “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:
.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight,SeBatchLogonRight -ComputerName $env:COMPUTERNAME,SQL.contoso.com -UserName CONTOSO\User1,CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:
.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:
.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:
.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Rights “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:
.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight,SeBatchLogonRight -ComputerName $env:COMPUTERNAME,SQL.contoso.com -UserName CONTOSO\User1,CONTOSO\User2

Check User Rights

In order to check the local User Rights, you will need to run the script above (Get-UserRights); you may copy and paste it into your Powershell ISE and press play.


Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters; this also lets you change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:
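The checks above depend on the author's Get-UserRights script. As an added example that is not part of the original post, the following does the same kind of audit with nothing but secedit.exe: it exports the local security policy, turns the [Privilege Rights] section into objects with resolved account names, and compares two high-impact rights against a constructed baseline. It needs an elevated session; the baseline accounts are placeholders.

```powershell
# Added example, not part of the original post: export the local security policy
# with secedit.exe and turn its [Privilege Rights] section into objects, then
# compare two high-impact rights against a constructed baseline.
function Get-UserRightsAssignment {
    [CmdletBinding()]
    param(
        # Constant names to report on, e.g. SeDebugPrivilege; omit for all rights
        [string[]]$UserRight
    )
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # /areas USER_RIGHTS limits the export to the User Rights Assignment section
        $null = & secedit.exe /export /cfg $cfg /areas USER_RIGHTS
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                if ($UserRight -and $right -notin $UserRight) { continue }
                # secedit writes SIDs with a leading '*'; names it could not resolve stay as text
                foreach ($entry in ($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                    $sid = $null; $name = $entry
                    if ($entry -match '^\*?(S-1-[\d-]+)$') {
                        $sid = $Matches[1]
                        try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $name = $sid }   # orphaned SID: keep it visible rather than dropping it
                    }
                    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; UserRight = $right; Account = $name; Sid = $sid }
                }
            }
        }
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

function Compare-UserRightsBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline   # constant name -> expected account names
    )
    $current = Get-UserRightsAssignment -UserRight ([string[]]$Baseline.Keys)
    foreach ($right in $Baseline.Keys) {
        $holders = @($current | Where-Object UserRight -eq $right | ForEach-Object Account)
        foreach ($h in $holders | Where-Object { $_ -notin $Baseline[$right] }) {
            [pscustomobject]@{ UserRight = $right; Account = $h; Finding = 'Unexpected holder' }
        }
        foreach ($e in $Baseline[$right] | Where-Object { $_ -notin $holders }) {
            [pscustomobject]@{ UserRight = $right; Account = $e; Finding = 'Expected holder missing' }
        }
    }
}

# Constructed baseline: only the local Administrators group should hold SeDebugPrivilege,
# and nothing should hold SeTcbPrivilege ("Act as part of the operating system").
$baseline = @{
    SeDebugPrivilege = @('BUILTIN\Administrators')
    SeTcbPrivilege   = @()
}
Compare-UserRightsBaseline -Baseline $baseline | Format-Table -AutoSize
```

Run Get-UserRightsAssignment on its own to see the whole policy; the output objects carry the constant names from the table above, so they pipe straight into Where-Object, Export-Csv or a comparison against a known-good export from another machine.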


I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.

  • operationsManager
  • troubleshooting
  • certificates
  • containerapps


Managing User Rights Assignments in Powershell

Windows User Rights, also known as Windows Privileges, are traditionally managed via GPO or in the simplest of cases via the server’s Local Security Policy. These assignments control special permissions that are often needed by IIS applications or other application hosting on Windows Servers.

So how can we manage these assignments in Powershell? There’s no obvious solution built into Powershell, but several options are available. None of them is a pure Powershell solution, but some are close.

  • Wrap the ntrights.exe process in Powershell. This is relatively simple, but the downside is an external dependency on the ntrights.exe file.
  • Embed a wrapper class for the LSA API in your script. This is a pretty good solution but certainly bloats your script.
  • Load and reference the Carbon DLL. (If you haven’t already checked out this Powershell library, you should; it is very powerful and regularly updated.) I chose this approach because it keeps the script clean and compact, and it returns an array of strings for easy interrogation. It does require a dependency on carbon.dll, but this library provides a ton of functionality beyond just this.

I like the 3rd option; it’s very clean, and I like working with the Carbon library.

Now let’s take this script to the next level and wrap it into a DSC Script implementation. We can use this same logic in a DSC configuration to make sure our desired User Rights Assignments are kept in place.

What else can we do? We could also create a Custom DSC Resource to have a cleaner DSC Configuration.
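The DSC Script resource described above, written out as an added example rather than the author's code. It assumes the Carbon module is installed on the target node and calls its Get-Privilege and Grant-Privilege functions (parameter names -Identity and -Privilege as documented by Carbon); the node name, right and accounts are placeholders.

```powershell
# Added example, not the author's code: a DSC Script resource that keeps a user
# right assigned to every account in a list, using the Carbon module on the node.
Configuration UserRightsBaseline {
    param(
        [string[]]$NodeName = 'localhost',
        [string]$Right      = 'SeServiceLogonRight',
        [string[]]$Accounts = @('CONTOSO\svc_app1', 'CONTOSO\svc_app2')   # placeholders
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        Script "UserRight_$Right" {
            # Report which of the listed accounts currently hold the right
            GetScript = {
                Import-Module Carbon
                $holders = foreach ($a in $using:Accounts) {
                    if ((Get-Privilege -Identity $a) -contains $using:Right) { $a }
                }
                @{ Result = ($holders -join ', ') }
            }
            # Compliant only when every listed account holds the right
            TestScript = {
                Import-Module Carbon
                foreach ($a in $using:Accounts) {
                    if ((Get-Privilege -Identity $a) -notcontains $using:Right) { return $false }
                }
                return $true
            }
            # Grant only what is missing so the resource stays idempotent
            SetScript = {
                Import-Module Carbon
                foreach ($a in $using:Accounts) {
                    if ((Get-Privilege -Identity $a) -notcontains $using:Right) {
                        Grant-Privilege -Identity $a -Privilege $using:Right
                    }
                }
            }
        }
    }
}

# Compile the MOF, then apply it; the LCM re-runs TestScript/SetScript on its schedule.
UserRightsBaseline -OutputPath 'C:\DSC\UserRightsBaseline'
Start-DscConfiguration -Path 'C:\DSC\UserRightsBaseline' -Wait -Verbose
```

Because TestScript reads the live assignment rather than a cached state, an account that loses the right through a later manual change or a conflicting GPO is re-granted on the next consistency check, which is the "kept in place" behaviour the paragraph asks for.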


MorganTechSpace

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:

In this article, I am going to explain how to set or configure the Allow log on locally user right/permission/privilege using the Local Security Policy, Powershell, C# and a command line tool.

  • Configure Allow log on locally user rights via Local Security Policy GUI
  • Grant Allow log on locally user rights via Powershell
  • Set Allow log on locally user rights via Command Line
  • Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing the ‘Windows’ + ‘R’ keys.

2. Type the command secpol.msc in the text box and click OK.


3. The Local Security Policy window will now open. In that window navigate to the node User Rights Assignment (Security Settings -> Local Policies -> User Rights Assignment). In the right pane, search for and select the policy Allow log on locally.


4. Double-click the policy Allow log on locally. In the window that opens, click the button Add User or Group, select the user account you want to grant the Allow log on locally right to, click OK, and click Apply to finish.


Set or Grant Allow log on locally user rights via Powershell

We can set the Allow log on locally user right using Powershell by importing a third party DLL (Carbon). Before you run the script below you need to download the latest Carbon files from here: Download Carbon DLL.

Steps to follow to set Allow log on locally user rights via Powershell:

  1. Download the latest Carbon files from here: Download Carbon DLL.
  2. Once you have downloaded the files, extract the zip file; you will find the Carbon DLL inside the bin folder (in my case: C:\Users\Administrator\Downloads\Carbon\bin\Carbon.dll).
  3. Copy the Powershell script commands below and paste them into Notepad or a text file.
  4. Replace the Carbon DLL path in the script in the variable $CarbonDllPath.
  5. You can also replace the user identity that you are going to grant the log on locally user right to in the variable $Identity.
  6. Open a Powershell window with admin privileges (Run as Administrator).
  7. Copy the edited Powershell script and run it in Powershell to configure the Allow log on locally user right.

Powershell output :


Other web site links for Carbon DLL:

  • https://bitbucket.org/splatteredbits/carbon/downloads
  • http://pshdo.com/
  • http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allow Log on locally right/permission to user using C#

You can use the function GrantLogonLocallyRights below to grant the log on locally right to a user from C# code. This function uses the class LsaWrapper.

LsaWrapper class file


Managing Privileges using PoshPrivilege

A recent project of mine has been to write a module to manage privileges on a local system. What I came up with is a module called PoshPrivilege that allows you not only to look at what user rights are available on a local or remote system, but also to Add, Remove, Enable and Disable the privileges.

If you are running PowerShell V5, you can download this module from the PowerShell Gallery:

Otherwise, check out my GitHub page where I am maintaining this project:

https://github.com/proxb/PoshPrivilege

I won’t spend time talking about how I wrote this module and my reasons behind it. What I will say is that instead of writing out C# code and then using Add-Type to compile it, I went with the Reflection approach of building out everything from the pinvoke signatures for methods to the Structs and even the Enums.

Let’s get started by looking at what is available in this module. The first function that is available is Get-Privilege and it comes with a few parameters. This function’s purpose is to let you view what privileges are currently available on the system (local or remote) as well as what is currently applied to your current process token.


A quick run through of using this function with various parameters:


If this one looks familiar, it is likely that you have used the following command:


I opted for boolean values instead to determine the state for easier filtering if needed.

Up next are the Enable/Disable-Privilege functions. These work to Enable or Disable the privileges that are currently available on your local system to your process token. This means that if something like SeDebugPrivilege isn’t available on your system (such as being removed via Group Policy), then you cannot use Enable-Privilege to add your process token to this privilege. As in the previous image where we can see what is enabled and disabled, these are the only privileges that are available for me to work with.

To show this point, I am going to enable both SeSecurityPrivilege and SeDebugPrivilege so you can see that while the first privilege will show as Enabled, the other will not appear as it has not been made available.


As you can see from the picture, SeSecurityPrivilege has been enabled as expected, but SeDebugPrivilege is nowhere to be found. If we want SeDebugPrivilege, we will need to go about this another way which will be shown shortly.

Disabling a privilege can be done using Disable-Privilege as shown in the example below.


Now that I have covered enabling and disabling privileges and their limitations, I will move on to the Add/Remove-Privilege functions, which allow you to add a privilege for a user or group, or remove it, on a local system. Note that this only holds until it gets reverted if the privilege is set by group policy. The change will also not show up if you look at the privileges available on your current process token (you will need to log off and log back in to see it).

Remember that I do not have SeDebugPrivilege available to use? Well, now we can add it to my own account using Add-Privilege.


We can see it is now available, but as I mentioned before, it doesn’t show up in my current process. A logoff and login now shows that it is not only available, but already enabled.


With this now enabled, we could disable it as well if needed using Disable-Privilege. I added my own account for show, but we can add groups this way as well.

As with Adding a privilege, we can remove privileges as well using Remove-Privilege.


As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account.

Again, you can install this module using Install-Module if running PowerShell V5 and this project is out on GitHub to download (and contribute to as well). Enjoy!

4 responses to “Managing Privileges using PoshPrivilege”

I downloaded the scripts from Github, but getting compile errors.

Specifically the errors are around the WInOS Structures listed below:

Unable to find type [LUID]: make sure that the assembly containing this type is loaded.
Unable to find type [LSA_UNICODE_STRING]: make sure that the assembly containing this type is loaded.
Unable to find type [LARGE_INTEGER]: make sure that the assembly containing this type is loaded.
Unable to find type [LUID_AND_ATTRIBUTES]: make sure that the assembly containing this type is loaded.
Unable to find type [TokPriv1Luid]: make sure that the assembly containing this type is loaded.

Unable to find type [TOKEN_INFORMATION_CLASS]: make sure that the assembly containing this type is loaded.

Unable to find type [ProcessAccessFlags]: make sure that the assembly containing this type is loaded.

BTW, I have posted the full error log @ https://docs.google.com/document/d/18boeWSbvlLwpoIAMTJAp0ooNaLxe6kniYrJr_q3ZNMQ/edit?usp=sharing


Just a question, how can I grant the SESecurityPrivilege to the Set-Acl process ? If I do a whoami /priv I can see my useraccount (PS –> run as administrator) I can see the privilege is enabled, but when I try to run the script I have I get the following error :

Set-Acl : The process does not possess the ‘SeSecurityPrivilege’ privilege which is required for this operation. At C:\Scripts\SESOG\ImportACLSEv2.ps1:16 char:16 + $acl | Set-Acl $path + ~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (P:\Common:String) [Set-Acl], PrivilegeNotHeldException + FullyQualifiedErrorId : System.Security.AccessControl.PrivilegeNotHeldException,Microsoft.PowerShell.Commands.SetAclCommand

The script looks like this:

$par = Import-Csv -Path "c:\scripts\sesog\ImportMainCC.csv" -Delimiter ";"

foreach ($i in $par) {
    $path = $i.Path
    $IdentityReference = $i.IdentityReference
    $AccessControlType = $i.AccessControlType
    $InheritanceFlags = $i.InheritanceFlags
    $PropagationFlags = $i.PropagationFlags
    $FileSystemRights = $i.FileSystemRights
    echo $path $IdentityReference
    $acl = Get-Acl $path
    $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $path
}

In the import csv a path is set and exported rights from the original location (I am doing a fileserver migration), but on each of the folders mentioned the inheritance flag has been removed.


You are a lifesaver! I have been fretting over how to manage service account rights on remote servers – each OU has a corresponding AD security group and GPO, and doing this manually is both time-consuming and fraught with error. I can’t wait to try this out. First PoshWSUS, then this …you rock.


How to Set Logon User Rights with the Ntrights.exe in windows 10(64 bit) [duplicate]

I need to know whether ntrights.exe 64 bit version exists?

If not, which is the 64 bit equivalent of ntrights.exe?

Thanks in advance.

  • command-line


What is an equivalent for ntrights.exe on Windows 10?

Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

Read the blakedrumm page for detailed instructions, and download the script.

I just tested it successfully on Windows 2022 Standard.

  • 1 This looks really useful but all of the links are broken. – user2871239 Commented Jan 26, 2023 at 13:35


User Rights Assignment

Applies to: Windows 10

Provides an overview of, and links to information about, the user rights available in Windows under the User Rights Assignment security policy settings. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local device by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see Configure security policy settings .

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Constant Name Group Policy Setting
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeNetworkLogonRight Access this computer from the network
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeInteractiveLogonRight Allow log on locally
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeTimeZonePrivilege Change the time zone
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreateGlobalPrivilege Create global objects
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeDebugPrivilege Debug programs
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyServiceLogonRight Deny log on as a service
SeDenyInteractiveLogonRight Deny log on locally
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseWorkingSetPrivilege Increase a process working set
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeSecurityPrivilege Manage auditing and security log
SeRelabelPrivilege Modify an object label
SeSystemEnvironmentPrivilege Modify firmware environment values
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects
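The constant names in the table are what the Security log records when an assignment changes. As an added example that is not from the Microsoft page, the following reads those changes back: events 4704 (A user right was assigned) and 4705 (A user right was removed) carry the constant names in their PrivilegeList field. They are only written when the "Authorization Policy Change" audit subcategory is enabled; the computer name, time window and watch-list of rights are placeholders.

```powershell
# Added example, not from the Microsoft page: read user-right assignment changes
# (events 4704/4705) from the Security log and expose the constant names they carry.
function Get-UserRightChange {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4704, 4705; StartTime = $StartTime }
    # Get-WinEvent raises a non-terminating error when nothing matches; an empty result is fine here
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $targetSid = $data['TargetSid']
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            Action      = $(if ($_.Id -eq 4704) { 'Assigned' } else { 'Removed' })
            TargetSid   = $targetSid
            # The account that gained or lost the right is logged as a SID; resolve it when possible
            Target      = $(try { ([System.Security.Principal.SecurityIdentifier]$targetSid).Translate([System.Security.Principal.NTAccount]).Value } catch { $targetSid })
            # One or more constant names, whitespace separated in the event
            UserRights  = @($data['PrivilegeList'] -split '\s+' | Where-Object { $_ })
            ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Constructed watch-list: rights that grant broad control over the system.
$highImpact = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
              'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
              'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege'

Get-UserRightChange |
    Where-Object { @($_.UserRights | Where-Object { $_ -in $highImpact }).Count -gt 0 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Action, Target, UserRights, ChangedBy -AutoSize
```

The same objects can be pushed to a SIEM or compared against an approved-change list; the point of splitting PrivilegeList is that one event may record several rights, and a filter on the raw message text would miss a right that is not the first in the list.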

Related topics

  • Security policy settings reference


How to Add, Delete and Change Local Users and Groups with PowerShell


To help admins manage local users and groups with PowerShell more easily, Microsoft provides a cmdlet collection called Microsoft.PowerShell.LocalAccounts . Previously, you had to download and import it into PowerShell explicitly, and also install Windows Management Framework 5.1; in the Windows Server 2016 and Windows 10 operating systems, the cmdlet collection is included as a standard module.

There are 15 cmdlets in the LocalAccounts module. You can view the full list by running the following command:


  • Add-LocalGroupMember — Add a user to the local group
  • Disable-LocalUser — Disable a local user account
  • Enable-LocalUser — Enable a local user account
  • Get-LocalGroup — View local group preferences
  • Get-LocalGroupMember — View the list of all local group members
  • Get-LocalUser — View a local user account’s preferences
  • New-LocalGroup — Create a new local group
  • New-LocalUser — Create a new local user account
  • Remove-LocalGroup — Remove a local group
  • Remove-LocalGroupMember — Remove a member from a local group
  • Remove-LocalUser — Remove a local user account
  • Rename-LocalGroup — Rename a local group
  • Rename-LocalUser — Rename a local user account
  • Set-LocalGroup — Change the settings of a local group
  • Set-LocalUser — Change the account settings of a local user

Managing Local User Accounts with PowerShell

Let’s see how you can use these commands to perform common tasks related to managing local users on a Windows 10 computer.

Listing users and their properties with PowerShell

First, let’s get a list of all local user accounts on the machine. We’ll use the Get-LocalUser cmdlet:


As you can see, we have two local user accounts, and one of them is disabled (the one that has “False” in the “Enabled” column).

If you want to output all the properties and their values for a local user account, you need to use the Get-LocalUser cmdlet with the following parameters:


To get the value of a particular local user account attribute, type its name after the Select-Object parameter. In this example, we want to know the value of the PasswordLastSet attribute for the account with the username “administrator”:


Creating a local user with PowerShell

Let’s create a new user with the help of the New-LocalUser cmdlet. This cmdlet can create the following types of user accounts:

  • Windows local user accounts
  • Microsoft accounts
  • Azure Active Directory accounts

When creating a local user account, never type the password as plain text; always convert it to a secure string, using the -AsSecureString parameter of Read-Host or the ConvertTo-SecureString cmdlet. Here’s the command for creating a new local user account:

In a Windows 10 environment, users can authorize under their Microsoft accounts, so we can create a new local user account that binds to a Microsoft account’s credentials. Use the following script to do this (note that you don’t need to type in the password because it is stored in the Microsoft cloud):

In order to create a local account that binds to your Azure AD, use the following command:

Changing a local user’s password or password properties with PowerShell

To change the password of a local user account, we need to use the Set-LocalUser cmdlet. Let’s change the local admin password:

To set the Password never expires to a local user with PowerShell, we need to run the following script:

Deleting a local user account with PowerShell

To remove a local user account, you need to use the Remove-LocalUser cmdlet:

Managing Local Groups with PowerShell

Now let’s turn our attention from local users to local groups.

Reviewing local groups with PowerShell

First, let’s get a list of all groups on our Windows Server:


Adding a local group with PowerShell

Now let’s create a new group:

Adding users to a local group with PowerShell

To add a user (or a group) to a local group, we need to use the Add-LocalGroupMember cmdlet. For example, suppose we want to add users to the local Administrators group, but we don’t want to add them one by one. Let’s add a group to local Administrators, namely the “Netwrix Users” group:

If your computer or server is part of a domain, you can also add domain accounts and groups to local groups in order to give those users special local rights on the server. Add them using the format “DomainName\User” (for a user) or “DomainName\Domain Group” (for a group).

Viewing the membership of a particular group with PowerShell

Now let’s list all the members of a particular local group:


As you can see, the command shows all the local accounts and groups that are members of the group "Netwrix Users". Although only local accounts and groups are listed here, this command will also show any domain users and groups, as well as all Microsoft and Azure AD accounts.

Viewing all groups that a user is a member of using PowerShell

To list all the groups that a particular user is a member of, we’d run the following script:


Removing a local group with PowerShell

To remove a local user account from a group, you need to use the Remove-LocalGroupMember cmdlet:

Managing local users and groups remotely with PowerShell

If you want to manage local user accounts and groups remotely, you need to connect to the remote workstations via WinRM using the Invoke-Command and Enter-PSSession cmdlets. For example, if we want to output the membership of the local Administrators group remotely on multiple computers, we need to run the following script:
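The article's own script is not reproduced on this page. As an added example (not Netwrix's code), here is one way to collect local Administrators membership from several hosts over WinRM and flag members that are not on an expected baseline; the computer names and the baseline list are constructed for illustration.

```powershell
# Added example (not from the article): audit local Administrators membership on several
# computers over WinRM and flag members that are not on an expected baseline.
# Computer names and the baseline below are constructed placeholders.
$computers = 'SRV01', 'SRV02', 'WKS-FINANCE-07'
$expected  = @('Administrator', 'Domain Admins', 'LAPS-Admins')   # short names allowed in local Administrators

# Invoke-Command runs the script block on each host and tags every returned object with PSComputerName.
# Get-LocalGroupMember returns local, domain and Microsoft/Azure AD principals alike; an orphaned
# entry (deleted account) comes back with its raw SID as the Name.
$membership = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

# A member drifts from the baseline when its short name (after the last backslash) is not expected.
$drift = $membership | Where-Object {
    $short = ($_.Name -split '\\')[-1]
    $expected -notcontains $short
}

$membership | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize

if ($drift) {
    Write-Warning 'Unexpected local Administrators members found:'
    $drift | Format-Table PSComputerName, Name, PrincipalSource -AutoSize
}
```

Hosts that fail to respond are reported by Invoke-Command as errors rather than silently omitted, so an empty result for a host is itself worth investigating.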

As you can see, it is rather easy to manage local groups and users via PowerShell, but to ensure security, compliance and business continuity, it’s essential to audit all these changes. To learn about configuring native auditing, please refer to the Windows Server Auditing Quick Reference Guide .


Jordan's space

Computers, survival, and fun.

Change local user rights assignment from powershell

There are lots of “solutions” out there that just shell out to ntrights.exe or secedit or something else not powershell, and say “but powershell calls it so it counts!”  No it doesn’t.

There is no native .NET or COM interface to manage local user rights assignment. You have to use P/Invoke to call the API. It's a pain. But I swiped some code from Roel van Lisdonk ( http://www.roelvanlisdonk.nl/?p=1151 ) and got it working. Looks like he got the code from Willy Denoyette (see http://www.pinvoke.net/default.aspx/advapi32.lsalookupsids ), which I kept intact except for a minor error correction (it was missing a semicolon and wouldn't compile). See http://www.hightechtalks.com/csharp/lsa-functions-276626.html for what seems to be Willy's original source.

$LsaWrapper = @'
using System;
using System.Collections.Generic;
using System.Text;

namespace LsaSecurity
{
    /*
     * LsaWrapper class credit: Willy Denoyette [MVP]
     * http://www.hightechtalks.com/csharp/lsa-functions-276626.html
     *
     * Added support for:
     *   LsaLookupSids
     * for the purposes of providing a working example.
     */
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Management;
    using System.Runtime.CompilerServices;
    using System.ComponentModel;
    using LSA_HANDLE = IntPtr;

    public class Program
    {
        public static void Main()
        {
            using (LsaWrapper lsaSec = new LsaWrapper())
            {
                string[] accounts = lsaSec.GetUsersWithPrivilege("SeNetworkLogonRight");
            }
        }
    }

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        internal int Length;
        internal IntPtr RootDirectory;
        internal IntPtr ObjectName;
        internal int Attributes;
        internal IntPtr SecurityDescriptor;
        internal IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct LSA_UNICODE_STRING
    {
        internal ushort Length;
        internal ushort MaximumLength;
        [MarshalAs(UnmanagedType.LPWStr)]
        internal string Buffer;
    }

    sealed class Win32Sec
    {
        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaOpenPolicy(
            LSA_UNICODE_STRING[] SystemName,
            ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
            int AccessMask,
            out IntPtr PolicyHandle
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaAddAccountRights(
            LSA_HANDLE PolicyHandle,
            IntPtr pSID,
            LSA_UNICODE_STRING[] UserRights,
            int CountOfRights
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaRemoveAccountRights(
            LSA_HANDLE PolicyHandle,
            IntPtr pSID,
            bool allRights,
            LSA_UNICODE_STRING[] UserRights,
            int CountOfRights
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaEnumerateAccountsWithUserRight(
            LSA_HANDLE PolicyHandle,
            LSA_UNICODE_STRING[] UserRights,
            out IntPtr EnumerationBuffer,
            out int CountReturned
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaLookupSids(
            LSA_HANDLE PolicyHandle,
            int count,
            IntPtr buffer,
            out LSA_HANDLE domainList,
            out LSA_HANDLE nameList
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern int LsaLookupNames2(
            LSA_HANDLE PolicyHandle,
            uint Flags,
            uint Count,
            LSA_UNICODE_STRING[] Names,
            ref IntPtr ReferencedDomains,
            ref IntPtr Sids
        );

        [DllImport("advapi32")]
        internal static extern int LsaNtStatusToWinError(int NTSTATUS);

        [DllImport("advapi32")]
        internal static extern int LsaClose(IntPtr PolicyHandle);

        [DllImport("advapi32")]
        internal static extern int LsaFreeMemory(IntPtr Buffer);
    }

    public sealed class LsaWrapper : IDisposable
    {
        private bool _writeToConsole = false;

        [StructLayout(LayoutKind.Sequential)]
        struct LSA_TRUST_INFORMATION
        {
            internal LSA_UNICODE_STRING Name;
            internal IntPtr Sid;
        }

        [StructLayout(LayoutKind.Sequential)]
        struct LSA_TRANSLATED_SID2
        {
            internal SidNameUse Use;
            internal IntPtr Sid;
            internal int DomainIndex;
            uint Flags;
        }

        //[StructLayout(LayoutKind.Sequential)]
        //struct LSA_REFERENCED_DOMAIN_LIST
        //{
        //    internal uint Entries;
        //    internal LSA_TRUST_INFORMATION Domains;
        //}
        // Commented by KaushalendraATgmail.com
        [StructLayout(LayoutKind.Sequential)]
        internal struct LSA_REFERENCED_DOMAIN_LIST
        {
            internal uint Entries;
            internal IntPtr Domains;
        }

        [StructLayout(LayoutKind.Sequential)]
        struct LSA_ENUMERATION_INFORMATION
        {
            internal LSA_HANDLE PSid;
        }

        [StructLayout(LayoutKind.Sequential)]
        struct LSA_SID
        {
            internal uint Sid;
        }

        [StructLayout(LayoutKind.Sequential)]
        struct LSA_TRANSLATED_NAME
        {
            internal SidNameUse Use;
            internal LSA_UNICODE_STRING Name;
            internal int DomainIndex;
        }

        enum SidNameUse : int
        {
            User = 1,
            Group = 2,
            Domain = 3,
            Alias = 4,
            KnownGroup = 5,
            DeletedAccount = 6,
            Invalid = 7,
            Unknown = 8,
            Computer = 9
        }

        enum Access : int
        {
            POLICY_READ = 0x20006,
            POLICY_ALL_ACCESS = 0x00F0FFF,
            POLICY_EXECUTE = 0X20801,
            POLICY_WRITE = 0X207F8
        }

        const uint STATUS_ACCESS_DENIED = 0xc0000022;
        const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a;
        const uint STATUS_NO_MEMORY = 0xc0000017;

        IntPtr lsaHandle;

        public LsaWrapper() : this(null) { }

        // local system if systemName is null
        public LsaWrapper(string systemName)
        {
            LSA_OBJECT_ATTRIBUTES lsaAttr;
            lsaAttr.RootDirectory = IntPtr.Zero;
            lsaAttr.ObjectName = IntPtr.Zero;
            lsaAttr.Attributes = 0;
            lsaAttr.SecurityDescriptor = IntPtr.Zero;
            lsaAttr.SecurityQualityOfService = IntPtr.Zero;
            lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
            lsaHandle = IntPtr.Zero;
            LSA_UNICODE_STRING[] system = null;
            if (systemName != null)
            {
                system = new LSA_UNICODE_STRING[1];
                system[0] = InitLsaString(systemName);
            }
            uint ret = Win32Sec.LsaOpenPolicy(system, ref lsaAttr, (int)Access.POLICY_ALL_ACCESS, out lsaHandle);
            if (ret == 0) return;
            if (ret == STATUS_ACCESS_DENIED)
            {
                throw new UnauthorizedAccessException();
            }
            if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY))
            {
                throw new OutOfMemoryException();
            }
            throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
        }

        public string[] GetUsersWithPrivilege(string privilege)
        {
            LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];
            privileges[0] = InitLsaString(privilege);
            IntPtr buffer;
            int count;
            uint ret = Win32Sec.LsaEnumerateAccountsWithUserRight(lsaHandle, privileges, out buffer, out count);
            if (ret != 0)
            {
                if (ret == STATUS_ACCESS_DENIED)
                {
                    throw new UnauthorizedAccessException();
                }
                if (ret == STATUS_INSUFFICIENT_RESOURCES || ret == STATUS_NO_MEMORY)
                {
                    throw new OutOfMemoryException();
                }
                throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
            }
            LSA_ENUMERATION_INFORMATION[] lsaInfo = new LSA_ENUMERATION_INFORMATION[count];
            for (int i = 0, elemOffs = (int)buffer; i < count; i++)
            {
                lsaInfo[i] = (LSA_ENUMERATION_INFORMATION)Marshal.PtrToStructure((IntPtr)elemOffs, typeof(LSA_ENUMERATION_INFORMATION));
                elemOffs += Marshal.SizeOf(typeof(LSA_ENUMERATION_INFORMATION));
            }
            LSA_HANDLE domains;
            LSA_HANDLE names;
            ret = Win32Sec.LsaLookupSids(lsaHandle, lsaInfo.Length, buffer, out domains, out names);
            if (ret != 0)
            {
                if (ret == STATUS_ACCESS_DENIED)
                {
                    throw new UnauthorizedAccessException();
                }
                if (ret == STATUS_INSUFFICIENT_RESOURCES || ret == STATUS_NO_MEMORY)
                {
                    throw new OutOfMemoryException();
                }
                throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
            }
            /*string[] retNames = new string[count];
            LSA_TRANSLATED_NAME[] lsaNames = new LSA_TRANSLATED_NAME[count];
            for (int i = 0, elemOffs = (int)names; i < count; i++)
            {
                lsaNames[i] = (LSA_TRANSLATED_NAME)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRANSLATED_NAME));
                elemOffs += Marshal.SizeOf(typeof(LSA_TRANSLATED_NAME));
                LSA_UNICODE_STRING name = lsaNames[i].Name;
                retNames[i] = name.Buffer.Substring(0, name.Length / 2);
            }*/
            // Following code also fetches Domains and associates domains and usernames
            string[] retNames = new string[count];
            List<int> currentDomain = new List<int>();
            int domainCount = 0;
            LSA_TRANSLATED_NAME[] lsaNames = new LSA_TRANSLATED_NAME[count];
            for (int i = 0, elemOffs = (int)names; i < count; i++)
            {
                lsaNames[i] = (LSA_TRANSLATED_NAME)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRANSLATED_NAME));
                elemOffs += Marshal.SizeOf(typeof(LSA_TRANSLATED_NAME));
                LSA_UNICODE_STRING name = lsaNames[i].Name;
                retNames[i] = name.Buffer.Substring(0, name.Length / 2);
                if (!currentDomain.Contains(lsaNames[i].DomainIndex))
                {
                    domainCount = domainCount + 1;
                    currentDomain.Add(lsaNames[i].DomainIndex);
                }
            }
            string[] domainPtrNames = new string[count];
            LSA_REFERENCED_DOMAIN_LIST[] lsaDomainNames = new LSA_REFERENCED_DOMAIN_LIST[count];
            for (int i = 0, elemOffs = (int)domains; i < count; i++)
            {
                lsaDomainNames[i] = (LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_REFERENCED_DOMAIN_LIST));
                elemOffs += Marshal.SizeOf(typeof(LSA_REFERENCED_DOMAIN_LIST));
            }
            LSA_TRUST_INFORMATION[] lsaDomainName = new LSA_TRUST_INFORMATION[count];
            string[] domainNames = new string[domainCount];
            for (int i = 0, elemOffs = (int)lsaDomainNames[i].Domains; i < domainCount; i++)
            {
                lsaDomainName[i] = (LSA_TRUST_INFORMATION)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRUST_INFORMATION));
                elemOffs += Marshal.SizeOf(typeof(LSA_TRUST_INFORMATION));
                LSA_UNICODE_STRING tempDomain = lsaDomainName[i].Name;
                //if(tempDomain.Buffer != null)
                //{
                domainNames[i] = tempDomain.Buffer.Substring(0, tempDomain.Length / 2);
                //}
            }
            string[] domainUserName = new string[count];
            for (int i = 0; i
            // [The text from here to the start of InitLsaString is missing from the original post:
            //  the rest of this loop and its return statement, and the AddPrivileges, RemovePrivileges
            //  and Dispose members that LsaWrapperCaller and IDisposable below rely on.]

        static LSA_UNICODE_STRING InitLsaString(string s)
        {
            if (s.Length > 0x7ffe) throw new ArgumentException("String too long");
            LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING();
            lus.Buffer = s;
            lus.Length = (ushort)(s.Length * sizeof(char));
            lus.MaximumLength = (ushort)(lus.Length + sizeof(char));
            // If unicode issues then do this instead of previous two lines
            //lus.Length = (ushort)(s.Length * 2); // Unicode char is 2 bytes
            //lus.MaximumLength = (ushort)(lus.Length + 2);
            return lus;
        }

        public bool WriteToConsole
        {
            set { this._writeToConsole = value; }
        }
    }

    public class LsaWrapperCaller
    {
        public static void AddPrivileges(string account, string privilege)
        {
            using (LsaWrapper lsaWrapper = new LsaWrapper())
            {
                lsaWrapper.AddPrivileges(account, privilege);
            }
        }

        public static void RemovePrivileges(string account, string privilege)
        {
            using (LsaWrapper lsaWrapper = new LsaWrapper())
            {
                lsaWrapper.RemovePrivileges(account, privilege);
            }
        }
    }
}
'@

Add-Type $LsaWrapper
$account = "computername\name" # Will default to local computer if you do not specify computername. Can also accept domain name there. Name is a user name or group name.
$right = "SeServiceLogonRight" # see http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671(v=vs.85).aspx for a list.
[LsaSecurity.LsaWrapperCaller]::RemovePrivileges($account,$right);
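As an added example (not the post's code, nor Willy Denoyette's), the read-only half of the same LSA API in a form that runs under 64-bit PowerShell: LsaEnumerateAccountsWithUserRight lists who holds a right, the returned SIDs are resolved with .NET's SecurityIdentifier instead of LsaLookupSids, and the result is compared against an allow-list so that drift in sensitive rights is reported. The Get-AccountsWithUserRight function, the UserRightsAudit namespace and the baseline table are all constructed here.

```powershell
# Added example: enumerate which accounts hold a user right via the LSA API and flag
# holders that are not on an expected baseline. Not the post's code; names are constructed.
$lsaSource = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace UserRightsAudit
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public int Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_ENUMERATION_INFORMATION { public IntPtr Sid; }

    internal static class Native
    {
        [DllImport("advapi32.dll")]
        public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                                                uint DesiredAccess, out IntPtr PolicyHandle);
        [DllImport("advapi32.dll")]
        public static extern uint LsaEnumerateAccountsWithUserRight(IntPtr PolicyHandle, ref LSA_UNICODE_STRING UserRight,
                                                                    out IntPtr Buffer, out int CountReturned);
        [DllImport("advapi32.dll")] public static extern int LsaFreeMemory(IntPtr Buffer);
        [DllImport("advapi32.dll")] public static extern int LsaClose(IntPtr PolicyHandle);
        [DllImport("advapi32.dll")] public static extern int LsaNtStatusToWinError(uint Status);
    }

    public static class Lsa
    {
        const uint POLICY_VIEW_LOCAL_INFORMATION = 0x1, POLICY_LOOKUP_NAMES = 0x800;
        const uint STATUS_NO_MORE_ENTRIES = 0x8000001A; // returned when no account holds the right

        // Returns the SIDs (S-1-5-...) of every account that holds userRight on the local machine.
        public static string[] GetSidsWithRight(string userRight)
        {
            var attr = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
            IntPtr policy;
            // Read-only access is enough to enumerate; POLICY_ALL_ACCESS is not needed for an audit.
            uint status = Native.LsaOpenPolicy(IntPtr.Zero, ref attr, POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, out policy);
            if (status != 0) throw new Win32Exception(Native.LsaNtStatusToWinError(status));

            var right = new LSA_UNICODE_STRING
            {
                Buffer = Marshal.StringToHGlobalUni(userRight),
                Length = (ushort)(userRight.Length * 2),            // byte count, not character count
                MaximumLength = (ushort)(userRight.Length * 2 + 2)
            };
            IntPtr buffer = IntPtr.Zero;
            var sids = new List<string>();
            try
            {
                int count;
                status = Native.LsaEnumerateAccountsWithUserRight(policy, ref right, out buffer, out count);
                if (status == STATUS_NO_MORE_ENTRIES) return sids.ToArray();
                if (status != 0) throw new Win32Exception(Native.LsaNtStatusToWinError(status));

                int entrySize = Marshal.SizeOf(typeof(LSA_ENUMERATION_INFORMATION));
                for (int i = 0; i < count; i++)
                {
                    // 64-bit safe pointer arithmetic: casting the buffer to int truncates on x64.
                    IntPtr entry = new IntPtr(buffer.ToInt64() + (long)i * entrySize);
                    var info = (LSA_ENUMERATION_INFORMATION)Marshal.PtrToStructure(entry, typeof(LSA_ENUMERATION_INFORMATION));
                    sids.Add(new SecurityIdentifier(info.Sid).Value);
                }
            }
            finally
            {
                if (buffer != IntPtr.Zero) Native.LsaFreeMemory(buffer);
                Marshal.FreeHGlobal(right.Buffer);
                Native.LsaClose(policy);
            }
            return sids.ToArray();
        }
    }
}
'@
Add-Type -TypeDefinition $lsaSource

function Get-AccountsWithUserRight {
    param([Parameter(Mandatory)][string]$Right)
    foreach ($sid in [UserRightsAudit.Lsa]::GetSidsWithRight($Right)) {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $name = $null
        try { $name = $id.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # unresolvable SID: a deleted account still holding the right, worth flagging on its own
        [pscustomobject]@{ Right = $Right; Sid = $sid; Account = $name }
    }
}

# Constructed baseline: the principals expected to hold each sensitive right on this host.
$baseline = @{
    'SeDebugPrivilege'    = @('BUILTIN\Administrators')
    'SeServiceLogonRight' = @('NT SERVICE\ALL SERVICES')
    'SeBatchLogonRight'   = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'BUILTIN\Performance Log Users')
}
foreach ($right in $baseline.Keys) {
    foreach ($holder in Get-AccountsWithUserRight -Right $right) {
        if (-not $holder.Account) { "$right : unresolvable SID $($holder.Sid) (orphaned entry)"; continue }
        if ($baseline[$right] -notcontains $holder.Account) { "$right : unexpected holder $($holder.Account)" }
    }
}
```

The script changes nothing on the machine; it only opens the policy handle for reading, so it is safe to run as a scheduled baseline check.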

4 thoughts on “ Change local user rights assignment from powershell ”


When I found your post I was really happy, because it was exactly what I was looking for!

I tried to use your code in one of my scripts, but I keep getting this error: ‘LsaSecurity.LsaWrapper’ does not implement interface member ‘System.IDisposable.Dispose()’

Unfortunately, my knowledge of C# is not nearly enough to know how to fix that. I can see the line it fails on, but I have no idea how to fix it. This is from a direct copy of your code above…

Hope you can help me out :)

Thanks, Arjan.


It looks like wordpress ate some of the code. It doesn’t work when I copy it out, and I can’t find my original files. It’s going to take me a while to clean it up again… I’m not so hot at C# either. The problem you’re seeing is that it doesn’t implement a dispose member. But there are others that will come up after that. I’ll work on cleaning it up (and thanks for letting me know), but in the meantime you might try this: https://stackoverflow.com/questions/26392151/enabling-a-local-user-right-assignment-in-powershell


Did you happen to rebuild this yet… I would love to get my hands on it…

I have a scaled down version. Only does logon as batch. But it should be easy enough to make it do any other right. Try this: https://jordanmillsv2.blob.core.windows.net/public/Add-UserToLoginAsBatch.ps1


User Rights Assignment for running a powershell.

I'm trying to write a powershell that a user would run but during the context of the powershell it runs a process as a different user (to allow the deletion of an spn as a non-admin user). In the below example $Credential is the credentials of the service account that has the rights to delete the spn in AD.

What's the minimum rights the $Credential account needs on the instance to accomplish this? I know "Allow Log on Locally" works but I'd rather use something a bit more restrictive like "Log on as a Batch" or "Log on as a Service".


This topic lists some of the errors that you might come across while or after setting up Secure Private Access.

  • Certificate errors
  • Database creation errors
  • StoreFront failures
  • Public gateway/callback gateway failures
  • Secure Private Access Server not reachable

Error message: Unable to get the certificates automatically from one or more gateway servers.

This error message appears when you try to add a public NetScaler Gateway address and there is an issue fetching the certificate. This issue can occur when setting up Secure Private Access or updating settings after the setup is complete.

Workaround: Update the gateway certificate the same way in which you would for Citrix Virtual Apps and Desktops.

Error message: Failed to create database

Resolution: For the Automatic case, the machine must have READ, WRITE, UPDATE permissions to create tables within the database on the SQL server.

Error message: Failed to create database: A database already exists.

This error message might appear in any of the following scenarios.

  • The Automatic configuration option is selected while configuring the databases. If the admin is creating a database, it must be an empty database; this error message appears if the database is non-empty.

    Resolution: You must create an empty database.

  • You uninstall Secure Private Access and retry the setup with the same site name. In this case, the database from the previous installation has not been deleted.

    Resolution: You must manually delete the database.

  • You set up the database manually (by selecting Manual Configuration on the Configuring Databases page) using the script, and then switch to the Automatic Configuration option but keep the same site name. In this case, a database with the same name was already created while running the script.

    Resolution: You must rename the site and then run the script again.

  • The machine does not have the READ, WRITE, UPDATE permissions to create tables within the database on the SQL server.

    Resolution: Enable appropriate permissions on the machine. For details, see Permissions required to set up databases.

Error message: Failed to create database: Connection failed

Resolution:

  • Check database network connectivity from your machine. Ensure that the SQL server port is open on the firewall.
  • If using a remote SQL server, check that the SQL server has a login created for the Secure Private Access machine identity, Domain\hostname$.
  • If using a remote SQL server, confirm that the machine identity has the correct role assigned (the system administrator role).
  • If using a local SQL server (not from the installer), check that the NT AUTHORITY\SYSTEM user has a login created.

Error message: Failed to create StoreFront entry for: <Store URL>

Update the StoreFront entries from the Settings tab if it is not visible. After you have set up Secure Private Access using the wizard, you can edit StoreFront entries from the Settings tab. Note down the StoreFront Store URL for which this error occurred.

  • Click Settings and then click the Integrations tab.
  • In StoreFront Store URL, add the StoreFront entry if it is not visible.

Error message: Failed to configure StoreFront entry for: <Store URL>

There might be a PowerShell execution policy restriction in place. Run the PowerShell command Get-ExecutionPolicy for details.

  • If it is restricted, you must bypass this and run the StoreFront configuration script manually.
  • In StoreFront Store URL, identify the StoreFront URL entry for which the error occurred.
  • Click the Download Script button next to this Store URL and run this PowerShell script with admin privileges on the machine on which the corresponding StoreFront installation is present. This script must be run on all the StoreFront machines.

Note: If you are retrying the installation after uninstalling, ensure that you don't have an entry with the name "Secure Private Access" in the StoreFront configuration (StoreFront > Store > Delivery Controller > Secure Private Access). If Secure Private Access is present, delete this entry. Manually download and run the script from the Settings > Integrations page.

Error message: StoreFront configuration is not local for: <Store URL>

After you have set up Secure Private Access using the wizard, you can edit gateway entries from the Settings tab. Note down the StoreFront Store URL for which this error occurred.

This issue occurs if StoreFront is not installed on the same machine as Secure Private Access. You must manually run the StoreFront configuration on the machine where you have installed StoreFront.

Note: To run the StoreFront PowerShell script, open the Windows x64 compatible PowerShell window with admin privileges and then run ConfigureStorefront.ps1. StoreFront script is not compatible with Windows PowerShell (x86).

Error message: "Get-STFStoreService : Exception of type 'Citrix.DeliveryServices.Framework.Feature.Exceptions.RegistryKeyNotFoundException' was thrown." while running the StoreFront script using PowerShell.

This error occurs when the StoreFront script is run in an x86 (32-bit) PowerShell window.

Resolution:

To run the StoreFront PowerShell script, open the Windows x64 compatible PowerShell window with admin privileges and then run ConfigureStorefront.ps1 .

Error message: Failed to create Gateway entry for: <Gateway URL> OR Failed to create Callback Gateway entry for: <Callback Gateway URL>

Note the Public Gateway or Callback Gateway URL for which the failure occurred. After you have set up Secure Private Access using the wizard, you can edit gateway entries from the Settings tab.

  • Update the public gateway address or the callback gateway address and the virtual IP address for which the failure occurred.

Error message: Failed to update IIS pool. Failed to restart IIS pool

Go to Application pools in Internet Information Services (IIS) and check that the following application pools have started and are running:

  • Secure Private Access Runtime Pool
  • Secure Private Access Admin Pool

Also check that the default IIS site "Default Web Site" is up and running.

  • Database connectivity check failures

Error Message: Connectivity check failed

The database connectivity check can fail for multiple reasons:

The database server is not reachable from the Secure Private Access plug-in host machine due to a firewall.

Resolution: Check if the database port (default port 1433) is open on the firewall.

The Secure Private Access plug-in host machine does not have the permission to connect to the database.

Resolution: See SQL database permissions for Secure Private Access .

  • Gateway connectivity check failed. Unable to fetch public certificate

Error Message: Post installation configuration fails with the error "Gateway connectivity check failed. Unable to fetch a public certificate...."

Resolution: Upload the gateway public certificate to the Secure Private Access database manually using the config tool.

  • Open the PowerShell or the command prompt window with admin privileges.
  • Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd "C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool").
  • Run the following command:

.\AdminConfigTool.exe /UPLOAD_PUBLIC_GATEWAY_CERTIFICATE <PublicGatewayUrl> <PublicGatewayCertificatePath>

  • Application enumeration failure

Application enumeration breaks if the StoreFront URL or the NetScaler Gateway URL contains a trailing slash (/).

Delete the trailing slash in the StoreFront store URL or the NetScaler Gateway URL. For details, see Update StoreFront or the NetScaler Gateway server details after the setup .

Miscellaneous

  • First-time setup cannot be completed

You might not be able to re-configure license server if Director configuration failed during the first-time setup.

Manually clean up the license_server table.

  • Create Secure Private Access diagnostics support bundle

Perform the following steps to create a Secure Private Access diagnostics support bundle:

  • Change the directory to the Admin\AdminConfigTool folder under the Secure Private Access installation folder (for example, cd "C:\Program Files\Citrix\Citrix Access Security\Admin\AdminConfigTool").
  • Run the following command:

.\AdminConfigTool.exe /SUPPORTBUNDLE <output folder>

  • SQL database permissions for Secure Private Access

For automatic database creation, the Secure Private Access plug-in host machine must have the permissions to connect to the database and create the database schema.

Remote database:

Perform the following steps to set up the permissions for a remote database.

Create an empty database with the name syntax CitrixAccessSecurity<Site Name>, where <Site Name> is the Secure Private Access site name (for example, CitrixAccessSecuritySPA).

CREATE DATABASE CitrixAccessSecurity<SiteName>

Create an SQL server login for the machine identity for the Secure Private Access virtual machine. For example, if your Secure Private Access broker machine name is HOST1 and the machine domain is DOMAIN1, then the machine identity is “DOMAIN1\HOST1$”. If the login is already created, then you can ignore this step.

USE CitrixAccessSecurity<SiteName>

CREATE LOGIN [DOMAIN1\HOST1$] FROM WINDOWS

Domain name can be found using the following query:

SELECT DEFAULT_DOMAIN()[DomainName]

Assign the db_owner role to the machine identity.

EXEC sys.sp_addrolemember [db_owner], 'DOMAIN1\HOST1$'

ALTER USER [DOMAIN1\HOST1$] WITH DEFAULT_SCHEMA = dbo;

Local database:

Perform the following steps to set up the permissions for a local database.

Create an empty database with the name syntax CitrixAccessSecurity<Site Name>, where <Site Name> is the Secure Private Access site name (for example, CitrixAccessSecuritySPA).

Create an SQL server login for the NT AUTHORITY\SYSTEM user. If the login is already created then you can ignore this step.

CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS

Assign the db_owner role to the “NT AUTHORITY\SYSTEM” user.

EXEC sys.sp_addrolemember [db_owner], 'NT AUTHORITY\SYSTEM'

ALTER USER [NT AUTHORITY\SYSTEM] WITH DEFAULT_SCHEMA = dbo;

When you manually create the database, the downloaded database script adds the permissions to the machine identity.

  • Change log level for troubleshooting logs

Troubleshooting logs are written at the Error log level by default.

To change the log level for the troubleshooting logs, in the runtime service appsettings.json (C:\Program Files\Citrix\Citrix Access Security\Runtime\RuntimeService) update restrictedToMinimumLevel for TroubleshootingSql to one of the following values:


User rights assignment in Group Policy Object using powershell?

Not able to grant user rights assignment in a group policy object using PowerShell. Is there any way or command to add a user?

Manual steps:

  • Open Group Policy Management
  • Navigate to the following path in the Group Policy Object
  • Select Policy
  • Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  • Add/remove the necessary users


Tried Set-GPPermission but it didn't work; it adds the user in delegation. Refer to the image below: Result after using Set-GPPermission.


  • set-gppermission? –  js2010 Commented Oct 7, 2022 at 12:50
  • @js2010 I also used Set-GPPermission, but it gives edit, modify, etc. rights, which are mentioned in the delegation tab of the policy. Added an image to the post for your reference –  Arpit Shivhare Commented Oct 7, 2022 at 13:03


  5. Remove GPU From VM & Assign Back To The Server

  6. Delete Local User Profile with PowerShell

COMMENTS

  1. Set and Check User Rights Assignment via Powershell

    Set and Check User Rights Assignment via Powershell

  2. How to assign user rights to a local user account through powershell?

    How to assign user rights to a local user account through ...

  3. Change User Rights Assignment Security Policy Settings in Windows 10

    Change User Rights Assignment Security Policy Settings in ...

  4. Managing User Rights in Powershell

    1. 0. Managing User Rights Assignments in Powershell. Windows User Rights, also known as Windows Privileges, are traditionally managed via GPO or in the simplest of cases via the server's Local Security Policy. These assignments control special permissions that are often needed by IIS applications or other application hosting on Windows Servers.

  5. User rights assignment in Group Policy Object using powershell

    Manual steps: Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Windows. Active Directory.

  6. Set Allow Log On Locally User Rights via Powershell, C# and CMD

    Set Allow Log On Locally User Rights via Powershell, C# ...

  7. Managing Privileges using PoshPrivilege

    As with Adding a privilege, we can remove privileges as well using Remove-Privilege. Remove-Privilege -Privilege SeDebugPrivilege -AccountName boe-pc\proxb. As with Add-Privilege, you will need to log off and log back in to see the change take effect on your account. Again, you can install this module using Install-Module if running ...

  8. How to Manage Local Users and Groups using PowerShell

    How to Manage Local Users and Groups using PowerShell

  9. command line

    Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts. ... Announcing a change to the data-dump process. Bringing clarity to status tag usage on meta sites. Linked. 26.

  10. User Rights Assignment

    User Rights Assignment - Windows 10

  11. How to Add, Delete and Change Local Users and Groups with PowerShell

    How to Add, Delete and Change Local Users and Groups ...

  12. Change local user rights assignment from powershell

    Change local user rights assignment from powershell. There are lots of "solutions" out there that just shell out to ntrights.exe or secedit or something else not powershell, and say "but powershell calls it so it counts!". No it doesn't. There is no native NET or COM interface to manage local user rights assignment.

  13. editing GPO user rights assignment in Powershell : r/PowerShell

    Hey everyone, Fairly new to powershell and would like to get some help regarding removing "Local Account" from the Group Policy object group called "Deny Log on through Remote Desktop Services" Located in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. I've found the cmdlet "Remove ...

  14. Using powershell, how do I grant "Log on as service" to an account?

    Using powershell, how do I grant "Log on as service" to an ...

  15. Local Security Policy User Rights Assignments : r/PowerShell

    Solved. I'm trying to find a clean way to grant some local security policy user rights assignments to some service accounts in Powershell. I found two things that look promising. cSecurityOptions - This looks like it does everything I need and it's part of the Powershell gallery but it is for DSC and I'm using a regular Powershell script.

  16. User Rights Assignment for running a powershell. : r/PowerShell

    User Rights Assignment for running a powershell. I'm trying to write a powershell that a user would run but during the context of the powershell it runs a process as a different user (to allow the deletion of an spn as a non-admin user).

  17. PowerShell To Set Folder Permissions

    PowerShell To Set Folder Permissions

  18. Sign in to your account

    Can't access your account? Terms of use Privacy & cookies... Privacy & cookies...

  19. Basic troubleshooting

    Assign the db_owner role to the machine identity. USE CitrixAccessSecurity<SiteName> EXEC sys.sp_addrolemember [db_owner], 'DOMAIN1\HOST1$' ALTER USER [DOMAIN1\HOST1$] WITH DEFAULT_SCHEMA = dbo; Local database: Perform the following steps to set up the permissions for a local database.

  20. User rights assignment in Group Policy Object using powershell?

    Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Click on image for details. Tried Set-GPPermission but didn't work it adds user in delegation ...