Grant, Revoke, Query user rights (privileges) using PowerShell

100% pure PowerShell solution to grant, revoke, and query user rights (privileges), such as "Log on as a service". Works on local or remote computers.


  • PowerShell Core (6.x)
    1 Posts | Last post July 12, 2019
    • Hi Tony,
      Awesome script!
      How much effort would it take to make this work in PowerShell Core (6.x)?
      Something easy you could do in a few minutes, or is it more involved?
      I'd be happy to help with some testing if you decide to make it happen. We are moving scripts to PowerShell Core and there doesn't seem to be any alternative to this for managing user rights.
  • Trouble Granting User Right
    2 Posts | Last post July 09, 2019
    • When I run Grant-UserRight -Account "User" -Right SeServiceLogonRight I get the following message.
      Exception calling "AddPrivilege" with "2" argument(s): "Some or all identity references could not be translated."
      At C:\UserRights.psm1:570 char:76
      + ... ocess($Acct, "Grant $Priv right")) { $lsa.AddPrivilege($Acct,$Priv) }
      +                                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : IdentityNotMappedException
      Any Idea why?
    • I was able to get it to work by using the SID for the user.
  • Return codes?
    1 Posts | Last post June 19, 2019
    • Hi - appreciate the script.  Thanks for the work.
      I'm granting a user a right - is there any way to know that it succeeded?  I use "Get-UserRightsGrantedToAccount" to query the user's rights and look for the right, but I was wondering if there was a better way to determine success/failure when I attempt the "Grant-UserRight".  I don't see any return codes being used, but I'm not really familiar with PS.
      Thanks for any info!
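The two threads above ("Some or all identity references could not be translated" on the grant, and "how do I know the grant worked?") have the same practical answer: resolve the account to a SID yourself before calling the module, and verify by reading the right back, because the module's Grant-UserRight returns nothing on success. The following is an added example, not code from UserRights.psm1 or its author. It assumes the module sits in the current directory, that Grant-UserRight takes -Account and -Right as shown in the posts, and that Get-UserRightsGrantedToAccount takes -Account and emits objects with a Right property (the same shape Get-AccountsWithUserRight shows above).

```powershell
# Added example: grant a user right with an explicit SID and confirm it took.
# Assumed: UserRights.psm1 in the current directory; parameter names as noted above.
Import-Module .\UserRights.psm1

function Grant-UserRightVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,   # COMPUTER\name, DOMAIN\name or an S-1-... SID
        [Parameter(Mandatory)][string]$Right      # e.g. SeServiceLogonRight
    )

    # LSA policy changes require an elevated session; fail early with a clear message
    # instead of the "Attempted to perform an unauthorized operation" constructor error.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Translate name -> SID ourselves. A bare "User" often fails to resolve
    # (IdentityNotMappedException); passing the SID string sidesteps the module's lookup.
    if ($Account -match '^S-1-') {
        $sid = $Account
    } else {
        try {
            $sid = ([Security.Principal.NTAccount]$Account).Translate(
                       [Security.Principal.SecurityIdentifier]).Value
        } catch {
            throw "Cannot resolve '$Account' ($($_.Exception.Message)). Use COMPUTER\name, DOMAIN\name or a SID."
        }
    }

    # -ErrorAction Stop turns any failure inside the module into a terminating error we can catch
    Grant-UserRight -Account $sid -Right $Right -ErrorAction Stop

    # The real success check: read the account's rights back and look for the one we granted
    $granted = @(Get-UserRightsGrantedToAccount -Account $sid | Select-Object -ExpandProperty Right)
    if ($granted -notcontains $Right) {
        throw "$Right is not present on $Account after the grant."
    }

    [pscustomobject]@{ Account = $Account; SID = $sid; Right = $Right; Granted = $true }
}

# Usage (local account on this machine):
# Grant-UserRightVerified -Account "$env:COMPUTERNAME\serviceaccount" -Right SeServiceLogonRight
```

Wrap the call in try/catch if you need a pass/fail in a larger script; with -ErrorAction Stop and the read-back check, a failed grant is a terminating error rather than a silent no-op.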
  • (group) managed service account
    1 Posts | Last post May 10, 2019
    • Hey Tony,
      First of all, nice work!
      Is there any idea to expand it to (group) managed service accounts?
  • Can't get this to take effect??
    1 Posts | Last post May 02, 2019
    • I'm wanting to use your script to change the account a service is running under.  I'm testing with the Spooler service on my Win 10 1903 (Insider) machine.
      I've made a new local user called 'serviceaccount' and am running the following command:
      Grant-UserRight -account "serviceaccount" -right SeServiceLogonRight
      I then confirm that it's taken:
      PS C:\users\tim.wiser\Downloads> get-accountswithuserright -Right SeServiceLogonRight
      Account                                           Right SID
      -------                                           ----- ---
      NT VIRTUAL MACHINE\Virtual Machines SeServiceLogonRight S-1-5-83-0
      NT SERVICE\autotimesvc              SeServiceLogonRight S-1-5-80-3169285310-278349998-1452333686-3865143136-42122...
      NT SERVICE\ALL SERVICES             SeServiceLogonRight S-1-5-80-0
      AIRITWSTW2\serviceaccount           SeServiceLogonRight S-1-5-21-1987512009-2578398568-1119844257-1005
      ...which it has!
      So I then go to try and start the service up:
      C:\WINDOWS\system32>net start spooler
      System error 1297 has occurred.
      A privilege that the service requires to function properly does not exist in the service account configuration.
      You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.
      Any idea?  Am I using the wrong right, perhaps?
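System error 1297 (ERROR_INCOMPATIBLE_SERVICE_PRIVILEGE) is raised by the Service Control Manager when the service's own RequiredPrivileges list contains a privilege the logon account does not hold; SeServiceLogonRight only permits the logon itself. The SCM reads that list from the REG_MULTI_SZ value RequiredPrivileges under the service's key (sc.exe qprivs <service> shows the same data). The following added example, not part of UserRights.psm1, compares that list against what the module reports for the account. It assumes the module is imported, that Get-UserRightsGrantedToAccount takes -Account and returns objects with a Right property, and that the account name is given as COMPUTER\name.

```powershell
# Added example: which of a service's required privileges does an account lack?
# Assumed: UserRights.psm1 already imported; Get-UserRightsGrantedToAccount -Account <name>
# returns objects with a Right property.
function Compare-ServiceRequiredPrivileges {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. Spooler
        [Parameter(Mandatory)][string]$Account        # e.g. "$env:COMPUTERNAME\serviceaccount"
    )

    # RequiredPrivileges is what the SCM checks at service start (error 1297 on a miss)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "Service '$ServiceName' not found." }
    $required = (Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue).RequiredPrivileges
    if (-not $required) { $required = @() }   # no declared list: the SCM enforces nothing here

    # Rights assigned directly to the account. Rights the account only inherits through a
    # group (Everyone, Users, Administrators, ...) do not appear in a per-account query,
    # so HeldDirectly = $false means "check group membership too", not "definitely missing".
    $held = @(Get-UserRightsGrantedToAccount -Account $Account | Select-Object -ExpandProperty Right)

    foreach ($priv in $required) {
        [pscustomobject]@{
            Service      = $ServiceName
            Privilege    = $priv
            HeldDirectly = ($held -contains $priv)
        }
    }
}

# Usage: list Spooler's required privileges the account does not hold directly
# Compare-ServiceRequiredPrivileges -ServiceName Spooler -Account "$env:COMPUTERNAME\serviceaccount" |
#     Where-Object { -not $_.HeldDirectly }
```

Each privilege the report flags can then be granted with Grant-UserRight -Account <account> -Right <privilege>, after which the account needs a fresh logon (restart the service) for the new token to carry it. Bear in mind that some of the privileges system services declare (SeTcbPrivilege, SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege) are effectively equivalent to SYSTEM, so a service that requires them gains little from running under a separate account.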
  • Anyone with this error?
    2 Posts | Last post April 24, 2019
    • When running Get-AccountsWithUserRight SeServiceLogonRight
      New-Object : Exception calling ".ctor" with "1" argument(s): "Attempted to perform an unauthorized operation."
      At D:\Scripts\UserRights.psm1:821 char:16
      +         $lsa = New-Object PS_LSA.LsaWrapper($Computer)
      +                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
          + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
      You cannot call a method on a null-valued expression.
      At D:\Scripts\UserRights.psm1:823 char:13
      +             $sids = $lsa.EnumerateAccountsWithUserRight($Priv, $false ...
      +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
          + FullyQualifiedErrorId : InvokeMethodOnNull
    • Yes, getting that same error. I'm trying to view accounts with the SeBatchLogonRight and it throws this error. Same when I try and add a user with this right. This is from Server 2012 R2.
  • Awesome, simply awesome !
    1 Posts | Last post March 15, 2019
    • This has fixed a nasty little issue with temporary admin JEA virtual accounts not being cleaned up once the session is finished.
      Thanks !
  • Provide Manifest File for PSRepository Usage?
    2 Posts | Last post March 06, 2019
    • Would it be possible to provide a completed .psd1 manifest file to use this module with a PSRepository via PSGet?
    • I second this request!
  • Compiling List with Get-AccountsWithUserRight
    1 Posts | Last post February 12, 2019
    • Hello Tony,
      I am currently using the UserRights.psm1 powershell module to try and compile a list of accounts that have the following rights:
      Act as part of the OS – SeTcbPrivilege
      Back up files and directories – SeBackupPrivilege
      Restore files and directories – SeRestorePrivilege
      Create a token object – SeCreateTokenPrivilege
      Debug programs – SeDebugPrivilege
      Impersonate a client – SeImpersonatePrivilege
      Manage auditing – SeAuditPrivilege
      Replace a process level token – SeAssignPrimaryTokenPrivilege
      Take ownership – SeTakeOwnershipPrivilege
      I have tried using this powershell script to compile the results but I'm unable to get an output using "Get-AccountsWithUserRight -Right InsertPrivilegeNameHere." If you could give me some insight on how to accomplish this task I would be very grateful.  
      Thanks Again,
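One way to build the inventory the post above asks for, as an added example that is not part of UserRights.psm1: loop over the nine privileges, query each with Get-AccountsWithUserRight, and emit one row per account so the result can be reviewed or exported. It assumes the module is in the current directory and queries the local machine only. Note that on a default install several of these rights (SeTcbPrivilege, SeCreateTokenPrivilege) are assigned to nobody, so an empty result for them is expected rather than a failure; the example writes an explicit "(none)" row so that is visible.

```powershell
# Added example: inventory of accounts holding a set of sensitive privileges.
# Assumed: UserRights.psm1 in the current directory; Get-AccountsWithUserRight -Right <name>
# returns objects with Account and SID properties (as in the output shown on this page).
Import-Module .\UserRights.psm1

# The nine privileges from the post above; any of them can be used to escalate to SYSTEM
$SensitivePrivileges = @(
    'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeCreateTokenPrivilege', 'SeDebugPrivilege', 'SeImpersonatePrivilege',
    'SeAuditPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTakeOwnershipPrivilege'
)

function Get-SensitivePrivilegeReport {
    [CmdletBinding()]
    param([string[]]$Privilege = $SensitivePrivileges)

    foreach ($priv in $Privilege) {
        try {
            # -ErrorAction Stop so a failed LSA query (e.g. not elevated) is reported, not swallowed
            $rows = @(Get-AccountsWithUserRight -Right $priv -ErrorAction Stop)
        } catch {
            Write-Warning "Query for $priv failed: $($_.Exception.Message)"
            continue
        }

        if ($rows.Count -eq 0) {
            # Explicit row: "nobody holds this" is a finding, not missing output
            [pscustomobject]@{ Right = $priv; Account = '(none)'; SID = $null }
            continue
        }

        foreach ($row in $rows) {
            [pscustomobject]@{ Right = $priv; Account = $row.Account; SID = $row.SID }
        }
    }
}

# Usage: on-screen table, or a CSV to diff against a known-good baseline
# Get-SensitivePrivilegeReport | Format-Table -AutoSize
# Get-SensitivePrivilegeReport | Export-Csv .\sensitive-privileges.csv -NoTypeInformation
```

Run it from an elevated session; the LSA policy handle the module opens fails with "Attempted to perform an unauthorized operation" otherwise. Keeping the CSV from a clean build and diffing later runs against it turns this into a simple drift check for privilege assignments.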
  • IIS AppPool Identity SIDs
    1 Posts | Last post November 27, 2018
    • Thanks for the great module!  I love it! Get-AccountsWithUserRight lets me see who was put there manually!  I have just one complaint: I have a server with unresolved IIS AppPool identity SIDs in it.  I've found on the web a script that translates the AppPool name (e.g. DefaultAppPool) to a SID, but not SID-to-name yet.  I'm working on it.  But it would be a nice addition if your function resolved this.
      Code snip:
      # Virtual-account SID for an IIS application pool: S-1-5-82 followed by the five
      # DWORDs of the SHA-1 of the lower-cased pool name encoded as UTF-16LE
      $username = "DefaultAppPool"
      $sidPrefix = 'S-1-5-82'
      $userToString = $username.ToLower()
      $userBytes = [Text.Encoding]::Unicode.GetBytes($userToString)
      $sha = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
      $hash = $sha.ComputeHash($userBytes)
      $sid = $sidPrefix
      for ( $i=0; $i -lt 5; $i++ ) {
          $sid += '-' + [BitConverter]::ToUInt32($hash, $i*4)
      }   # the loop must close before returning, otherwise only the first sub-authority is emitted
      return $sid
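Because the S-1-5-82 SID is a one-way hash of the pool name, SID-to-name resolution has to work by pre-computing the SID of every candidate name and looking the unresolved SID up in that table. The following added example (not part of UserRights.psm1 and not the poster's script) does that for the output of Get-AccountsWithUserRight. The candidate names are a constructed list here; on an IIS host you would feed it the real pool names, e.g. (Get-ChildItem IIS:\AppPools).Name from the WebAdministration module. It assumes the module is imported and that its output carries the SID property shown on this page.

```powershell
# Added example: resolve S-1-5-82 (IIS APPPOOL) SIDs back to pool names by lookup table.
# Assumed: UserRights.psm1 imported; Get-AccountsWithUserRight output has a SID property.

function Get-AppPoolSid {
    # Same construction as the snippet above: S-1-5-82 + five DWORDs of SHA-1(UTF-16LE(lowercase name))
    param([Parameter(Mandatory)][string]$Name)
    $bytes = [Text.Encoding]::Unicode.GetBytes($Name.ToLowerInvariant())
    $sha1  = [Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash($bytes) }
    finally { $sha1.Dispose() }
    $subAuthorities = foreach ($i in 0..4) { [BitConverter]::ToUInt32($hash, $i * 4) }
    'S-1-5-82-' + ($subAuthorities -join '-')
}

function Resolve-AppPoolSid {
    param(
        [Parameter(Mandatory)][string[]]$Sid,            # SIDs to resolve
        [Parameter(Mandatory)][string[]]$CandidateName   # pool names to try
    )
    # Build the reverse table once; a hash lookup per SID afterwards
    $table = @{}
    foreach ($name in $CandidateName) { $table[(Get-AppPoolSid -Name $name)] = "IIS APPPOOL\$name" }

    foreach ($s in $Sid) {
        $account = '(unresolved)'
        if ($table.ContainsKey($s)) { $account = $table[$s] }
        [pscustomobject]@{ SID = $s; Account = $account }
    }
}

# Constructed candidate list; replace with the real pool names on the server
$poolNames = @('DefaultAppPool', 'IntranetPool', 'ApiPool')

# Usage: take the S-1-5-82 entries the module could not name and try to resolve them
# $unresolved = Get-AccountsWithUserRight -Right SeServiceLogonRight |
#     Where-Object { $_.SID -like 'S-1-5-82-*' } | Select-Object -ExpandProperty SID
# Resolve-AppPoolSid -Sid $unresolved -CandidateName $poolNames
```

A SID that stays "(unresolved)" after the real pool list has been supplied usually belongs to a pool that was deleted while its right assignment was left behind, which is exactly the stale entry worth revoking.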