Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/evotecit/securitypolicy

Provides a way to configure user rights assignments in local security policies using PowerShell without using secedit.exe.

powershell secedit userrightsassignment



README

# SecurityPolicy - PowerShell Module

## Description

Provides a way to configure **user rights assignments** in local security policies using PowerShell without using `secedit.exe`.
This module is an alternative to [SecurityPolicyDSC](https://github.com/dsccommunity/SecurityPolicyDsc), which uses a wrapper around `secedit.exe`.
This module is based on the [LocalSecurityEditor](https://github.com/EvotecIT/LocalSecurityEditor) .NET library.

### Supported User Rights Assignment

| ConstantName | Group Policy Setting |
| ----------------------------------------- | ------------------------------------------------------------------ |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller |
| SeNetworkLogonRight | Access this computer from the network |
| SeTcbPrivilege | Act as part of the operating system |
| SeMachineAccountPrivilege | Add workstations to domain |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
| SeInteractiveLogonRight | Allow log on locally |
| SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services |
| SeBackupPrivilege | Back up files and directories |
| SeChangeNotifyPrivilege | Bypass traverse checking |
| SeSystemtimePrivilege | Change the system time |
| SeTimeZonePrivilege | Change the time zone |
| SeCreatePagefilePrivilege | Create a pagefile |
| SeCreateTokenPrivilege | Create a token object |
| SeCreateGlobalPrivilege | Create global objects |
| SeCreatePermanentPrivilege | Create permanent shared objects |
| SeCreateSymbolicLinkPrivilege | Create symbolic links |
| SeDebugPrivilege | Debug programs |
| SeDenyNetworkLogonRight | Deny access to this computer from the network |
| SeDenyBatchLogonRight | Deny log on as a batch job |
| SeDenyServiceLogonRight | Deny log on as a service |
| SeDenyInteractiveLogonRight | Deny log on locally |
| SeDenyRemoteInteractiveLogonRight | Deny log on through Remote Desktop Services |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system |
| SeAuditPrivilege | Generate security audits |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeIncreaseWorkingSetPrivilege | Increase a process working set |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
| SeLoadDriverPrivilege | Load and unload device drivers |
| SeLockMemoryPrivilege | Lock pages in memory |
| SeBatchLogonRight | Log on as a batch job |
| SeServiceLogonRight | Log on as a service |
| SeSecurityPrivilege | Manage auditing and security log |
| SeRelabelPrivilege | Modify an object label |
| SeSystemEnvironmentPrivilege | Modify firmware environment values |
| SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session |
| SeManageVolumePrivilege | Perform volume maintenance tasks |
| SeProfileSingleProcessPrivilege | Profile single process |
| SeSystemProfilePrivilege | Profile system performance |
| SeUndockPrivilege | Remove computer from docking station |
| SeAssignPrimaryTokenPrivilege | Replace a process level token |
| SeRestorePrivilege | Restore files and directories |
| SeShutdownPrivilege | Shut down the system |
| SeSyncAgentPrivilege | Synchronize directory service data |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects |

### Installing

```powershell
Install-Module -Name SecurityPolicy -AllowClobber -Force
```

`-Force` and `-AllowClobber` aren't required. `-Force` suppresses the untrusted-repository prompt and lets a newer version install alongside one that is already present; `-AllowClobber` lets the install proceed when another installed module already exports a command with the same name, which otherwise fails the install.

### Updating

```powershell
Update-Module -Name SecurityPolicy
```

That's it. Whenever a new version is published, run the command again to pick it up. Remember that you may need to close and reopen the PowerShell session if you have already used the module before updating it.

**The important thing**: if something works for you in production, keep using that version until you have tested the new one on a test computer. I make changes that may not be big, but are big enough that an auto-update can break your code; a small rename of a parameter and your script stops working. Be responsible!

### Using SecurityPolicy

#### Getting and setting Security Policies

```powershell
$SecurityPolicies = Get-SecurityPolicy -Verbose -All
# $SecurityPolicies | Format-Table

$SecurityPolicies.'Unicode' | Format-Table
$SecurityPolicies.'System Access' | Format-Table
# $SecurityPolicies.'Event Audit' | Format-Table
# $SecurityPolicies.'Registry Values' | Format-Table
# $SecurityPolicies.'Privilege Rights' | Format-Table
# $SecurityPolicies.'Version' | Format-Table

Set-SecurityPolicy -SystemAccess MinimumPasswordAge -Value 1
```
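The block above changes one `[System Access]` value in isolation. In practice you want the change to be repeatable and reviewable: snapshot the policy before touching it, apply a whole baseline, and snapshot again so there is evidence and a rollback reference. The following is an added example, not code from the SecurityPolicy module or its README. It assumes that `Set-SecurityPolicy -SystemAccess` accepts the other standard secedit `[System Access]` key names besides the `MinimumPasswordAge` shown in the README (`MinimumPasswordLength`, `PasswordComplexity`, `PasswordHistorySize`, `MaximumPasswordAge`, `LockoutBadCount`, `ResetLockoutCount`, `LockoutDuration`), and that the object returned by `Get-SecurityPolicy -All` serialises with `ConvertTo-Json`. The baseline values are illustrative, not a recommendation for any particular environment.

```powershell
# Added example; not part of the SecurityPolicy module.
# Assumption: Set-SecurityPolicy -SystemAccess accepts the standard secedit
# [System Access] key names listed below (the README only shows MinimumPasswordAge).
#Requires -RunAsAdministrator
Import-Module SecurityPolicy

# Desired [System Access] values. Ages are in days, lockout timers in minutes,
# matching the units secedit uses for these keys.
$Baseline = [ordered] @{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MinimumPasswordAge    = 1
    MaximumPasswordAge    = 365
    LockoutBadCount       = 10
    ResetLockoutCount     = 15
    LockoutDuration       = 15
}

function Invoke-SystemAccessBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
        [string] $EvidencePath = (Join-Path $env:ProgramData 'SecurityPolicyBaseline')
    )
    # Evidence writes are deliberately exempt from -WhatIf (-WhatIf:$false):
    # a dry run should still record what the policy looked like when it ran.
    New-Item -ItemType Directory -Path $EvidencePath -Force -WhatIf:$false | Out-Null
    $Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # Snapshot before changing anything: rollback reference and audit evidence.
    $Before = Get-SecurityPolicy -All
    $Before | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $EvidencePath "before-$Stamp.json") -WhatIf:$false

    foreach ($Key in $Baseline.Keys) {
        $Value = $Baseline[$Key]
        # ShouldProcess honours -WhatIf/-Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess("System Access\$Key", "Set to $Value")) {
            Set-SecurityPolicy -SystemAccess $Key -Value $Value
        }
    }

    # Re-read after applying so the evidence reflects the effective state, not the intent.
    $After = Get-SecurityPolicy -All
    $After | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $EvidencePath "after-$Stamp.json") -WhatIf:$false
    $After.'System Access'
}

# Dry run first (prints "What if:" for each key, writes the before/after snapshots only),
# then apply for real.
Invoke-SystemAccessBaseline -Baseline $Baseline -WhatIf
Invoke-SystemAccessBaseline -Baseline $Baseline | Format-Table
```

Two caveats. On a domain-joined machine the local `[System Access]` values are only effective where no Group Policy sets the same setting; a domain GPO will re-apply its value at the next policy refresh, and password and lockout policy for domain accounts comes from the domain, not from the local policy. And `LockoutBadCount` of 0 disables lockout entirely, so a baseline that "relaxes" it should be reviewed rather than applied blindly.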

#### Getting and setting User Rights Assignment

Adding and removing user rights assignments can be done with `Add-UserRightsAssignment` and `Remove-UserRightsAssignment`.

```powershell
# Show who currently holds "Access Credential Manager as a trusted caller"
$Output = Get-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege #-Computer AD1
$Output | Format-Table

# Identities can be given as a SID as well as a name
Remove-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege -Identity "S-1-5-21-853615985-2870445339-3163598659-4098"

# Re-read to confirm the removal took effect
$Output = Get-UserRightsAssignment -UserRightsAssignment SeTrustedCredManAccessPrivilege #-Computer AD1
$Output | Format-Table

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

# Grant "Back up files and directories" to one account, then revoke it again
Add-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

Remove-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table
```

Or you can use `Set-UserRightsAssignment`, which adds the identities that are missing and removes the ones not in your list, in one command.

```powershell
$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table

# The complete list of identities that should hold the right; anything not listed is removed
$Identity = @(
    'BUILTIN\Backup Operators'
    'BUILTIN\Administrators'
    'Guest'
    #'BUILTIN\Users'
    #'przemyslaw.klys'
)

# -WhatIf shows the adds and removes without changing anything; drop it to apply
Set-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity $Identity -WhatIf #-Computer AD1

$Output = Get-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege #-Computer AD1
$Output | Format-Table
```
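Because `Set-UserRightsAssignment` reconciles a right to exactly the identities you pass, it lends itself to a declarative baseline: a table of rights and their intended holders, applied as a dry run first and then for real. The following is an added example, not code from the SecurityPolicy module or its README, and it uses only the parameters the README shows (`-UserRightsAssignment`, `-Identity`, `-WhatIf`, `-Computer`). It assumes that `-WhatIf` on the wrapper function propagates to `Set-UserRightsAssignment` through `$WhatIfPreference`, and the `EVOTEC\Tier0-Admins` and `EVOTEC\Workstation-RDP` groups are placeholders for your own tiering groups and must exist before you run it. The choice of rights focuses on the ones most useful to an attacker for privilege escalation (debug, take ownership, load driver, backup and restore) and for lateral movement (the logon and deny-logon rights).

```powershell
# Added example; not part of the SecurityPolicy module.
# Assumption: Set-UserRightsAssignment replaces the full holder list for a right,
# as the README describes, and honours $WhatIfPreference set by our -WhatIf.
# EVOTEC\Tier0-Admins and EVOTEC\Workstation-RDP are placeholder group names.
#Requires -RunAsAdministrator
Import-Module SecurityPolicy

# Desired holders per right for a workstation-tier host. Rights that nobody should
# hold (SeTcbPrivilege, SeCreateTokenPrivilege) are not listed here: emptying a right
# is done with Remove-UserRightsAssignment per identity, not with an empty list.
$Baseline = [ordered] @{
    # SYSTEM-equivalent rights: Administrators only.
    SeDebugPrivilege                  = @('BUILTIN\Administrators')
    SeTakeOwnershipPrivilege          = @('BUILTIN\Administrators')
    SeLoadDriverPrivilege             = @('BUILTIN\Administrators')
    # Backup/restore bypass file ACLs; keep them to the two groups that need them.
    SeBackupPrivilege                 = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeRestorePrivilege                = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    # Tier-0 accounts must never authenticate to this host in any way.
    SeDenyInteractiveLogonRight       = @('EVOTEC\Tier0-Admins')
    SeDenyRemoteInteractiveLogonRight = @('EVOTEC\Tier0-Admins')
    SeDenyNetworkLogonRight           = @('EVOTEC\Tier0-Admins', 'Guest')
    # RDP only for a dedicated group, not BUILTIN\Users.
    SeRemoteInteractiveLogonRight     = @('BUILTIN\Administrators', 'EVOTEC\Workstation-RDP')
}

function Invoke-UserRightsBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
        [string] $Computer
    )
    $Common = @{}
    if ($Computer) { $Common['Computer'] = $Computer }
    $Target = if ($Computer) { $Computer } else { $env:COMPUTERNAME }

    foreach ($Right in $Baseline.Keys) {
        $Identity = @($Baseline[$Right])

        # Cheap lockout guard: a deny right applied to a broad principal cuts off
        # administration of the host, which is the classic self-inflicted outage.
        $Broad = 'Everyone', 'BUILTIN\Administrators', 'Authenticated Users', 'NT AUTHORITY\Authenticated Users'
        if ($Right -like 'SeDeny*' -and ($Identity | Where-Object { $_ -in $Broad })) {
            throw "Refusing to apply $Right to a broad principal on $Target; this would lock out administration."
        }

        # Record the current holders so the change is reviewable and reversible.
        Write-Verbose "Current holders of $Right on $Target:"
        Get-UserRightsAssignment -UserRightsAssignment $Right @Common | Out-String | Write-Verbose

        # Under -WhatIf this prints each add/remove without touching the policy.
        Set-UserRightsAssignment -UserRightsAssignment $Right -Identity $Identity @Common
    }

    # Re-read the policy so the caller sees the effective state, not the intent.
    foreach ($Right in $Baseline.Keys) {
        Get-UserRightsAssignment -UserRightsAssignment $Right @Common
    }
}

# Dry run with the current holders logged, then apply.
Invoke-UserRightsBaseline -Baseline $Baseline -WhatIf -Verbose
Invoke-UserRightsBaseline -Baseline $Baseline | Format-Table
```

Always run the dry run first, especially with `-Computer`: a baseline that removes your own account or management group from `SeNetworkLogonRight` or `SeRemoteInteractiveLogonRight` on a remote host removes the path you are managing it over. On domain-joined machines, user rights set by a Group Policy override the local values at the next refresh, so apply tiering baselines through GPO there and use the local policy for standalone hosts or for verification.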