17

I am trying to write a script to list the privileges (eg SeShutDownPrivilege etc) of all user accounts. I'd prefer it if my script could be run as a standard user, but I can run it as an admin account if I had to. Here are the approaches I have tried so far:

  • using tokensz (from https://blogs.technet.microsoft.com/askds/2007/11/02/whats-in-a-token/): works (tokensz /compute_tokensize /dump_groups) for the currently logged in user. But when logged in even as a domain administrator, when trying for another user (tokensz /compute_tokensize /dump_groups /user:[another.user]), I get the error SEC_E_LOGON_DENIED

  • whoami /all works but only for the currently logged in user

  • ntrights.exe doesn't appear to be able to list privileges, only add and remove.

  • secedit /export /areas USER_RIGHTS /cfg out.txt: lists all privileges and the SIDs that have that privilege, but that list appears incomplete; the output from tokensz shows a user John.Smith with SeShutdownPrivilege, but the output from secedit for SeShutdownPrivilege lists groups that John.Smith is not a member of.

I can use portable executables (eg tokensz.exe, ntrights.exe) and built in utilities but will not be able to install applications or extensions

A G
  • 623

3 Answers3

11

You can use AccessChk in accomplish this task.

Accesschk “domain\user” -a * will list all the permissions of a given domain user.

You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about.

Ramhound
  • 44,080
6

For anybody looking for a PowerShell script, this ought to do it:

Get-WmiObject Win32_UserProfile | foreach-object {
  $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
  $user = $sid.Translate([System.Security.Principal.NTAccount])
  $username = $user.Value
  $username
  $chkCmd = "accesschk """ + $username + """ -a * -q"
  Invoke-Expression $chkCmd
  ""
}

It gets the list of users who have a profile on the local machine, determines their names from the SID, and invokes accesschk - as recommended by Ramhound - on them. Each user's record starts with the username in DOMAIN\user format, contains each right on a line, and ends with a blank line. (SID translation courtesy of this article.) You can dump its stuff to a file with the redirection operator, >.

A caveat of AccessChk is that it seems to produce an empty list for domain users that don't have local admin rights. Therefore, this version that produces the above information for every known user in the domain and on the machine is a little lame, but may become useful with a future version of the tool:

Get-WmiObject Win32_UserAccount | foreach-object {
  $username = $_.Caption
  $username
  $chkCmd = "accesschk """ + $username + """ -a * -q"
  Invoke-Expression $chkCmd
  ""
}

If you're wondering what secedit is talking about, it's just getting the list of principals (in SID form) to which the rights have been assigned in User Rights Assignment (see secpol.msc). Therefore, you'll usually see the SIDs for groups like Users or Administrators rather than specific people.

Dennis
  • 163
Ben N
  • 42,308
1

Install the newly released module Carbon.Security which works on both local accounts and domain accounts

Get-CPrivilege -Identity <user>

Carbon has been around a long while, but it's gotten pretty big. So the new release splits Carbon into several smaller modules instead.

Dennis
  • 163