powershell add user to user rights assignment

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Tutorial: Grant a user access to Azure resources using Azure PowerShell

• 6 contributors

Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this tutorial, you grant a user access to view everything in a subscription and manage everything in a resource group using Azure PowerShell.

In this tutorial, you learn how to:

• Grant access for a user at different scopes

List access

Remove access.

If you don't have an Azure subscription, create a free account before you begin.

We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell . To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az .

Prerequisites

To complete this tutorial, you will need:

• Permissions to create users in Microsoft Entra ID (or have an existing user)
• Azure Cloud Shell
• Microsoft Graph PowerShell SDK

Role assignments

In Azure RBAC, to grant access, you create a role assignment. A role assignment consists of three elements: security principal, role definition, and scope. Here are the two role assignments you will perform in this tutorial:

Create a user

To assign a role, you need a user, group, or service principal. If you don't already have a user, you can create one.

In Azure Cloud Shell, create a password that complies with your password complexity requirements.

Create a new user for your domain using the New-MgUser command.

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

Get a list of region locations using the Get-AzLocation command.

Select a location near you and assign it to a variable.

Create a new resource group using the New-AzResourceGroup command.

Grant access

To grant access for the user, you use the New-AzRoleAssignment command to assign a role. You must specify the security principal, role definition, and scope.

Get the ID of your subscription using the Get-AzSubscription command.

Save the subscription scope in a variable.

Assign the Reader role to the user at the subscription scope.

Assign the Contributor role to the user at the resource group scope.

To verify the access for the subscription, use the Get-AzRoleAssignment command to list the role assignments.

In the output, you can see that the Reader role has been assigned to the RBAC Tutorial User at the subscription scope.

To verify the access for the resource group, use the Get-AzRoleAssignment command to list the role assignments.

In the output, you can see that both the Contributor and Reader roles have been assigned to the RBAC Tutorial User. The Contributor role is at the rbac-tutorial-resource-group scope and the Reader role is inherited at the subscription scope.

(Optional) List access using the Azure Portal

To see how the role assignments look in the Azure portal, view the Access control (IAM) blade for the subscription.

View the Access control (IAM) blade for the resource group.

To remove access for users, groups, and applications, use Remove-AzRoleAssignment to remove a role assignment.

Use the following command to remove the Contributor role assignment for the user at the resource group scope.

Use the following command to remove the Reader role assignment for the user at the subscription scope.

Clean up resources

To clean up the resources created by this tutorial, delete the resource group and the user.

Delete the resource group using the Remove-AzResourceGroup command.

When asked to confirm, type Y . It will take a few seconds to delete.

Delete the user using the Remove-MgUser command.

Assign Azure roles using Azure PowerShell

Was this page helpful?

Additional resources

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:.

In this article, I am going to explain about how to set or configure Allow Log on Locally User rights/permission/privilege using Local Security Policy , Powershell , C# and Command Line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

• Grant Allow log on locally user rights via Powershell
• Set Allow log on locally user rights via Command Line
• Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing ‘ Windows’ + ‘ R’   keys. 2. Type the command secpol.msc in the text box and click OK.

3. Now the Local Security Policy window will be open, in that window navigate to the node User Rights Assignment ( Security Settings -> Local Polices ->User Rights Assignment ). In right side pane, search and select the policy Allow log on locally .

4. Double-click on the policy Allow log on locally , in the opened window click the button Add User or Group, select the user account you want to set Allow log on locally rights and click OK, and click Apply button to finish.

Set or Grant Allow log on locally user rights via Powershell

 We can set the  Allow log on locally user rights using Powershell by importing the third party DLL ( Carbon  ). Before you run the below script you need to the download latest Carbon files from here Download Carbon DLL .

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download latest Carbon files from here Download Carbon DLL .   2. If you have downloaded the files, extract the zip file and you could see the Carbon DLL inside bin folder (In my case: C:UsersAdministratorDownloadsCarbonbinCarbon.dll ).   3. Copy the below Powershell script commands and place it notepad or textfile.   4. Now you can replace your Carbon DLL path in following script for the variable $CarbonDllPath   5. You can also replace the user identity that you are going to set log on locally user rights in the variable $Identity   6. Now run as Powershell window with Admin Privilege ( Run as Administrator )   7. Copy the edited Powershell script and Run it in Powershell to configure Allow log on locally user rights.

Powershell output :

Other web site links for Carbon DLL:   https://bitbucket.org/splatteredbits/carbon/downloads   http://pshdo.com/   http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allo Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file

Share this:

Related posts.

• Change local system user account password using Powershell
• Remove user from local Administrator group using PowerShell
• Unlock AD User Account using Powershell script
• Check if AD user exists with PowerShell
• Set Office 365 user password via Powershell

Leave a Comment Cancel reply

Save my name, email, and website in this browser for the next time I comment.