modify user rights assignment powershell

Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

All of the User Rights that can be set:

Note You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

Note You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

• operationsManager
• troubleshooting
• certificates

Managing User Rights in Powershell

Managing User Rights Assignments in Powershell

Windows User Rights, also known as Windows Privileges, are traditionally managed via GPO or in the simplest of cases via the server’s Local Security Policy. These assignments control special permissions that are often needed by IIS applications or other application hosting on Windows Servers.

So how can we manage these assignments in Powershell? There’s no obvious solution provided in Powershell, but there are several options are available. None of which are a pure Powershell solution, but some are close.

• Wrap the ntrights.exe process in Powershell. This is relatively simple, but the downside is having an external dependency on the ntrights.exe file.
• Embed a wrapper class to the LSA API in your script. This is a pretty good solution but certainly bloats your script.
• Load and Reference the Carbon DLL (If you haven’t already checked out this Powershell library, you should it is very powerful and regularly updated. I choose this approach because it keeps the script clean and compact, it returns an array of strings for easy interrogation. It does require a dependency on carbon.dll, but this library provides a ton of functionality beyond just this.

I like the 3rd option, its very clean, and I like working with the Carbon library.

Now lets take this script to the next level and wrap it into a DSC Script implementation. We can use this same logic in a DSC configuration to make sure our desired User Rights Assignments are kept in place.

What else can we do? We could also create a Custom DSC Resource to have a cleaner DSC Configuration.

Related Posts

Local Administrator Audit Script

Powershell Log Archival Script

My new stories.

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:.

In this article, I am going to explain about how to set or configure Allow Log on Locally User rights/permission/privilege using Local Security Policy , Powershell , C# and Command Line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

• Grant Allow log on locally user rights via Powershell
• Set Allow log on locally user rights via Command Line
• Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing ‘ Windows’ + ‘ R’   keys. 2. Type the command secpol.msc in the text box and click OK.

3. Now the Local Security Policy window will be open, in that window navigate to the node User Rights Assignment ( Security Settings -> Local Polices ->User Rights Assignment ). In right side pane, search and select the policy Allow log on locally .

4. Double-click on the policy Allow log on locally , in the opened window click the button Add User or Group, select the user account you want to set Allow log on locally rights and click OK, and click Apply button to finish.

Set or Grant Allow log on locally user rights via Powershell

 We can set the  Allow log on locally user rights using Powershell by importing the third party DLL ( Carbon  ). Before you run the below script you need to the download latest Carbon files from here Download Carbon DLL .

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download latest Carbon files from here Download Carbon DLL .   2. If you have downloaded the files, extract the zip file and you could see the Carbon DLL inside bin folder (In my case: C:UsersAdministratorDownloadsCarbonbinCarbon.dll ).   3. Copy the below Powershell script commands and place it notepad or textfile.   4. Now you can replace your Carbon DLL path in following script for the variable $CarbonDllPath   5. You can also replace the user identity that you are going to set log on locally user rights in the variable $Identity   6. Now run as Powershell window with Admin Privilege ( Run as Administrator )   7. Copy the edited Powershell script and Run it in Powershell to configure Allow log on locally user rights.

Powershell output :

Other web site links for Carbon DLL:   https://bitbucket.org/splatteredbits/carbon/downloads   http://pshdo.com/   http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allo Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file

Share this:

Related posts.

• Change local system user account password using Powershell
• Remove user from local Administrator group using PowerShell
• Unlock AD User Account using Powershell script
• Check if AD user exists with PowerShell
• Set Office 365 user password via Powershell

Leave a Comment Cancel reply

Save my name, email, and website in this browser for the next time I comment.

Confirm Password *

Username or email *

Forgot Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

You must login to ask a question.

Please briefly explain why you feel this question should be reported.

Please briefly explain why you feel this answer should be reported.

Please briefly explain why you feel this user should be reported.

IT Solutions | Free tech support | SolutionFall.Com

How can user rights assignments be modified using a PowerShell script?

I am currently undertaking a project to create a script that ensures any computer is CIS compliant up to IG3 level. As part of this effort, I am adjusting the User Rights Assignments to only include Admins or remote desktop users. Ideally, I aim to execute this task using PowerShell within my script, avoiding tools like NTRights.exe. Assistance on how to remove undesired users with existing rights and how to add necessary users with the appropriate permissions would be highly valued. Thank you in advance for any guidance provided. 🙂

Leave an answer Cancel reply

Save my name, email, and website in this browser for the next time I comment.

To modify user rights assignments using a PowerShell script, you can use the `Get-Acl` and `Set-Acl` cmdlets. Here is an example script that demonstrates how you can modify user rights assignments:

Make sure to replace `”C:\Path\To\Your\File.txt”`, `”DOMAIN\Username”`, and `”FullControl”` with the appropriate paths, user/group identities, and permissions you want to assign. Additionally, ensure that you have the necessary permissions to modify ACLs on the object.

Please test this script in a non-production environment before executing it on critical systems to avoid unintended changes.

• Share on Facebook
• Share on Twitter
• Share on LinkedIn
• Share on WhatsApp

Related Questions

• What is the error message when calling Get-ChildItem from Invoke-Command?
• What permissions are required for a custom runner in GitHub Actions?
• What is the error when importing a module in an Azure PowerShell runbook?
• Why are Azure tag values missing when querying with PowerShell?
• How can I retrieve a list of published pipelines in Azure Data Factory for a specific branch and repository in ...

Jordan's space

Computers, survival, and fun., change local user rights assignment from powershell.

There are lots of “solutions” out there that just shell out to ntrights.exe or secedit or something else not powershell, and say “but powershell calls it so it counts!”  No it doesn’t.

There is no native NET or COM interface to manage local user rights assignment.  You have to use P/Invoke to call the API.  It’s a pain.  But I swiped some code from Roel van Lisdonk ( http://www.roelvanlisdonk.nl/?p=1151 ) and got it working.  Looks like he got the code from Willy Denoyette (see http://www.pinvoke.net/default.aspx/advapi32.lsalookupsids ) which I kept intact except for a minor error correction (it was missing a semicolon and wouldn’t compile). See http://www.hightechtalks.com/csharp/lsa-functions-276626.html for what seems to be Willy’s original source.

$LsaWrapper = @' using System; using System.Collections.Generic; using System.Text; namespace LsaSecurity { /* * LsaWrapper class credit: Willy Denoyette [MVP] * * http://www.hightechtalks.com/csharp/lsa-functions-276626.html * * Added support for: * * LsaLookupSids * * for the purposes of providing a working example. * * * */ using System.Runtime.InteropServices; using System.Security; using System.Management; using System.Runtime.CompilerServices; using System.ComponentModel; using LSA_HANDLE = IntPtr; public class Program { public static void Main() { using (LsaWrapper lsaSec = new LsaWrapper()) { string[] accounts = lsaSec.GetUsersWithPrivilege("SeNetworkLogonRight"); } } } [StructLayout(LayoutKind.Sequential)] struct LSA_OBJECT_ATTRIBUTES { internal int Length; internal IntPtr RootDirectory; internal IntPtr ObjectName; internal int Attributes; internal IntPtr SecurityDescriptor; internal IntPtr SecurityQualityOfService; } [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] struct LSA_UNICODE_STRING { internal ushort Length; internal ushort MaximumLength; [MarshalAs(UnmanagedType.LPWStr)] internal string Buffer; } sealed class Win32Sec { [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern uint LsaOpenPolicy( LSA_UNICODE_STRING[] SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, int AccessMask, out IntPtr PolicyHandle ); [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern uint LsaAddAccountRights( LSA_HANDLE PolicyHandle, IntPtr pSID, LSA_UNICODE_STRING[] UserRights, int CountOfRights ); [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern uint LsaRemoveAccountRights( LSA_HANDLE PolicyHandle, IntPtr pSID, bool allRights, LSA_UNICODE_STRING[] UserRights, int CountOfRights ); [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern uint LsaEnumerateAccountsWithUserRight( LSA_HANDLE PolicyHandle, LSA_UNICODE_STRING[] UserRights, out IntPtr EnumerationBuffer, out int CountReturned ); [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern uint LsaLookupSids( LSA_HANDLE PolicyHandle, int count, IntPtr buffer, out LSA_HANDLE domainList, out LSA_HANDLE nameList ); [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute] internal static extern int LsaLookupNames2( LSA_HANDLE PolicyHandle, uint Flags, uint Count, LSA_UNICODE_STRING[] Names, ref IntPtr ReferencedDomains, ref IntPtr Sids ); [DllImport("advapi32")] internal static extern int LsaNtStatusToWinError(int NTSTATUS); [DllImport("advapi32")] internal static extern int LsaClose(IntPtr PolicyHandle); [DllImport("advapi32")] internal static extern int LsaFreeMemory(IntPtr Buffer); } public sealed class LsaWrapper : IDisposable { private bool _writeToConsole = false; [StructLayout(LayoutKind.Sequential)] struct LSA_TRUST_INFORMATION { internal LSA_UNICODE_STRING Name; internal IntPtr Sid; } [StructLayout(LayoutKind.Sequential)] struct LSA_TRANSLATED_SID2 { internal SidNameUse Use; internal IntPtr Sid; internal int DomainIndex; uint Flags; } //[StructLayout(LayoutKind.Sequential)] //struct LSA_REFERENCED_DOMAIN_LIST //{ // internal uint Entries; // internal LSA_TRUST_INFORMATION Domains; //} // Commented by KaushalendraATgmail.com [StructLayout(LayoutKind.Sequential)] internal struct LSA_REFERENCED_DOMAIN_LIST { internal uint Entries; internal IntPtr Domains; } [StructLayout(LayoutKind.Sequential)] struct LSA_ENUMERATION_INFORMATION { internal LSA_HANDLE PSid; } [StructLayout(LayoutKind.Sequential)] struct LSA_SID { internal uint Sid; } [StructLayout(LayoutKind.Sequential)] struct LSA_TRANSLATED_NAME { internal SidNameUse Use; internal LSA_UNICODE_STRING Name; internal int DomainIndex; } enum SidNameUse : int { User = 1, Group = 2, Domain = 3, Alias = 4, KnownGroup = 5, DeletedAccount = 6, Invalid = 7, Unknown = 8, Computer = 9 } enum Access : int { POLICY_READ = 0x20006, POLICY_ALL_ACCESS = 0x00F0FFF, POLICY_EXECUTE = 0X20801, POLICY_WRITE = 0X207F8 } const uint STATUS_ACCESS_DENIED = 0xc0000022; const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a; const uint STATUS_NO_MEMORY = 0xc0000017; IntPtr lsaHandle; public LsaWrapper() : this(null) { } // // local system if systemName is null public LsaWrapper(string systemName) { LSA_OBJECT_ATTRIBUTES lsaAttr; lsaAttr.RootDirectory = IntPtr.Zero; lsaAttr.ObjectName = IntPtr.Zero; lsaAttr.Attributes = 0; lsaAttr.SecurityDescriptor = IntPtr.Zero; lsaAttr.SecurityQualityOfService = IntPtr.Zero; lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)); lsaHandle = IntPtr.Zero; LSA_UNICODE_STRING[] system = null; if (systemName != null) { system = new LSA_UNICODE_STRING[1]; system[0] = InitLsaString(systemName); } uint ret = Win32Sec.LsaOpenPolicy(system, ref lsaAttr, (int)Access.POLICY_ALL_ACCESS, out lsaHandle); if (ret == 0) return; if (ret == STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY)) { throw new OutOfMemoryException(); } throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret)); } public string[] GetUsersWithPrivilege(string privilege) { LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1]; privileges[0] = InitLsaString(privilege); IntPtr buffer; int count; uint ret = Win32Sec.LsaEnumerateAccountsWithUserRight(lsaHandle, privileges, out buffer, out count); if (ret != 0) { if (ret == STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } if (ret == STATUS_INSUFFICIENT_RESOURCES || ret == STATUS_NO_MEMORY) { throw new OutOfMemoryException(); } throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret)); } LSA_ENUMERATION_INFORMATION[] lsaInfo = new LSA_ENUMERATION_INFORMATION[count]; for (int i = 0, elemOffs = (int)buffer; i < count; i++) { lsaInfo[i] = (LSA_ENUMERATION_INFORMATION)Marshal.PtrToStructure((IntPtr)elemOffs, typeof(LSA_ENUMERATION_INFORMATION)); elemOffs += Marshal.SizeOf(typeof(LSA_ENUMERATION_INFORMATION)); } LSA_HANDLE domains; LSA_HANDLE names; ret = Win32Sec.LsaLookupSids(lsaHandle, lsaInfo.Length, buffer, out domains, out names); if (ret != 0) { if (ret == STATUS_ACCESS_DENIED) { throw new UnauthorizedAccessException(); } if (ret == STATUS_INSUFFICIENT_RESOURCES || ret == STATUS_NO_MEMORY) { throw new OutOfMemoryException(); } throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret)); } /*string[] retNames = new string[count]; LSA_TRANSLATED_NAME[] lsaNames = new LSA_TRANSLATED_NAME[count]; for (int i = 0, elemOffs = (int)names; i < count; i++) { lsaNames[i] = (LSA_TRANSLATED_NAME)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRANSLATED_NAME)); elemOffs += Marshal.SizeOf(typeof(LSA_TRANSLATED_NAME)); LSA_UNICODE_STRING name = lsaNames[i].Name; retNames[i] = name.Buffer.Substring(0, name.Length / 2); }*/ // Following code also fetches Domains and associates domains and usernames string[] retNames = new string[count]; List currentDomain = new List(); int domainCount = 0; LSA_TRANSLATED_NAME[] lsaNames = new LSA_TRANSLATED_NAME[count]; for (int i = 0, elemOffs = (int)names; i < count; i++) { lsaNames[i] = (LSA_TRANSLATED_NAME)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRANSLATED_NAME)); elemOffs += Marshal.SizeOf(typeof(LSA_TRANSLATED_NAME)); LSA_UNICODE_STRING name = lsaNames[i].Name; retNames[i] = name.Buffer.Substring(0, name.Length / 2); if (!currentDomain.Contains(lsaNames[i].DomainIndex)) { domainCount = domainCount + 1; currentDomain.Add(lsaNames[i].DomainIndex); } } string[] domainPtrNames = new string[count]; LSA_REFERENCED_DOMAIN_LIST[] lsaDomainNames = new LSA_REFERENCED_DOMAIN_LIST[count]; for (int i = 0, elemOffs = (int)domains; i < count; i++) { lsaDomainNames[i] = (LSA_REFERENCED_DOMAIN_LIST)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_REFERENCED_DOMAIN_LIST)); elemOffs += Marshal.SizeOf(typeof(LSA_REFERENCED_DOMAIN_LIST)); } LSA_TRUST_INFORMATION[] lsaDomainName = new LSA_TRUST_INFORMATION[count]; string[] domainNames = new string[domainCount]; for (int i = 0, elemOffs = (int)lsaDomainNames[i].Domains; i < domainCount; i++) { lsaDomainName[i] = (LSA_TRUST_INFORMATION)Marshal.PtrToStructure((LSA_HANDLE)elemOffs, typeof(LSA_TRUST_INFORMATION)); elemOffs += Marshal.SizeOf(typeof(LSA_TRUST_INFORMATION)); LSA_UNICODE_STRING tempDomain = lsaDomainName[i].Name; //if(tempDomain.Buffer != null) //{ domainNames[i] = tempDomain.Buffer.Substring(0, tempDomain.Length / 2); //} } string[] domainUserName = new string[count]; for (int i = 0; i 0x7ffe) throw new ArgumentException("String too long"); LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING(); lus.Buffer = s; lus.Length = (ushort)(s.Length * sizeof(char)); lus.MaximumLength = (ushort)(lus.Length + sizeof(char)); // If unicode issues then do this instead of previous two line //lus.Length = (ushort)(s.Length * 2); // Unicode char is 2 bytes //lus.MaximumLength = (ushort)(lus.Length + 2) return lus; } public bool WriteToConsole { set { this._writeToConsole = value; } } } public class LsaWrapperCaller { public static void AddPrivileges(string account, string privilege) { using (LsaWrapper lsaWrapper = new LsaWrapper()) { lsaWrapper.AddPrivileges(account, privilege); } } public static void RemovePrivileges(string account, string privilege) { using (LsaWrapper lsaWrapper = new LsaWrapper()) { lsaWrapper.RemovePrivileges(account, privilege); } } } } '@ Add-Type $LsaWrapper $account = "computername\name" # Will default to local computer if you do not specify computername. Can also accept domain name there. Name is a user name or group name. $right = "SeServiceLogonRight" # see http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671(v=vs.85).aspx for a list. [LsaSecurity.LsaWrapperCaller]::RemovePrivileges($account,$right);

4 thoughts on “ Change local user rights assignment from powershell ”

When I found your post I was really happy, because it was exactly what I was looking for!

I tried to use your code in one of my scripts, but I keep getting this error: ‘LsaSecurity.LsaWrapper’ does not implement interface member ‘System.IDisposable.Dispose()’

Unfortunately, my knowledge of C# is not nearly enough to know how to fix that. I can see the line it fails on, but I have no idea how to fix it. This is from a direct copy of your code above…

Hope you can help me out :)

Thanks, Arjan.

It looks like wordpress ate some of the code. It doesn’t work when I copy it out, and I can’t find my original files. It’s going to take me a while to clean it up again… I’m not so hot at C# either. The problem you’re seeing is that it doesn’t implement a dispose member. But there are others that will come up after that. I’ll work on cleaning it up (and thanks for letting me know), but in the meantime you might try this: https://stackoverflow.com/questions/26392151/enabling-a-local-user-right-assignment-in-powershell

Did you happen to rebuild this yet… I would love to get my hands on it…

I have a scaled down version. Only does logon as batch. But it should be easy enough to make it do any other right. Try this: https://jordanmillsv2.blob.core.windows.net/public/Add-UserToLoginAsBatch.ps1

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Modify User Permissions using Powershell

I am new to PowerShell and I am trying to add a local user called 'Tree' with read-only and list permissions to all files and folders in a directory on my F:\ drive and force the permissions to propagate and not change any existing permissions

Windows Server PowerShell Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications. PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language. 5,500 questions Sign in to follow Follow

You can do it with icacls.exe.

Or with Powershell cmdlets.

If you have folders that do not inherit permissions from their parent folder, the access will not be applied to them.

As always, try this on a test folder first.

Thank you very much for your time and effort this worked perfectly

0 additional answers

How to Make an Account an Administrator Using PowerShell in Windows 11

by Edward van Biljon | Apr 2, 2024 | PowerShell

Windows 11 provides several ways to manage user accounts and their permissions. One powerful tool for managing user accounts is PowerShell, a command-line shell and scripting language. In this guide, we will walk you through the steps to make an account an administrator using PowerShell in Windows 11.

Before we begin, it’s important to note that making an account an administrator gives that user full control over the system, including the ability to install software, modify system settings, and access sensitive data. Therefore, it is crucial to exercise caution when granting administrator privileges to an account.

To make an account an administrator using PowerShell, follow these steps:

• Open PowerShell with administrative privileges. You can do this by right-clicking on the Start button and selecting “Windows PowerShell (Admin)” from the context menu.
• Once PowerShell is open, you need to identify the user account that you want to make an administrator. You can do this by running the following command:

Get-LocalUser -Name "username"

Replace “username” with the actual username of the account you want to promote to administrator. This command will display information about the specified user account.

• After identifying the user account, you can proceed to make it an administrator by running the following command:

Add-LocalGroupMember -Group "Administrators" -Member "username"

Replace “username” with the actual username of the account you want to make an administrator. This command adds the specified user account to the “Administrators” group, granting it administrator privileges.

Once you have executed the command, PowerShell will display a confirmation message indicating that the user account has been added to the “Administrators” group. You can verify the changes by running the following command:

Get-LocalGroupMember -Group "Administrators"

This command will list all the members of the “Administrators” group, including the newly added user account.

It’s important to note that you need to have administrative privileges yourself to make changes to user accounts using PowerShell. If you are not already logged in as an administrator, you may be prompted to enter the administrator password or provide confirmation.

Remember, granting administrator privileges to an account should be done with caution. It is recommended to only give administrator access to trusted users who require it for specific tasks. Regular user accounts should be used for everyday tasks to minimize the risk of accidental system modifications or unauthorized access to sensitive data.

By following the steps outlined in this guide, you can easily make an account an administrator using PowerShell in Windows 11. This method provides a convenient and efficient way to manage user accounts and their permissions, giving you control over who has administrative access to your system.

Step 1: Open PowerShell

The first step is to open PowerShell. There are a few different ways to do this:

• Press the Windows key, type “PowerShell,” and click on the “Windows PowerShell” app that appears in the search results.
• Right-click on the Start button, select “Windows PowerShell” from the menu.
• Press the Windows key + X, then select “Windows PowerShell” from the menu.

Once you have opened PowerShell, you will see a command line interface where you can input commands and execute them. PowerShell is a powerful tool that allows you to automate tasks, manage system configurations, and perform various administrative tasks on your Windows computer. It is based on the .NET framework and offers a wide range of features and functionalities.

PowerShell uses a scripting language that is similar to other programming languages, such as C# and VB.NET. It supports variables, loops, conditional statements, and other programming constructs, making it a versatile tool for both simple and complex tasks. With PowerShell, you can interact with various components of the operating system, such as the file system, registry, services, and more.

One of the key advantages of PowerShell is its ability to work with objects. Unlike traditional command-line interfaces, which typically output text, PowerShell outputs objects that can be manipulated and processed. This object-oriented approach allows for more flexible and powerful scripting, as you can easily filter, sort, and format the output to suit your needs.

In addition to its core functionality, PowerShell also supports the use of modules, which are collections of cmdlets (pronounced “command-lets”) that extend the capabilities of the shell. These modules can be used to perform specific tasks, such as managing Active Directory, working with databases, or interacting with cloud services.

Overall, PowerShell is a versatile and powerful tool that can greatly enhance your productivity as a Windows user or administrator. Whether you are a beginner or an experienced user, learning PowerShell can open up new possibilities and help you automate repetitive tasks, troubleshoot issues, and manage your system more efficiently.

Step 2: Run PowerShell as Administrator

Once you have opened PowerShell, you need to run it as an administrator to have the necessary permissions to make changes to user accounts. To do this:

• Right-click on the “Windows PowerShell” app in the taskbar or Start menu.
• Select “Run as administrator” from the context menu.

Running PowerShell as an administrator is crucial when performing tasks that require elevated privileges. By running PowerShell with administrative rights, you gain access to system-level settings and can make changes that affect all users on the computer. When you run PowerShell as an administrator, you are essentially executing commands with full control over the system. This allows you to modify user accounts, install software, configure system settings, and perform other administrative tasks that are otherwise restricted to standard user accounts. Running PowerShell as an administrator is a straightforward process. Once you have located the “Windows PowerShell” app either in the taskbar or the Start menu, simply right-click on it. This action will open a context menu with various options. From the context menu, select “Run as administrator.” Upon selecting this option, a User Account Control (UAC) prompt may appear, asking you to confirm your action. The UAC prompt is a security feature designed to prevent unauthorized changes to the system. To proceed, click “Yes” on the UAC prompt. After successfully running PowerShell as an administrator, you will notice a change in the PowerShell window’s title bar. The title bar will now display “Administrator: Windows PowerShell” to indicate that you have elevated privileges. It is important to note that running PowerShell as an administrator should be done with caution. With great power comes great responsibility, and executing commands with administrative rights can have significant consequences if not used properly. Always double-check your commands and ensure that you understand the potential impact before proceeding. In summary, running PowerShell as an administrator grants you elevated privileges and allows you to perform administrative tasks on your computer. By following the simple steps outlined above, you can easily run PowerShell with administrative rights and take control of your system’s settings and user accounts.

Once you have executed the PowerShell command Get-LocalUser and obtained the list of local user accounts on your Windows 11 system, it’s time to identify the specific user account that you want to elevate to administrator status.

Take a close look at the list of usernames displayed in the PowerShell output. Each username represents a distinct user account on your system. It is essential to choose the correct account to ensure that you grant administrator privileges to the intended user.

To identify the user account, you can refer to various attributes associated with each username. These attributes may include the account’s full name, description, and account type. By examining these details, you can ensure that you are selecting the correct account for elevation.

Additionally, it is worth noting that the PowerShell command Get-LocalUser provides valuable information about each user account, such as the account’s SID (Security Identifier), status (enabled or disabled), and whether it requires a password. These details can further assist you in identifying the desired user account.

Once you have identified the username of the account you wish to make an administrator, make sure to note it down accurately. This username will be crucial in the subsequent steps of granting administrator privileges to the user account.

Step 4: Make the Account an Administrator

Now that you have identified the username of the account you want to make an administrator, you can use the following PowerShell command to grant it administrator privileges:

Replace “username” with the actual username of the account you want to make an administrator. For example, if the username is “JohnDoe,” the command would be:

After running the command, PowerShell will add the specified user account to the “Administrators” group, granting it administrator privileges.

Granting administrator privileges to a user account is an important step in managing the security and access control of a computer system. By making an account an administrator, you are giving it elevated privileges that allow it to perform tasks that are typically restricted to regular users. This can include installing software, modifying system settings, and accessing sensitive files and folders.

However, it is important to exercise caution when granting administrator privileges, as it can also pose security risks if not managed properly. With great power comes great responsibility, and administrators should be aware of the potential consequences of their actions. It is recommended to only grant administrator privileges to trusted users who require it for their job responsibilities.

By using the PowerShell command mentioned above, you can easily add a user account to the “Administrators” group, which is a built-in group in Windows that has full control over the system. This group is typically reserved for system administrators who need unrestricted access to perform their duties.

Once the user account is added to the “Administrators” group, the user will have the ability to perform administrative tasks on the computer. This includes installing and uninstalling software, managing user accounts, modifying system settings, and accessing restricted files and folders.

It is worth noting that granting administrator privileges should be done with caution and only when necessary. Giving unrestricted access to a user account can increase the risk of security breaches and unauthorized system changes. It is important to regularly review the list of users with administrator privileges and remove any accounts that no longer require such access.

Additionally, it is recommended to use strong and unique passwords for all administrator accounts to prevent unauthorized access. Regularly changing passwords and implementing multi-factor authentication can further enhance the security of administrator accounts.

In conclusion, making an account an administrator is a powerful action that should be taken with care. By following the steps outlined above and being mindful of the potential risks, you can effectively manage user privileges and maintain the security of your computer system.

Step 5: Verify the Account’s Administrator Status

To verify that the account has been successfully made an administrator, you can use the following PowerShell command:

This command will list all the members of the “Administrators” group, including the account you just added. Make sure that the account you wanted to make an administrator is listed.

Once you have executed the command, you will see a list of all the members of the “Administrators” group. This includes both local and domain accounts that have been granted administrative privileges on the system. It is important to ensure that the account you just added is present in this list, as it confirms that the account has been successfully added as an administrator.

If you do not see the account listed, double-check the steps you followed in the previous sections. Ensure that you entered the correct username and domain (if applicable) when adding the account. Additionally, make sure that you have the necessary permissions to modify the group membership.

Verifying the account’s administrator status is an essential step to ensure that the account has the necessary privileges to perform administrative tasks on the system. Without the appropriate administrative rights, the account may encounter restrictions and limitations when attempting to perform certain actions or access specific resources.

By confirming the account’s presence in the “Administrators” group, you can be confident that the account has the necessary permissions to effectively carry out administrative tasks and manage the system as required.

Hope you find it helpful.

Share this:

Discover more from everything-powershell.

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

SharePoint Diary

Salaudeen Rajack's Experiences on SharePoint, PowerShell, Microsoft 365 and related products!

SharePoint Online: Change User Permissions using PowerShell

Requirement:   Edit user permissions in SharePoint Online.

How to change user permissions in SharePoint Online Site?

You want to change the user’s permission on a particular site/library/item in SharePoint Online. For example, once a particular project has been completed, you no longer want the team member to add or edit the project’s supporting documents, but only view them! SharePoint provides a flexible way to manage user or group permission changes. Here is how to update user permissions in SharePoint Online.

• To edit site permissions for a user, Navigate to the SharePoint Online site where the user has access. Click on the Settings gear and then Site Settings.
• On the Site Settings page, click on the “Site Permissions” link under the Users and Permissions group.

2 thoughts on “ SharePoint Online: Change User Permissions using PowerShell ”

How do you make this work with MFA login. can’t seem to make it work

Here you go: Connect to SharePoint Online using PowerShell with MFA (Multi-factor Authentication)

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of new posts by email.

How to Easily Change Group Permissions in SharePoint (2024)

Last Updated on December 15, 2023

Need to change group permissions?

In this guide, I will show you how to change group permissions in three steps as well as using PowerShell as an alternative.

Let’s get started.

Table of Contents:

Prepare to Change Group Permissions

Step 1: access the advanced permissions page, step 2: identify the group, step 3: change the permissions, step 1: connect to sharepoint online, step 2: retrieve the group, step 3: assign permissions, regularly reviewing and updating group permissions, training staff on sharepoint permissions, using the minimal privilege principle.

Before you begin the process, it’s important to ensure you’re adequately prepared .

This involves understanding the current permissions structure, the changes to make, and having the necessary access rights.

Here are the steps you should take to prepare:

• Understand the current permissions structure: SharePoint uses a hierarchical permissions structure . At the top level, you have site permissions, followed by list or library permissions, and finally item or document permissions.
• Identify the changes you want to make: Before you start changing permissions, you should have a clear idea of what changes you want to make.
• Check your access rights: To change group permissions, you need to have the necessary access rights (typically site owner or full control permissions).
• Backup of important data: This is a precautionary measure in case something goes wrong during the permissions change process.
• Communicate the changes: It’s important to communicate these changes to the affected users to help avoid confusion and potential issues down the line.

Once you’ve completed these preparatory steps, you’re ready to start changing group permissions in SharePoint.

Related : SharePoint Permissions Explained: How Permission Levels Work

Sign up for exclusive updates, tips, and strategies

How to Change Group Permissions

Changing group permissions in SharePoint is a fundamental task for managing access to resources and maintaining security.

Here’s a step-by-step guide on how to do it:

For starters, get to the SharePoint site where the group is located.

Then do the following:

• Click the gear icon
• Click site permissions

This will open the basic permissions settings for the site.

Click the advanced permissions settings at the bottom:

This section allows you to view and manage who has access to the site and what level of access they have.

Note : You can also access this via the site settings page.

Within this page, you will see a list of groups and users who have access to the site.

Find the group whose permissions you want to change:

• Select that group using the check box (don’t click the name)
• Click the edit user permissions icon on the ribbon

Note : You can use the search function if your site collection has many groups.

You can review the current permissions assigned to the group on this page.

If you want to add/remove permissions, simply check/uncheck the boxes .

Don’t forget to click the ok button to save the changes.

In most cases, you might want to create a custom permission level that fits the needs of the group.

Related : How to Create a SharePoint Custom Permission Level (Guide)

Use PowerShell to change group permissions

Using PowerShell to change group permissions in SharePoint can be a powerful and efficient method.

It’s especially useful for bulk changes or when integrating into scripts for automated management.

Here’s how to use PowerShell to change group permissions in SharePoint:

Use the Connect-SPOService cmdlet to establish a connection to your SharePoint Online service.

You will need to provide the URL of your SharePoint admin center.

The command looks like this:

After running this command, you will be prompted to enter your admin credentials for SharePoint Online.

Note : Don’t forget to run PowerShell in administrator mode.

Use the Get-PnPGroup cmdlet to retrieve the group you want to modify.

For instance:

To assign permissions to a group (like the contribute role), you have to use the role name .

For example:

If you’re not sure what role to give (or the role name), you can use the following command:

This command will display a list of all role definitions.

You can then verify that the permissions have been updated correctly by using Get-PnPGroupPermissions .

This cmdlet will show the current permissions of the group.

Best Practices for Managing SharePoint Group Permissions

Managing SharePoint group permissions effectively is important for maintaining the security and functionality of your SharePoint environment.

Here are some best practices to follow:

• Conduct regular audits: Regular audits of your SharePoint group permissions can help you identify any potential security risks, such as overly permissive groups or orphaned users. Use these audits to review who has access to what and make any necessary changes.
• Update permissions as needed: As your organization evolves, so too will your SharePoint permissions needs. When employees change roles or leave the company, be sure to update their group permissions accordingly. Similarly, when new projects or teams are formed, you may need to create new groups with specific permissions.
• Provide training: All SharePoint users must understand the basics of permissions and how they work. This can help prevent accidental breaches of security and ensure that everyone is using SharePoint effectively.
• Create clear guidelines: Develop and distribute clear guidelines on how permissions should be used in your SharePoint environment. This can help prevent confusion and misuse of permissions.
• Adhere to the principle of least privilege: This principle states that users should be given the minimum levels of access necessary to perform their jobs. This can help reduce the risk of accidental or malicious misuse of permissions.
• Use SharePoint groups: Rather than assigning permissions to individual users, it’s generally best to assign permissions to SharePoint groups. This makes it easier to manage permissions and ensures that users have consistent access levels.

Do you have any questions or need further clarification? Don’t hesitate to drop your questions in the comments.

For professional consultations or personalized assistance, kindly use the contact form . I’ll make sure to respond promptly.

Can we change default groups permissions like site owner, site members and site visitors group? which Access should we need to edit default permissions?

• Cisco Enterprise Core
• VMware vSphere: Install, Configure, Manage

Linux Professional Institute LPIC-2 Certificate

Linux Professional Institute LPIC-1 Certificate

Cisco Certified DevNet Associate Certificate

AWS Certified Cloud Practitioner Certificate

Fortinet NSE 4 – FortiOS 7.2 certificate

ITIL Foundation Certificate

Trending tags.

• IT SOLUTION
• Multiple Choice
• NSE4_FGT-7.2

HOTSPOT – You have an Azure AD tenant. You need to modify the Default user role permissions settings for the tenant. The solution must meet the following requirements: • Standard users must be prevented from creating new service principals. • Standard users must only be able to use PowerShell or Microsoft Graph to manage their own Azure resources. Which two settings should you modify? To answer, select the appropriate settings…

Please login or Register to submit your answer

Username or Email Address

Remember Me

HOTSPOT – You have an Azure AD tenant named adatum.com that contains the groups shown in the following table. Adatum.com contains the users shown in the following table. You assign an Azure Active Directory Premium P2 license to Group1 as shown in the following exhibit. Group2 is NOT directly assigned a license. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each…

You have an azure subscription that contains the resources shown in the following table. you need to ensure that data transfers between storage1 and vm1 do not traverse the internet what should you configure for storage1, related questions.

• HOTSPOT – You have an Azure subscription that contains three virtual networks named VNET1, VNET2, and VNET3. Peering for VNET1 is configured as shown in the following exhibit. Peering for VNET2 is configured as shown in the following exhibit. Peering for VNET3 is configured as shown in the following exhibit. How can packets be routed between the virtual networks? To answer, select the appropriate options in the answer area. NOTE:…
• Your company has three offices. The offices are located in Miami, Los Angeles, and New York. Each office contains datacenter. You have an Azure subscription that contains resources in the East US and West US Azure regions. Each region contains a virtual network. The virtual networks are peered. You need to connect the datacenters to the subscription. The solution must minimize network latency between the datacenters. What should you create?
• HOTSPOT – You have a Microsoft Entra tenant that contains the groups shown in the following table. The tenant contains the users shown in the following table. Which users and groups can you delete? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
• You have an Azure subscription named Subscription1 that contains an Azure Log Analytics workspace named Workspace1. You need to view the error events from a table named Event. Which query should you run in Workspace1?
• Overview – Litware, Inc. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York. The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees. All the resources used by Litware are hosted on-premises. Litware creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named litware.onmicrosoft.com….

Recommended

Cisco ios popular commands.

• Privacy & Policy

ITexamsolutions.net Materials do not contain actual questions and answers from Cisco's Certification Exams. ITexamsolutions.net doesn't offer Real Microsoft Exam Questions. ITexamsolutions.net doesn't offer Real Amazon Exam Questions.

• IT QUESTION LIBRARY
• FREE IT COURSE
• IT CERTIFICATES

Insert/edit link

Enter the destination URL

Or link to existing content

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

User rights assignment in Group Policy Object using powershell?

Not able to grant user rights assignment in group policy object using PowerShell Is there any way or command to add user?

Manual steps:

• Open Group Policy Management
• Navigate to the following path in the Group Policy Object
• Select Policy
• Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
• Add/remove the necessary users

Click on image for details

Tried Set-GPPermission but didn't work it adds user in delegation refer to below image Result after using Set-GPPermission

• set-gppermission? –  js2010 Commented Oct 7, 2022 at 12:50
• @js2010 also used Set-GPPermission but it give edit, modify, etc rights which are mentioned in delegation tab of policy Added image in post for your reference –  Arpit Shivhare Commented Oct 7, 2022 at 13:03

Know someone who can answer? Share a link to this question via email , Twitter , or Facebook .

Your answer.

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Browse other questions tagged powershell or ask your own question .

• The Overflow Blog
• Where does Postgres fit in a world of GenAI and vector databases?
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites
• What does a new user need in a homepage experience on Stack Overflow?
• Feedback requested: How do you use tag hover descriptions for curating and do...
• Staging Ground Reviewer Motivation

Hot Network Questions

• I'm trying to remember a novel about an asteroid threatening to destroy the earth. I remember seeing the phrase "SHIVA IS COMING" on the cover
• What to do when 2 light switches are too far apart for the light switch cover plate?
• How can these humans cross the ocean(s) at the first possible chance?
• Command-line script that strips out all comments in given source files
• Why is "on " the optimal preposition in this case?
• What is an intuitive way to rename a column in a Dataset?
• What would be non-slang equivalent of "copium"?
• Does Vexing Bauble counter taxed 0 mana spells?
• Reference request: acceleration/curvature of curve in metric space
• Using conditionals within \tl_put_right from latex3 explsyntax
• What is the name of this simulator
• Book or novel about an intelligent monolith from space that crashes into a mountain
• My visit is for two weeks but my host bought insurance for two months is it okay
• How can judicial independence be jeopardised by politicians' criticism?
• "TSA regulations state that travellers are allowed one personal item and one carry on"?
• What happens if all nine Supreme Justices recuse themselves?
• How do we reconcile the story of the woman caught in adultery in John 8 and the man stoned for picking up sticks on Sabbath in Numbers 15?
• Which programming language/environment pioneered row-major array order?
• about flag changes in 16-bit calculations on the MC6800
• Does a QGIS python script need to be licensed under GNU GPLv2+?
• A very interesting food chain
• Using Thin Lens Equation to find how far 1972 Blue Marble photo was taken
• Using "no" at the end of a statement instead of "isn't it"?
• Expected number of numbers that stay at their place after k swaps

'Project - Edit Assigned Task' access right lets the user edit unassigned Tasks in Modern UX

Article id: 375648, updated on:, issue/introduction.

Steps to Reproduce :   1. Create a User   2. Create a Project    3. Provide the following access rights to the User from Step 1:   ---Instance Rights--- (Over the Project from Step 2)     Project - Edit Assigned Tasks

  ---Global Rights---     Project - Edit Assigned Tasks     Project Management - Navigate     Projects - Navigate   4. Navigate to Modern UX. Create a Blueprint for Project object    5. Display the 'Task List' module in this Blueprint    6. Associate Project from step 2 to this Blueprint    7. Click into the Project. Click on the 'Task List' module    8. Create a Task - T1, and another Task - T2   9. Assign the User from Step 1 to T1   10. Login as this User into the Modern UX    11. Navigate to the Project from Step 2, and Task T1   12. Change the name of Task T1    13. Attempt to change the name of Task T2

Expected Results: Task T2 should not be editable Actual Results: Task T2 is editable in the Modern UX. It is not editable in Classic UI.

DE153235 is under review.