none
Get-WMIObject RSOP_UserPrivilegeRight RRS feed

  • Question

  • Hi,

    I am trying to find the permission "Manage Auditing and Security Log". I want to find out this for remote computers. 

    I have written a code using Get-WMIObject RSOP_UserPrivilegeRight

    Main line of code is $Output = Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer -ComputerName $computer | Where {$_.UserRight -eq $URName -and $_.precedence -eq 1} | select -property PSComputername, @{Name=’AccountList’;Expression={[string]::join(“;”, ($_.AccountList))}} 

    However, it seems some bug or Get-Wmiobject does not successfully retrieve this permission details from Windows 2012. 

    Somehow, some other permission like shutdown computer and all can be returned by WMI query, but Auditing permission is not returned by WMI query.

    i have seen some other forums and someone says it needs custom code and WMI is not solution for it.

    Please help if any clue you have.

    Tuesday, April 23, 2019 10:43 AM

Answers

  • No. It is locally added right through local group policy. It doesnt go away even if in enforce GP apply on server. 

    The local policy will not go away.  Domain GP will overwrite the results.  Domain GP does not change local GP settings it just gets the last say.

    Look at the full results to see what policies are being applied.

    This is not a PowerShell issue.  It is a GP issue.

    Run gpresult to get a full, readable, report.


    \_(ツ)_/

    Tuesday, April 23, 2019 12:38 PM

All replies

  • Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer -Filter 'userright = "SeAuditPrivilege"' -ComputerName $computer


    \_(ツ)_/

    Tuesday, April 23, 2019 11:55 AM
  • No.

    Command runs. 

    It doesnt return anything. I can see the right is assigned in Local Group Policy editor to a domain account.


    Tuesday, April 23, 2019 12:17 PM
  • That is a GP issue.  In a domain this can be overwritten by the domain applied policy.


    \_(ツ)_/

    Tuesday, April 23, 2019 12:20 PM
  • No. It is locally added right through local group policy. It doesnt go away even if in enforce GP apply on server. 

    Tuesday, April 23, 2019 12:34 PM
  • No. It is locally added right through local group policy. It doesnt go away even if in enforce GP apply on server. 

    The local policy will not go away.  Domain GP will overwrite the results.  Domain GP does not change local GP settings it just gets the last say.

    Look at the full results to see what policies are being applied.

    This is not a PowerShell issue.  It is a GP issue.

    Run gpresult to get a full, readable, report.


    \_(ツ)_/

    Tuesday, April 23, 2019 12:38 PM
  • Hi,

    I faced the same issue and my finding is that the "Get-WMIObject RSOP_UserPrivilegeRight" only display the UserRight which is defined in the GPO/or the required rights "i.e Manage Auditing and Security Log" etc... have been assigned to some users.

    Can try this command.

    Get-WMIObject RSOP_UserPrivilegeRight -namespace root\rsop\computer -ComputerName CompName | Select UserRight, AccountList

    it will display all the defined userRight and Accountlist


    • Edited by Nawaz Khan Wednesday, July 22, 2020 1:30 PM
    Wednesday, July 22, 2020 1:29 PM