Powershell to get User Rights and Permissions at OS Level.

  • Question

  • Hello Team,

    The requirement is to script out all the Rights and Permissions assigned to a Specific user (both domain and local account) at OS level. 

    Ex: Extracting the information from gpedit, filesystem, and other locations where the user is part of. 

    Being a novice at PowerShell, I need help in getting this information.

    Monday, August 12, 2019 6:38 PM

Answers

  • The problem is, what does "query the rights on servers for specific accounts" mean, exactly?

    The question is vague and unspecific. As jrv noted, "rights" has a specific meaning in Windows security and is a separate concept from "permissions."

    Without correct use of terms, it's not possible to give guidance, because there's no way to know whether the answer given has a valid relationship to the question.

    And aside from that, even if we did understand the question, this is not a security advice or a script request forum (which has already been noted in the very first reply in this thread).

    This is a good example of what has sometimes been called an unanswerable drive-by question.


    -- Bill Stewart [Bill_Stewart]


    Friday, August 16, 2019 4:59 PM
    Moderator

All replies

  • Please read the very first post at the top of this forum:

    This forum is for scripting questions rather than script requests


    -- Bill Stewart [Bill_Stewart]

    Monday, August 12, 2019 7:07 PM
    Moderator
  • I got it, being a DBA, any direction you can guide me to extract OS level.
    Tuesday, August 13, 2019 3:47 PM
  • I got it, being a DBA, any direction you can guide me to extract OS level.

    I suggest that you search for help on this.

    Rights are assigned on a per-server basis.  You will have to query all servers for all users' rights then filter things as needed.  There is no command or script to do this.  You will have to learn how this works and write a script to do this as needed.

    Here is the tool that you will need: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit


    \_(ツ)_/

    Tuesday, August 13, 2019 3:53 PM
  • apologies for late reply,

    Thanks Jrv, yup, I want per server only for specific user account/group. (Domain or Local). for example if a user is part of replace a process level token. I just want to display the same as output.

    I just found an article on file level permissions, so working on it.

    But will be glad, if you have any sample PowerShell script so that I can take care from there.

    Thursday, August 15, 2019 3:43 PM
  • The problem is that the scope of your request is extremely broad. What is it you really want to know, and why? And also, why do you think there's a script that can answer all of your questions?

    You really need to narrow in on what precise information you are really looking for. I'm not sure your question is really a good fit for this forum in the first place.


    -- Bill Stewart [Bill_Stewart]

    Thursday, August 15, 2019 3:49 PM
    Moderator
  • "Rights" are not part of the file system.  They are applied at system level per system and are not directly readable.

    Running as a user, "whoami" will return the current user's rights by testing all rights to see if they are available and applied.

    "Permissions" are per object (file, folder, driver, device, etc.) and can only be gleaned by querying each device or object for the ACL and testing for the user.

    There are third party tools that can do this.  They are not free.


    \_(ツ)_/

    Thursday, August 15, 2019 4:22 PM
  • The first step in asking a good question is to understand the scope of the question one is asking. It doesn't do much good to say "tell me everything," because often you're just creating extra work for no reason.

    Example: When you are looking for more information, it helps to say what you need the information for.


    -- Bill Stewart [Bill_Stewart]


    Thursday, August 15, 2019 4:40 PM
    Moderator
  • Also, under current NT nomenclature, "rights" are all "Privileges".
    A user is granted the privilege (right) to log on or "Debug programs".  Many "privileges" are inherited from the groups a user is a member of.

    For objects we have "permissions".  An object "permits" something.  Permission is granted to groups and users (account objects).

    If permissions are managed correctly in the file system or registry then users are not directly referenced.  Instead the permissions are granted to a group and the user is added to the group.

    As Bill has noted - it is necessary to first understand the scope of your problem.  To understand the scope we must first obtain the correct terms and the full technical context.

    I have always taught my programmers and techs to start by doing the research to learn the terminology and context until they can formulate a clear technical question. This will also help them to determine the scope of the issue.  Research is always the first place to start.  The path of the research is dependent on the issue.  For many things it is as simple as reading the help file(s).

    Consultants are like doctors.  They talk to you - the patient - and attempt to decode through dialog the issue you seek to resolve.  The consultant then performs the research when necessary.  This is why forums cannot act as consultants.  The format of a forum is not conducive to the dialog that needs to occur to extract a clear understanding of the problem.  Unfortunately, for untrained techs, it is hard to understand this issue since lack of training means that a tech does not know how to do the basic research needed to ask a simple, forum-ready question.

    Do a bit of research and narrow your scope to something that is less than a complete solution and you will find answers faster.


    \_(ツ)_/

    Thursday, August 15, 2019 5:10 PM
  • Sure, I understand Bill, just asked whether we have any built-in PowerShell cmdlet to query the rights on servers for specific accounts. If it has to be done the hard way, I just asked for guidance. Anyways, as part of an audit requirement we want to develop a tool to control and monitor rights on servers.
    Friday, August 16, 2019 3:54 PM
  • yes, you are absolutely correct jrv, I will do some insight and will visit again.
    Friday, August 16, 2019 3:58 PM
  • Sure, I understand Bill, just asked whether we have any built-in PowerShell cmdlet to query the rights on servers for specific accounts. If it has to be done the hard way, I just asked for guidance. Anyways, as part of an audit requirement we want to develop a tool to control and monitor rights on servers.

    There is no built in PS tool to get "Rights".  

    You can use SECEDIT to extract the rights settings from the system.

    https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/secedit

    I still don't think you understand what this is and what you are asking.  As noted above - you will need to obtain a third party tool to do the auditing you are asking about.

    Here are some scripts that manage and report rights/privileges in various ways.

    https://gallery.technet.microsoft.com/site/search?query=get%20privileges&f%5B0%5D.Value=get%20privileges&f%5B0%5D.Type=SearchText&ac=5


    \_(ツ)_/

    Friday, August 16, 2019 4:04 PM
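
Added example, not part of the thread or any poster's script: one way to use the SECEDIT export mentioned above to list the user rights assigned directly to one account or group on the local server. The `$Account` parameter and the output property names are assumptions of this sketch; it needs an elevated session, and it does not expand rights a user inherits through group membership, so run it once per group the user belongs to.

```powershell
# Added example. Lists user rights (privileges) assigned directly to $Account
# on this server, read from a secedit export of the local security policy.
param(
    [Parameter(Mandatory)] [string] $Account   # e.g. 'DOMAIN\user' or 'BUILTIN\Administrators'
)

# Resolve the account to a SID so it can be compared with the SIDs secedit writes.
$sidType   = [System.Security.Principal.SecurityIdentifier]
$targetSid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value

$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights assignment area.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        # Track which INF section we are in; rights live under [Privilege Rights].
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $entries = $Matches[2] -split ','
            foreach ($entry in $entries) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                # Entries are either '*S-1-...' (a SID) or a plain account name.
                if ($entry.StartsWith('*')) {
                    $sid = $entry.Substring(1)
                } else {
                    try   { $sid = ([System.Security.Principal.NTAccount]$entry).Translate($sidType).Value }
                    catch { $sid = $null }   # name no longer resolves; skip it
                }
                if ($sid -eq $targetSid) {
                    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $Account; Right = $right }
                }
            }
        }
    }
}
finally {
    # The export is a copy of security policy; do not leave it in TEMP.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```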