ntrights.exe Windows 2008 R2 Resource Kit Tool? Does it exist or is there something similar I can use?

    Question

  • I am running Windows Server 2008 R2 Standard as a DC

    I am trying to add users/groups to the following local policies through a GPO, however I need to script it out using something similar to ntrights.exe. I do not want to do it through the GUI because this is going to be a recurring process.

    Below are the policies I am trying to configure via some kind of command prompt. I do not think I can do this with PowerShell 2.0 even with the import-module grouppolicy cmdlets.


    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon through Remote Desktop Services


    Would it be safe to copy the Windows Server 2003 ntrights.exe resource kit tool and try it on Windows Server 2008 R2? I am working on a virtual test lab environment so I can actually take a snapshot beforehand but wanted your expert thoughts on it first.


    Thank you in advance.

    Wednesday, August 18, 2010 9:29 PM

Answers

  • I found the solution... You can actually use "quoted" host names in the templates instead of the SIDs. Make sure that for Domain User Accounts you specify the Domain prefix. For Local User accounts you can just specify the local user name.

    The filename of the template that I made is LOCAL_SEC_TEMPLATE.inf


    Here's what's inside that LOCAL_SEC_TEMPLATE.inf template:

    [Unicode]
    Unicode=yes
    [Registry Values]
    [Privilege Rights]
    SeInteractiveLogonRight = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins"
    SeDebugPrivilege = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins"
    SeRemoteShutdownPrivilege = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins"
    SeSystemtimePrivilege = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins","LOCAL SERVICE"
    SeShutdownPrivilege = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins"
    SeRemoteInteractiveLogonRight = "Administrators","XXDIGIHD\DigiOps","XXDIGIHD\Domain Admins","Remote Desktop Users"
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Profile Description]
    Description=Local Security Template

    Here's how I applied the template to the Local Security Policy: (You can use PowerShell or the regular command prompt)


    SECEDIT /configure /db secedit.sdb /cfg "c:\LOCAL_SEC_TEMPLATE.inf"


    Here's the link on using SECEDIT >> http://www.appdeploy.com/tips/detail.asp?id=23


    Thanks for your help Gunter, this issue is solved.


    • Marked as answer by Jason G.. _ Thursday, August 19, 2010 4:10 PM
    Thursday, August 19, 2010 4:10 PM

All replies

  • Hi,

    You could also use the Security Configuration Tool Set (step-by-step guide here: http://technet.microsoft.com/en-us/library/bb742512.aspx) to create an INF file with these user right assignment options and then use the secedit.com command to apply the INF file via a script.

    Would this be an option in your situation?

    Regards,

    Gunter

    Thursday, August 19, 2010 8:28 AM
  • Here's the current test INF file:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Registry Values]
    MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
    [Privilege Rights]
    SeInteractiveLogonRight = *S-1-5-21-1653610456-3489481221-515528056-512,*S-1-5-32-544
    SeDebugPrivilege = *S-1-5-21-111656231-2377771670-4204916773-500,*S-1-5-32-544
    SeRemoteShutdownPrivilege = *S-1-5-21-1653610456-3489481221-515528056-512,*S-1-5-21-1653610456-3489481221-515528056-1115,*S-1-5-32-544
    SeShutdownPrivilege = *S-1-5-21-1653610456-3489481221-515528056-512,*S-1-5-21-1653610456-3489481221-515528056-1115,*S-1-5-32-544

    Using SECEDIT, this same INF file will be deployed among many other domains with different domain names, same user account names, but they will still have different SIDs.

    What do I have to do in PowerShell (or anywhere) in order to get the SIDs for the user accounts that I can specify using names like "Administrator" and so forth and replace the INF file with the correct SIDs? Do I have to use an XML for this?

    My problem is now the SIDs: I need to grab the current SIDs for the accounts in the domain and replace them automatically in the INF file, or some way where I can easily create the INF file with the right SIDs.

    Thank you Gunter.

    Thursday, August 19, 2010 2:27 PM
  • Hello,

    I have a similar problem rolling out permissions across my domain. I believe that applying the template above will overwrite any existing permissions on the machine. I'm trying to apply similar permissions for a single domain account across my entire domain, however I need to ensure that existing permissions are not lost; I simply want to append a single account.

    Can I use a security template to append permissions rather than overwrite?

    Thanks,

    Duncan.

    Tuesday, April 5, 2011 12:57 PM
  • Having a similar issue as well. Every time I apply a custom template, whatever users that were originally there get blown away and completely replaced by the users in the custom template. I'm not finding any way to preserve the original users outside of:

    1) Exporting the original policy

    2) Appending my custom users to the newly exported policy

    3) Importing the new template into a custom db

    HOWEVER, this will produce an output with user entries in the [Privilege Rights] section that refer to "Classic .NET AppPool", among others. If you try to import and configure with this, you get "No mapping between account names and security IDs was done" in the error log. Turns out you have to manually fix this by adding "IIS AppPool\" before the names of these AppPool entities. There's no telling how many other accounts need fixing as well; so far I've found "Classic .NET AppPool", "DefaultAppPool", and some other services will not round trip when trying to import into a custom db.

    EDIT:

    So far, I have had to replace all instances of:
    "Classic .NET AppPool" with "IIS AppPool\Classic .NET AppPool"
    "DefaultAppPool" with "IIS AppPool\DefaultAppPool"
    "ALL SERVICES" with "nt service\ALL SERVICES"

    Tuesday, April 5, 2011 2:34 PM
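The two problems raised above, appending one account to a user right without losing the accounts already assigned (Duncan's question and the reply after it) and resolving account names to SIDs so one template works across domains (Jason's earlier question), handled together in one added example. This is PowerShell written for this page, not code posted in the thread; the account 'CONTOSO\svc-backup', the two right names and the temp paths are placeholders, and the script assumes it runs elevated on the machine whose local policy is being changed.

```powershell
# Added example, not code posted in the thread. Appends one account to selected
# user rights while keeping every account already assigned, by exporting the
# current local policy, editing only the [Privilege Rights] lines, and re-importing.
# Run elevated. 'CONTOSO\svc-backup', the right names and the paths are placeholders.
param(
    [string]   $Account = 'CONTOSO\svc-backup',
    [string[]] $Rights  = @('SeServiceLogonRight', 'SeBatchLogonRight')
)

# Resolve the name to a SID once, so the same template works in any domain and
# so a name secedit cannot map (the "IIS AppPool\" case above) fails here, loudly,
# instead of during /configure. Translate() throws if the account does not exist.
$sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"   # secedit templates expect SIDs prefixed with '*'

$work     = Join-Path $env:TEMP 'ura-merge'
$exported = Join-Path $work 'current.inf'
$merged   = Join-Path $work 'merged.inf'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1) Export only the User Rights Assignment area of the current local policy.
secedit /export /cfg $exported /areas USER_RIGHTS /quiet | Out-Null

# 2) Merge: add $entry to each requested right, leaving all other rights untouched.
$lines   = Get-Content $exported
$present = @($lines | ForEach-Object { if ($_ -match '^(Se\w+)\s*=') { $matches[1] } })
$missing = @($Rights | Where-Object { $present -notcontains $_ })

$out = foreach ($line in $lines) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Rights -contains $matches[1]) {
        $name   = $matches[1]
        $values = @($matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($values -notcontains $entry) { $values += $entry }   # append, never replace
        "$name = $($values -join ',')"
    } elseif ($line -eq '[Privilege Rights]') {
        # A right assigned to nobody has no line at all; create it inside this section.
        $line
        foreach ($r in $missing) { "$r = $entry" }
    } else { $line }
}
Set-Content -Path $merged -Value $out -Encoding Unicode   # the template says Unicode=yes

# 3) Import the merged template into a fresh database, again limited to USER_RIGHTS.
secedit /configure /db (Join-Path $work 'merged.sdb') /cfg $merged /areas USER_RIGHTS /quiet

# 4) Verify: re-export and show the resulting lines for the rights that were touched.
secedit /export /cfg (Join-Path $work 'after.inf') /areas USER_RIGHTS /quiet | Out-Null
Get-Content (Join-Path $work 'after.inf') | Where-Object { $Rights -contains ($_ -split '\s*=')[0] }
```

Because the export is taken from the local database only, anything a domain GPO enforces will still be overwritten at the next policy refresh; the script changes the local setting, exactly as the posted SECEDIT commands do.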
  • Hi guys,

    I have had a lot of luck using NTRIGHTS.exe from the 2003 resource kit to accomplish this goal. Right now I'm using a simple .bat file which I've tested on several machines. Simply place NTRIGHTS.exe on a file share which is accessible by all your clients and run it from there. I'm no scripting expert so this .bat file can definitely be improved. Right now I'm mapping a drive to the location of ntrights.exe, but can this be changed to run from UNC?

    So far I have tested this method to set additional permissions without affecting existing permissions on 2003R2 x64 Server, 2008R2 x64 Server, and even Windows 7.

    Here's the contents of the bat file:

    net use k: \\sharename\splunkd
    k:
    ntrights -u mydomain\splunkd +r SeBatchLogonRight
    ntrights -u mydomain\splunkd +r SeServiceLogonRight
    ntrights -u mydomain\splunkd +r SeAssignPrimaryTokenPrivilege
    ntrights -u mydomain\splunkd +r SeTcbPrivilege
    ntrights -u mydomain\splunkd +r SeChangeNotifyPrivilege
    c:
    net use k: /delete


    • Proposed as answer by c.the.skeptic Friday, January 24, 2014 8:59 PM
    Thursday, April 7, 2011 7:34 PM
  • Although this is way past the actual post date, even then this helped! I did not have the privilege of a shared drive, so I used a combination of Robocopy and PsExec to make this work. Thank you!!

    P.S.: I ran this on Server 2012 and it worked.
    • Edited by c.the.skeptic Friday, January 24, 2014 9:03 PM Addition
    Friday, January 24, 2014 9:02 PM