Get-AdComputers AdUser has rights to logon?


    • #198584
      Participant

      Recently I was pondering whether it is possible to determine all computers a specific AD user has rights to log on to in the domain. I wasn't sure if I should start with retrieving all AD computers, or find all groups the user is a member of and then compare?
      I assumed that in AD there was some way to have it tell me this AD user object does not have logon rights to this AD computer without querying the machine directly.

      Any suggestions would be great.

    • #198602
      Participant

      Logon rights are provided on the computer:

      https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-locally

      As the KB article mentions, these rights are by default assigned to the following local groups on the server:

      By default, the members of the following groups have this right on workstations and servers:

      Administrators
      Backup Operators
      Users

      Then a user or group is typically added to these groups, normally ‘Administrators’. Some companies will create Local\Global Active Directory groups and then assign the group so that Active Directory can be queried, but by default there isn’t a method to determine what resources are assigned to a user. It’s actually one of the biggest issues in IT security that there is no link to fully determine what is assigned to a user; solutions need to be built to create as much audit capability as possible.
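
The approach the reply describes, as an added example that is not part of the thread: resolve the user's nested group SIDs from AD, then query each computer's local Administrators, Backup Operators and Users groups (the default holders of "Allow log on locally") and report where a match occurs. It assumes the RSAT ActiveDirectory module, WinRM access to the targets, and PowerShell 5.1 or later on them for Get-LocalGroupMember; the parameter and variable names are my own.

```powershell
# Added example, not from the thread. Audit which domain computers grant a user
# logon rights via the default local groups; AD itself stores no such link, so
# each machine must be queried directly, as the reply above explains.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName   # hypothetical default
)
Import-Module ActiveDirectory

# 1. The user's own SID plus every group SID it carries, nested groups included
#    (tokenGroups is a constructed attribute; it needs -Identity, not -Filter).
$user     = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$userSids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
# Everyone and Authenticated Users are implied memberships; drop these two SIDs
# if you only want explicitly assigned users and groups reported.
$userSids += 'S-1-1-0', 'S-1-5-11'

# 2. Local groups that hold "Allow log on locally" by default, per the KB article.
$localGroups = 'Administrators', 'Backup Operators', 'Users'

# 3. Enabled computers in scope, reached directly over WinRM.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Where-Object DNSHostName |
             Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ArgumentList (,$localGroups) -ScriptBlock {
        param($groups)
        foreach ($g in $groups) {
            # Emit one row per (group, member SID); orphaned SIDs are skipped silently.
            Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Group = $g; Sid = $_.SID.Value } }
        }
    }

# 4. Keep the rows where one of the user's SIDs is a member of a listed group.
$results |
    Where-Object { $userSids -contains $_.Sid } |
    Select-Object PSComputerName, Group, Sid |
    Sort-Object PSComputerName, Group
```

This reflects the default group assignment only; where Group Policy has changed the right, compare against the SeInteractiveLogonRight line of `secedit /export /cfg <file>` on the machine.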

    • #198605
      Participant

      Thank you Rob,

      I was afraid of that. I had known I could evaluate the groups on the local machine, but hoped maybe there was something else I hadn't thought of.
