January 1, 2012 at 12:00 am #5017
by willsteele at 2012-08-16 20:15:12
I need to find a way to determine if a user can log onto a given machine. The user may be either a local, workgroup or domain user. It doesn't have to be elaborate, maybe, just take a machine name (or IP) and user name.
by JeffH at 2012-08-17 06:07:18
It isn't too difficult to get a list of local user accounts from a computer. If the computer belongs to a domain, then every domain user should be able to log on, unless you've done something really exotic with Group Policy to restrict who can logon to a domain member. Other than looking at local members I'm not sure where you are going with this. I can't envision a scenario where a domain account couldn't logon to a machine.
by willsteele at 2012-08-17 06:13:41
It's a subroutine I'll be using to validate whether someone can write/modify files on a server. Just a quick permissions check to indicate if a given user will have issues running a particular set of scripts or not.
by DonJ at 2012-08-17 07:01:20
That's hard, actually. You're dealing with effective permissions, and there isn't a "native" PowerShell tool that can run the calculation for you (that I've heard of). I mean, think about it – you have to start at the root of the volume, enumerate groups, and make sure there isn't a Deny in the permissions chain somewhere, right?
by JeffH at 2012-08-17 07:37:01
Ah, that's really a different problem than your original post. As Don points out this is going to be difficult from a script. Sometimes scripting or PowerShell is not the answer to a problem. This sounds like one of those situations where a 3rd party product designed for managing permissions is the better choice. Perhaps something like this: http://scriptlogic.com/products/security-explorer/
Really comes down to the right tool for the job.
by coderaven at 2012-08-17 07:39:19
There are just a few things you would have to check I think.
Look in the Local Policy Effective Settings
1. Allow Log on Locally
2. Allow Log on through Remote Desktop Service (or Terminal Services depending on OS Version)
In addition you could check the AD User Account for the LogonWorkstations Attribute.
Sorry I do not have a script for you, but if you export the settings as HTML report and use a regular expression to find the setting, you should be set.
by willsteele at 2012-08-17 07:45:57
Thanks Jeff and Don. I had never tried to do this, so, I hadn't realized the in depth nature of the task. And, I can see how that would be a pretty in depth task. Appreciate the feedback.
You must be logged in to reply to this topic.