List all user rights assignment permissions in domain for specific account

This topic contains 5 replies, has 2 voices, and was last updated by Curtis Smith 1 year, 1 month ago.

  • #32484
    Bojan Zivkovic
    Participant

    Hi, this might be an overwhelming task, but it is good to know whether this is possible. I want to list all permissions which are given to a specific account via GPOs (Default Domain Policy and Default Domain Controller Policy). It is an account used by backup software, and in order to work properly this account had to be given a bunch of permissions (Create a token object, Log on as a batch job, etc.). Of course, the given permissions can be seen in the Group Policy MMC, but I am interested only in getting the permissions given to that account and exporting these permissions to some file for the purpose of documenting them.

    Thanks in advance.

  • #32485
    Curtis Smith
    Participant

    You are talking about User Rights Assignments, not permissions. With that said, here is a nice-looking module someone wrote that can do what you are asking. I have not tested it, but it looks very promising. Of course, you should evaluate their code and confirm it will pose no threat to your environment before using anything taken from the internet.

    https://userrights.codeplex.com/

  • #32486
    Bojan Zivkovic
    Participant

    Maybe I am wrong, but it seems this module does the job only for local user rights assignment on a given computer (local security policy). I need PowerShell code to retrieve user rights assignments given to a specific account via GPOs (rights assigned to the account in both Default Domain Policy and Default Domain Controller Policy).

  • #32487
    Curtis Smith
    Participant

    Well, the rights on the local computer will be the culmination of the applied GPOs, so it would be the effective rights after the GPOs have applied. If you are wanting to specifically look at the GPOs themselves, you can use the GPO cmdlets. Specifically, if you are good at XML, you can use the Get-GPOReport cmdlet.

    [xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML

  • #32488
    Bojan Zivkovic
    Participant

    I know that, Curtis :-), rights on the local computer will be the result of applied GPOs on that computer. If used, this module has to be copied to one domain member machine and one domain controller and tested on both of them. Since you can do virtually anything with PowerShell nowadays, I assume there is some way to pull out user rights assignments from a GPO and filter them based on a specific account.

  • #32494
    Curtis Smith
    Participant

    The only way I can think of to get the GPO settings was in the second part of my previous statement.
    ...

    If you are wanting to specifically look at the GPOs themselves, you can use the GPO cmdlets. Specifically, if you are good at XML, you can use the Get-GPOReport cmdlet.

    [xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML
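
The Get-GPOReport approach from the replies above, carried through to a filtered export. This is an added example, not code posted by either participant. It assumes the XML report holds one UserRightsAssignment element per right, each with a Name and one Member (Name, SID) per trustee; the account name, output path and function name are hypothetical.

```powershell
# Added example. Requires the GroupPolicy module (GPMC / RSAT) for Get-GPOReport.
function Get-GpoUserRight {
    param(
        [Parameter(Mandatory)][xml]$Report,      # output of Get-GPOReport -ReportType Xml
        [Parameter(Mandatory)][string]$GpoName,  # only used to label the output rows
        [Parameter(Mandatory)][string]$Account   # 'DOMAIN\name' or a SID string
    )
    # Assumed layout: <UserRightsAssignment> contains <Name> (the right, for
    # example SeBatchLogonRight) and one <Member> per trustee with <Name> and <SID>.
    # local-name() keeps the match independent of the report's namespace prefixes.
    foreach ($ura in $Report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
        foreach ($member in $ura.SelectNodes("*[local-name()='Member']")) {
            $nameNode = $member.SelectSingleNode("*[local-name()='Name']")
            $sidNode  = $member.SelectSingleNode("*[local-name()='SID']")
            $name = if ($nameNode) { $nameNode.InnerText } else { '' }
            $sid  = if ($sidNode)  { $sidNode.InnerText }  else { '' }
            # -eq is case-insensitive for strings; match on either name or SID.
            if ($name -eq $Account -or $sid -eq $Account) {
                [pscustomobject]@{
                    GPO       = $GpoName
                    UserRight = $right
                    Account   = $name
                    SID       = $sid
                }
            }
        }
    }
}

$account = 'CONTOSO\svc-backup'   # constructed placeholder, replace with the real account
# 'Default Domain Controllers Policy' is the built-in display name of the DC policy.
$gpoNames = 'Default Domain Policy', 'Default Domain Controllers Policy'

$gpoNames | ForEach-Object {
    [xml]$report = Get-GPOReport -Name $_ -ReportType Xml
    Get-GpoUserRight -Report $report -GpoName $_ -Account $account
} | Export-Csv -Path .\UserRights-svc-backup.csv -NoTypeInformation
```

Only rights assigned to the account directly are matched; rights it receives through group membership appear under the group's name, so run the function again for each group the account belongs to.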
