set user rights assignment command line

Set Allow Log On Locally User Rights via Powershell, C# and CMD

Description:.

In this article, I am going to explain about how to set or configure Allow Log on Locally User rights/permission/privilege using Local Security Policy , Powershell , C# and Command Line tool.

Configure Allow log on locally user rights via Local Security Policy GUI

• Grant Allow log on locally user rights via Powershell
• Set Allow log on locally user rights via Command Line
• Set Allow log on locally user permission using C#

Follow the below steps to set Allow log on locally user rights via Local Security Policy

1. Open the Run window by pressing ‘ Windows’ + ‘ R’   keys. 2. Type the command secpol.msc in the text box and click OK.

3. Now the Local Security Policy window will be open, in that window navigate to the node User Rights Assignment ( Security Settings -> Local Polices ->User Rights Assignment ). In right side pane, search and select the policy Allow log on locally .

4. Double-click on the policy Allow log on locally , in the opened window click the button Add User or Group, select the user account you want to set Allow log on locally rights and click OK, and click Apply button to finish.

Set or Grant Allow log on locally user rights via Powershell

 We can set the  Allow log on locally user rights using Powershell by importing the third party DLL ( Carbon  ). Before you run the below script you need to the download latest Carbon files from here Download Carbon DLL .

Steps to follow to set Allow log on locally user rights  via Powershell  :

  1. Download latest Carbon files from here Download Carbon DLL .   2. If you have downloaded the files, extract the zip file and you could see the Carbon DLL inside bin folder (In my case: C:UsersAdministratorDownloadsCarbonbinCarbon.dll ).   3. Copy the below Powershell script commands and place it notepad or textfile.   4. Now you can replace your Carbon DLL path in following script for the variable $CarbonDllPath   5. You can also replace the user identity that you are going to set log on locally user rights in the variable $Identity   6. Now run as Powershell window with Admin Privilege ( Run as Administrator )   7. Copy the edited Powershell script and Run it in Powershell to configure Allow log on locally user rights.

Powershell output :

Other web site links for Carbon DLL:   https://bitbucket.org/splatteredbits/carbon/downloads   http://pshdo.com/   http://get-carbon.org/help/Grant-Privilege.html

Set Allow log on locally user right via Command Line tool

You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3. Use the below command to set log on locally user right using cmd.

Refer: http://support.microsoft.com/kb/266280

Set Log on Locally user right

Revoke Log on Locally user right

Set or Grant Allo Log on locally right/permission to user using C#

You can use the below function GrantLogonLocallyRights to set log on locally rights to user using C# code. This function uses the class LsaWrapper.

LsaWrapper class file

Share this:

Related posts.

• Change local system user account password using Powershell
• Remove user from local Administrator group using PowerShell
• Unlock AD User Account using Powershell script
• Check if AD user exists with PowerShell
• Set Office 365 user password via Powershell

Leave a Comment Cancel reply

Save my name, email, and website in this browser for the next time I comment.

Set and Check User Rights Assignment via PowerShell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

Local Computer

Remote computer, output types.

This post was last updated on October 11th, 2024

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

All of the User Rights that can be set:

Note You may edit line 558 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your PowerShell ISE and press play.

Note You may edit line 494 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

• operationsManager
• troubleshooting
• certificates
• containerapps

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

User rights assignment in Group Policy Object using powershell?

Not able to grant user rights assignment in group policy object using PowerShell Is there any way or command to add user rights in group policy?

Manual steps:

• Open Group Policy Management
• Navigate to the following path in the Group Policy Object
• Select Policy
• Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
• Add/remove the necessary users.

Active Directory A set of directory-based technologies included in Windows Server. 6,619 questions Sign in to follow Follow

Windows Server PowerShell Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications. PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language. 5,544 questions Sign in to follow Follow

I realise this post is quite old, but there is a post that talks about a way you could do this by building up a GPO, the same way the export/import GPO works in Powershell: https://jigsolving.com/gpo-deep-dive-part-1/ Within that article, there's a bare bones example of this on Github: https://github.com/Jigsolving/powershell/blob/main/User%20Rights%20Assignment%20GPO/create-customURAGPO.ps1

It definitely works, and this is just one way it can be done. The article focuses on basically building up the raw bones of a GPO that resembles what an exported GPO looks like, and then imports it.

Give this a try.

https://learn-powershell.net/2015/06/03/managing-privileges-using-poshprivilege

Thanks @MotoX80 for sharing this module Tried this module but it didn't work as per my expectations I am looking to add user rights in group policy in group policy management of domain controller but this module gives user rights in local policy. If you have another module or command please share I also tried Set-GPPermission but it is giving user permission to edit settings, delete, modify security.

I no longer have access to an AD environment, so I am not able to test. Perhaps another forum user can provide assistance.

Have you seen this page?

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759177(v=ws.11)?redirectedfrom=MSDN

https://www.ntweekly.com/2020/08/07/configure-a-group-policy-with-powershell/

Yes, already seen these pages And as per https://www.microsoft.com/en-au/download/details.aspx?id=25250 this link/sheet user rights assignment don't have registry keys.

Random thoughts from a retired sysadmin....

Well it has to be stored somewhere on the DC.

https://techgenix.com/group-policy-settings-part1/

Make a change to one policy and then search the sysvol folder and see if you can find the file that contains your update. If that's a text based file (not in binary format) then you might be able to update the policy just like you would update the content of any other text file.

I assume that you have already done the "Import-Module GroupPolicy" and searched for "GP" related commands as that page described. If you haven't, then you should start there.

Hi @ArpitShivhare-6858

I've had to do something similar in the past with automatic GPO generation, and the below was the only way I could find to do so. It basically creates the GPO manually, but it should work for your purposes

To add additional fields or users to the Local User Rights Assignments, I would recommend creating the GPO manually, then taking a look at the GptTmpl.inf file to see what format, values and syntax of the fields required. From my testing it uses SIDs, not the SamAccountName value, so you will have to pull the SID for each user that you need to add

Your answer