.NET library for managing local security policy (User Rights Assignment). This library was written to use in PowerShell Module SecurityPolicy providing easy way to manage local security policy.
| ConstantName | Group Policy Setting |
|---|---|
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller |
| SeNetworkLogonRight | Access this computer from the network |
| SeTcbPrivilege | Act as part of the operating system |
| SeMachineAccountPrivilege | Add workstations to domain |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
| SeInteractiveLogonRight | Allow log on locally |
| SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services |
| SeBackupPrivilege | Back up files and directories |
| SeChangeNotifyPrivilege | Bypass traverse checking |
| SeSystemtimePrivilege | Change the system time |
| SeTimeZonePrivilege | Change the time zone |
| SeCreatePagefilePrivilege | Create a pagefile |
| SeCreateTokenPrivilege | Create a token object |
| SeCreateGlobalPrivilege | Create global objects |
| SeCreatePermanentPrivilege | Create permanent shared objects |
| SeCreateSymbolicLinkPrivilege | Create symbolic links |
| SeDebugPrivilege | Debug programs |
| SeDenyNetworkLogonRight | Deny access to this computer from the network |
| SeDenyBatchLogonRight | Deny log on as a batch job |
| SeDenyServiceLogonRight | Deny log on as a service |
| SeDenyInteractiveLogonRight | Deny log on locally |
| SeDenyRemoteInteractiveLogonRight | Deny log on through Remote Desktop Services |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system |
| SeAuditPrivilege | Generate security audits |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeIncreaseWorkingSetPrivilege | Increase a process working set |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
| SeLoadDriverPrivilege | Load and unload device drivers |
| SeLockMemoryPrivilege | Lock pages in memory |
| SeBatchLogonRight | Log on as a batch job |
| SeServiceLogonRight | Log on as a service |
| SeSecurityPrivilege | Manage auditing and security log |
| SeRelabelPrivilege | Modify an object label |
| SeSystemEnvironmentPrivilege | Modify firmware environment values |
| SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session |
| SeManageVolumePrivilege | Perform volume maintenance tasks |
| SeProfileSingleProcessPrivilege | Profile single process |
| SeSystemProfilePrivilege | Profile system performance |
| SeUndockPrivilege | Remove computer from docking station |
| SeAssignPrimaryTokenPrivilege | Replace a process level token |
| SeRestorePrivilege | Restore files and directories |
| SeShutdownPrivilege | Shut down the system |
| SeSyncAgentPrivilege | Synchronize directory service data |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects |
using System;
using LocalSecurityEditor;
namespace TestApp {
internal class Program {
static void Main() {
string[] accounts;
Console.WriteLine("[*] Accessing server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper()) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Adding Account to the Server");
using (LsaWrapper lsa = new LsaWrapper()) {
lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
Console.WriteLine("[*] Accessing server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper()) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Accessing server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper()) {
lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
using (LsaWrapper lsa = new LsaWrapper("")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
}
}
}using System;
using LocalSecurityEditor;
namespace TestApp {
internal class Program {
static void Main() {
string[] accounts;
Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Adding Account to the Server");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
}
}
}string serviceName = "ADSync";
string serviceExpectedSid = "S-1-5-80-3245704983-3664226991-764670653-2504430226-901976451";
string serviceSid = NTService.GenerateSID(serviceName);
Console.WriteLine($"The SID for the service '{serviceName}' is: {serviceSid} {serviceExpectedSid} {(serviceSid == serviceExpectedSid)}");This library was created based on help from mutliple sources. Without those, it wouldn't be possible.