Logon As Service Rights with PowerShell
In this post, we'll look at a PowerShell script that helps administrators find the accounts that hold the 'Logon As Service' right (SeServiceLogonRight). This right allows an account to log on as a service, that is, to be the identity under which a Windows service runs, which can be crucial in certain scenarios, such as troubleshooting or maintenance tasks.
Prerequisites
Before we dive into the script, ensure you have the following installed:
* PowerShell 3 or later
* Windows Server 2008 R2 or later (for secedit.exe functionality)
The Script
Let's break down the script into its logical sections. We'll examine each part and provide explanations to help you better understand what it does.
function Get-LOASGroupMembers() {
    Clear-Host
    # secedit.exe writes the exported policy (an .inf file) to this temporary path
    $tmp = [System.IO.Path]::GetTempFileName()
    Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
    # The export needs an elevated (administrator) session
    secedit.exe /export /cfg "$($tmp)" | Out-Null
This section of the script starts by clearing the console host and creating a temporary file using the `GetTempFileName` method. It then exports the current local security policy to that file with `secedit.exe /export` (the export requires an elevated session). The function body continues in the sections below.
    $c = Get-Content -Path $tmp
    Remove-Item -Path $tmp -Force   # the export is no longer needed once it has been read
    $currentSetting = ""
    foreach ($s in $c) {
        # The line we want looks like: SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0
        if ($s -like "SeServiceLogonRight*") {
            $x = $s.Split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
            $currentSetting = $x[1].Trim()
        }
    }
Here, the script reads the contents of the temporary file and initializes an empty string to store the current setting. It then loops through each line in the file and checks whether it starts with `SeServiceLogonRight` using the `-like` operator. When the line is found, the script splits it on `=` and keeps the trimmed right-hand side (the comma-separated list of principals) in the `$currentSetting` variable.
    Write-Host "`nThe following user accounts have 'Logon As Service' rights`n" -ForegroundColor DarkCyan
    $sids = $currentSetting.Split(',')
    $users = @()
    foreach ($s in $sids) {
        # secedit prefixes each SID with '*'; strip it before building the SecurityIdentifier
        $sid = $s.Replace("*", "").Trim()
        if ([string]::IsNullOrEmpty($sid)) { continue }   # empty value when no account holds the right
        try {
            $objSID = New-Object System.Security.Principal.SecurityIdentifier("$sid")
            $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
            $name = $objUser.Value
        } catch {
            # Orphaned or foreign SID that cannot be resolved: keep it visible rather than abort
            $name = "<unresolved>"
        }
        $user = [pscustomobject] @{
            username = $name
            sid      = $sid
        }
        Write-Host $user.username ":" $user.sid
        $users += $user
    }
    # Return the objects so the result can be piped, e.g. to Where-Object
    return $users
}
In this section, the script processes the `$currentSetting` string to extract the list of SIDs (Security Identifiers) that hold the 'Logon As Service' right. It then loops through each SID, creates a `SecurityIdentifier` object, translates it to an `NTAccount` object (the familiar DOMAIN\name form), and constructs a custom PowerShell object (`pscustomobject`) with the account's username and SID. The script writes the results to the console and stores them in an array.
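As an added example that is not part of the original post, the following PowerShell parses a secedit export the same way the script does, but runs offline against a constructed sample and flags SeServiceLogonRight holders that are not on an expected baseline (the sample export text, the baseline SIDs and the function names are assumptions made for this example).

```powershell
# Added example (not from the original post): parse a secedit.exe /export .inf and
# flag SeServiceLogonRight holders that are not on an expected baseline.
# $exportText is a constructed sample; on a real host use the file written by
#   secedit.exe /export /cfg <path>   (run elevated)
$exportText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SeceditPrivilegeRights {
    # Returns a hashtable: right name -> array of principals (SIDs without the '*' prefix)
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs carry a leading '*', account names do not
            $rights[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-PrincipalName {
    param([string]$Id)
    if ($Id -notmatch '^S-1-') { return $Id }   # already an account name
    try   { return ([System.Security.Principal.SecurityIdentifier]$Id).Translate([System.Security.Principal.NTAccount]).Value }
    catch { return "<unresolved> $Id" }         # orphaned/foreign SID: still worth reviewing
}

# Assumed baseline for this example: NETWORK SERVICE (S-1-5-20) and NT SERVICE\ALL SERVICES (S-1-5-80-0)
$baseline = @('S-1-5-20', 'S-1-5-80-0')

$rights = ConvertFrom-SeceditPrivilegeRights -Lines ($exportText -split "`r?`n")
foreach ($holder in $rights['SeServiceLogonRight']) {
    $status = if ($baseline -contains $holder) { 'baseline' } else { 'REVIEW' }
    '{0,-8} {1}' -f $status, (Resolve-PrincipalName -Id $holder)
}
```

The constructed domain SID in the sample will not resolve on your host and is reported as unresolved, which is exactly the case (an orphaned or foreign SID still holding the right) that a review should surface rather than skip.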
Key Code Snippets
function Get-LOASGroupMembers() {
This is the main entry point of the script, which defines the `Get-LOASGroupMembers` function.
$sids = $currentSetting.split(',')
This line splits the `$currentSetting` string into an array of SIDs using the comma as a delimiter.
$user = [pscustomobject] @{
username = $objUser.Value
sid = $sid
}
This code creates a custom PowerShell object (`pscustomobject`) to store the user's information, including their username and SID.
Usage Examples
You can run this script in two ways:
* Run `Get-LOASGroupMembers` directly to retrieve all users with 'Logon As Service' rights.
* Pipe the output to a filtering command, such as `Get-LOASGroupMembers | where {$_.username -eq "Domain\username"}`, to find specific user accounts.
Conclusion
In this post, we explored the PowerShell script `Get-LOASGroupMembers` and its capabilities in revealing the users who possess 'Logon As Service' rights. By understanding the logic behind the script, you can use it to gain valuable insights into your organization's security settings.