How to list windows privileges for any user
You can use AccessChk in accomplish this task.
Accesschk “domain\user” -a *
will list all the permissions of a given domain user.
You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about.
For anybody looking for a PowerShell script, this ought to do it:
gwmi Win32_UserProfile | foreach-object {
$sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
$user = $sid.Translate([System.Security.Principal.NTAccount])
$username = $user.Value
$username
$chkCmd = "accesschk """ + $username + """ -a * -q"
iex $chkCmd
""
}
It gets the list of users who have a profile on the local machine, determines their names from the SID, and invokes accesschk
- as recommended by Ramhound - on them. Each user's record starts with the username in DOMAIN\user
format, contains each right on a line, and ends with a blank line. (SID translation courtesy of this article.) You can dump its stuff to a file with the redirection operator, >
.
A caveat of AccessChk is that it seems to produce an empty list for domain users that don't have local admin rights. Therefore, this version that produces the above information for every known user in the domain and on the machine is a little lame, but may become useful with a future version of the tool:
gwmi Win32_UserAccount | foreach-object {
$username = $_.Caption
$username
$chkCmd = "accesschk """ + $username + """ -a * -q"
iex $chkCmd
""
}
If you're wondering what secedit
is talking about, it's just getting the list of principals (in SID form) to which the rights have been assigned in User Rights Assignment (see secpol.msc
). Therefore, you'll usually see the SIDs for groups like Users or Administrators rather than specific people.
This script may help you. It offers the following functions, all using pure PowerShell:
- Grant-UserRight
- Revoke-UserRight
- Get-UserRightsGrantedToAccount
- Get-AccountsWithUserRight
- Grant-TokenPrivilege
- Revoke-TokenPrivilege