The previous article showed how to manually grant the Power Users group the Debug Program user right so that the AppPool behind an IIS worker process can be identified. Anyone who has done this for real knows it has to become a batch job to be practical; otherwise, deploying to a few hundred machines would mean clicking until your eyes glaze over.

For Windows administration batch jobs, PowerShell is the natural first choice. Microsoft offers no ready-made tool, but the TechNet Script Center already has a powerful user-rights management module written by a developer; everyone who has used it praises it, and I sincerely recommend it too!

Usage is simple: download UserRights.psm1, run Import-Module .\UserRights.psm1 in a Cmder or PowerShell console, and four handy commands become available:

  • Get-UserRightsGrantedToAccount: queries the user rights granted to a given account or group
  • Get-AccountsWithUserRight: queries the accounts or groups that hold a given user right
  • Grant-UserRight: grants a given user right to an account or group
  • Revoke-UserRight: removes a given user right from an account or group

Here is a complete walkthrough:

  1. Import-Module
  2. Query the rights held by Power Users, and query those held by Users for comparison
  3. Query the accounts or groups that hold SeDebugPrivilege; initially only Administrators has it
  4. Use Grant-UserRight to add Power Users, then query again to confirm that both Administrators and Power Users now have SeDebugPrivilege
  5. Use Revoke-UserRight to remove the right from Power Users and query once more; SeDebugPrivilege is back to Administrators only

Besides running against the local machine, adding the parameter -Host with a machine name or IP lets you target a remote machine, which is extremely convenient.

The user right is specified with a constant such as SeDebugPrivilege. The lookup table of constants can be found in the MS Docs documentation; it is reproduced here for easy reference:

| Group Policy Setting | Constant Name |
|---|---|
| Access Credential Manager as a trusted caller | SeTrustedCredManAccessPrivilege |
| Access this computer from the network | SeNetworkLogonRight |
| Act as part of the operating system | SeTcbPrivilege |
| Add workstations to domain | SeMachineAccountPrivilege |
| Adjust memory quotas for a process | SeIncreaseQuotaPrivilege |
| Allow log on locally | SeInteractiveLogonRight |
| Allow log on through Remote Desktop Services | SeRemoteInteractiveLogonRight |
| Back up files and directories | SeBackupPrivilege |
| Bypass traverse checking | SeChangeNotifyPrivilege |
| Change the system time | SeSystemtimePrivilege |
| Change the time zone | SeTimeZonePrivilege |
| Create a pagefile | SeCreatePagefilePrivilege |
| Create a token object | SeCreateTokenPrivilege |
| Create global objects | SeCreateGlobalPrivilege |
| Create permanent shared objects | SeCreatePermanentPrivilege |
| Create symbolic links | SeCreateSymbolicLinkPrivilege |
| Debug programs | SeDebugPrivilege |
| Deny access to this computer from the network | SeDenyNetworkLogonRight |
| Deny log on as a batch job | SeDenyBatchLogonRight |
| Deny log on as a service | SeDenyServiceLogonRight |
| Deny log on locally | SeDenyInteractiveLogonRight |
| Deny log on through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight |
| Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege |
| Force shutdown from a remote system | SeRemoteShutdownPrivilege |
| Generate security audits | SeAuditPrivilege |
| Impersonate a client after authentication | SeImpersonatePrivilege |
| Increase a process working set | SeIncreaseWorkingSetPrivilege |
| Increase scheduling priority | SeIncreaseBasePriorityPrivilege |
| Load and unload device drivers | SeLoadDriverPrivilege |
| Lock pages in memory | SeLockMemoryPrivilege |
| Log on as a batch job | SeBatchLogonRight |
| Log on as a service | SeServiceLogonRight |
| Manage auditing and security log | SeSecurityPrivilege |
| Modify an object label | SeRelabelPrivilege |
| Modify firmware environment values | SeSystemEnvironmentPrivilege |
| Perform volume maintenance tasks | SeManageVolumePrivilege |
| Profile single process | SeProfileSingleProcessPrivilege |
| Profile system performance | SeSystemProfilePrivilege |
| Remove computer from docking station | SeUndockPrivilege |
| Replace a process level token | SeAssignPrimaryTokenPrivilege |
| Restore files and directories | SeRestorePrivilege |
| Shut down the system | SeShutdownPrivilege |
| Synchronize directory service data | SeSyncAgentPrivilege |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege |

Addendum: list of Windows built-in accounts and groups

With this handy set of PowerShell tools, a loop over hostnames passed through the -Host parameter can batch-configure rights across a whole group of hosts, and the query commands let you check the state of each right and keep the output as evidence. Deploying user rights will no longer be a problem.
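As an added example (not code from the post or from the module's author), here is what that per-host loop could look like with the four cmdlets listed above, recording before/after evidence and flagging any account holding the right outside an expected baseline. It assumes the module sits in the current folder, that the cmdlets take -Account, -Right and -Host as the post describes, and that Get-AccountsWithUserRight returns objects whose Account property holds the account names; hosts.txt is a constructed input file with one hostname per line.

```powershell
# Added example, not part of the original post or of the UserRights.psm1 module.
# Assumed: the module sits in the current folder; the cmdlets take -Account, -Right
# and -Host (named as in the post; confirm with Get-Help Grant-UserRight on your copy);
# Get-AccountsWithUserRight returns objects whose .Account property lists the names.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions so the catch below sees them
Import-Module .\UserRights.psm1

$hostList = Get-Content .\hosts.txt   # constructed input: one hostname or IP per line
$right    = 'SeDebugPrivilege'
$account  = 'Power Users'
# Accounts expected to hold the right once the rollout is done (domain prefix ignored).
$baseline = @('Administrators', $account)
$evidence = @()

# Plain account names holding $right on $computer, e.g. "Administrators".
function Get-RightHolders([string]$computer) {
    $names = (Get-AccountsWithUserRight -Right $right -Host $computer).Account
    return @($names | ForEach-Object { ($_ -split '\\')[-1] })
}

foreach ($h in $hostList) {
    try {
        $before = Get-RightHolders $h
        if ($before -notcontains $account) {
            Grant-UserRight -Account $account -Right $right -Host $h
        }
        $after = Get-RightHolders $h
        # Drift check: SeDebugPrivilege lets a process read and control any other
        # process, so any holder outside the baseline deserves a follow-up.
        $unexpected = @($after | Where-Object { $baseline -notcontains $_ })
        $evidence += [pscustomobject]@{
            Host       = $h
            Before     = $before -join ';'
            After      = $after -join ';'
            Unexpected = $unexpected -join ';'
            Status     = $(if ($after -contains $account) { 'OK' } else { 'NOT APPLIED' })
        }
    }
    catch {
        # Keep going past unreachable hosts; the error itself is part of the evidence.
        $evidence += [pscustomobject]@{ Host = $h; Before = ''; After = ''
                                        Unexpected = ''; Status = "ERROR: $($_.Exception.Message)" }
    }
}

# Evidence file for the change record, plus a summary on screen.
$evidence | Export-Csv -Path ".\UserRights-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
$evidence | Format-Table -AutoSize
```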

Tips on how to use PowerShell to query, grant and revoke user rights.


Comments

# by Jun

Where can UserRights.psm1 be downloaded? Thanks.

# by Jeffrey

To Jun: the Gallery link has stopped working for some reason; I found a copy on GitHub: https://github.com/MightyCrizo/cis-microsoft-windows-server-2016-benchmark-powershell/blob/master/UserRights.psm1
