SQL Server / Local Security Policies & PowerShell – Using PowerShell Community Extensions

Introduction

This post attempts to use “PowerShell Community Extensions” to augment a user’s “Local Security Policies”.

 

What Is?

What is “PowerShell Community Extensions”?

Here
PowerShell Community Extensions (PSCX) is aimed at providing a widely useful set of additional cmdlets, providers, aliases, filters, functions and scripts for Windows PowerShell that members of the community have expressed interest in.

Download

Let us download PowerShell Community Extensions from here.

The current version is 3.2; it was released back on 2014-Oct-23.

 

Install

License Agreement

[Screenshot: license agreement]

 

User Account Control

[Screenshot: User Account Control prompt]

 

Completed

[Screenshot: installation completed]

 

Usage

Introspection

Introduction

Let us look at the PSCX Module and see what commands are available for dealing with Privileges.

Code

Set-StrictMode -Version 2

# Import Module
Import-Module PSCX

$filterName = "Privilege"
$filterNameWildcard = "*" + $filterName + "*"


function getPSCXCommandsMatchingPrivilege()
{

	Write-Host "Module pscx // Commands like Privilege"
	Get-Command|where { ( ( $_.modulename -eq "pscx") -and  ($_.name -like $filterNameWildcard) )} |% {$_.name}

	Write-Host 
	Write-Host 

}
	
function getParmsForGetPrivilege()
{

	# get parameters for Get-Privilege
	$privGet = gcm Get-Privilege
	$parmListGet = $privGet.ParameterSets[0] | select -ExpandProperty parameters

	# display Parm List for Get-Privilege
	Write-Host "Parm List for Get-Privilege"
	$parmListGet

	Write-Host 
	Write-Host 
}

function getParmsForSetPrivilege()
{

	# get parameters for Set-Privilege
	$privSet = gcm Set-Privilege
	$parmListSet = $privSet.ParameterSets[0] | select -ExpandProperty parameters

	# display Parm List for Set-Privilege
	Write-Host "Parm List for Set-Privilege"
	$parmListSet

	Write-Host 
	Write-Host 

}


getPSCXCommandsMatchingPrivilege

getParmsForGetPrivilege

getParmsForSetPrivilege

Local Security Privileges Get / Set

Introduction

Let us see how to read and set privileges.

Code




param
(
     [Parameter(Mandatory=$true)]
     [String]$account
	 
     ,[Parameter(Mandatory=$true)]
     [String]$method      
)
     
Set-StrictMode -Version 2

[String]$log="";
[String]$privilegeSetOutput="";

[String]$CHAR_LINEBREAK = "===================================================================================="  

# Single quotes keep the label literal; only {0} is replaced with the path
$log = '$env:PSModulePath is {0}' -f $env:PSModulePath
Write-Host $Log

<# Method has to be get or set #>
if ($method -eq $null)
{
	Write-Error "Method is required.  Please specify as get or set"
	exit -1
}


if ( ($method -ne "get") -and ($method -ne "set") )
{
	Write-Error "Method is required.  Please specify as get or set"
	exit -1
}

$sidstr = $null
try {
	$ntprincipal = new-object System.Security.Principal.NTAccount "$account"
	$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
	$sidstr = $sid.Value.ToString()
} catch {
	$sidstr = $null
}

Write-Host "Account: $($account)" -ForegroundColor DarkCyan

if( [string]::IsNullOrEmpty($sidstr) ) {
	
	#Write-Host "Account not found!" -ForegroundColor Red
	
	$errLog = "Account ({0}) Not Found "-f $account
	Write-Host $errLog -ForegroundColor Red
	
	exit -1	
	
}

Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

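# Get Windows identity from account
# WindowsIdentity(String) expects a user principal name (UPN) and throws,
# rather than returning $null, when the account cannot be resolved
$userTargeted = $null
try {
	$userTargeted = new-object system.security.principal.windowsidentity($account)
} catch {
	$userTargeted = $null
}

if ($userTargeted -eq $null)
{

	$errLog = "Account ({0}) Not Found "-f $account
	
	Write-Host $errLog -ForegroundColor Red
	
	exit -2
	
}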

# Import Module
Import-Module PSCX

if ($method -eq "get")
{


	Write-Host ""
	$log = "Write out privileges for {0} {1} - Before" -f $account, $userTargeted.Name

	Write-Host $log

	Get-Privilege -Identity $userTargeted
	
	Write-Host ""
	Write-Host ""

}
elseif ($method -eq "set")
{

	Write-Host ""
	$log = "Write out privileges for {0} {1} - Before" -f $account, $userTargeted.Name
	Write-Host $log
	Get-Privilege -Identity $userTargeted
	
	
	Write-Host $CHAR_LINEBREAK
	

	# Instantiate Pscx.Interop.TokenPrivilegeCollection
	$privilegeSet = new-object  Pscx.Interop.TokenPrivilegeCollection

	# Add Pscx.Interop.TokenPrivilegeCollection - SeManageVolumePrivilege
	$priv = 'SeManageVolumePrivilege'
	$objPriv = New-object Pscx.Interop.TokenPrivilege($priv, $true) 
	$privilegeSet.Add($objPriv)
	
		
	$log = "Add privileges ...." 
	Write-Host $log

	
	$log = "`tAdd privilege for {0}" -f $priv
	Write-Host $log

	# Add Pscx.Interop.TokenPrivilegeCollection - SeLockMemoryPrivilege
	$priv = 'SeLockMemoryPrivilege'
	$objPriv = New-object Pscx.Interop.TokenPrivilege($priv, $true) 
	$privilegeSet.Add($objPriv)

	$log = "`tAdd privilege for {0}" -f $priv
	Write-Host $log

	#http://windowsitpro.com/powershell/save-output-powershell-pipeline-variable
	Set-Privilege -Identity $userTargeted -Privileges $privilegeSet  -outvariable privilegeSetOutput

	Write-Host $CHAR_LINEBREAK
	
	Write-Host ""
	$log = "Write out privileges -outvariable [{0}] " -f $privilegeSetOutput
	Write-Host $log


	$log = "Write out privileges for {0} {1} - After" -f $account, $userTargeted.Name
	Write-Host $log

	Write-Host ""
	Write-Host ""

	Get-Privilege -Identity $userTargeted

}
Write-Host ""

Invocation

Read Privileges

Code

set "_account=daniel.adeniji"
set "_method=get"

powershell ./LocalSecurityPolicies_PSCX.ps1 -account %_account%   -method %_method%

Output

[Screenshot: output of the get invocation, 2016-11-05 09:18 AM]

 

 

Set Privileges

Code

set "_account=daniel.adeniji"
set "_method=set"

powershell ./LocalSecurityPolicies_PSCX.ps1 -account %_account%   -method %_method%

Output

[Screenshot: output of the set invocation, 2016-11-05 09:21 AM]

Explanation
  1. Tried adding the following Local Security Policies
    • SeManageVolumePrivilege
    • SeLockMemoryPrivilege
  2. But, even though no error is reported, the privileges are not added
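
To check independently of PSCX whether the two rights are actually assigned in Local Security Policy, the following added example (not part of the original script) exports the user-rights assignments with secedit and looks for the account's SID. The function name Get-UserRightHolders and the temporary file name are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run elevated: secedit needs admin rights to export policy.
param([Parameter(Mandatory=$true)][String]$account)

Set-StrictMode -Version 2

# The two rights the script on this page tried to add
$rightsToCheck = 'SeManageVolumePrivilege', 'SeLockMemoryPrivilege'

# Hypothetical helper: returns a hashtable of right name -> list of holders
function Get-UserRightHolders([String]$infPath)
{
    # Parse "SeXxx = *S-1-5-...,name" lines from the [Privilege Rights] section
    $holders = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $infPath)
    {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$')
        {
            $holders[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $holders
}

# Resolve the account to its SID, the same way the script above does
$sid = (New-Object System.Security.Principal.NTAccount $account).Translate([System.Security.Principal.SecurityIdentifier]).Value

$infPath = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [Guid]::NewGuid())
try
{
    secedit /export /cfg $infPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
    $holders = Get-UserRightHolders $infPath
    foreach ($right in $rightsToCheck)
    {
        $entries = @()
        if ($holders.ContainsKey($right)) { $entries = $holders[$right] }
        # Entries are SIDs (exported with a leading *) or plain account names;
        # rights inherited through group membership are not detected here
        $assigned = ($entries -contains $sid) -or ($entries -contains $account)
        "{0,-26} assigned directly to {1}: {2}" -f $right, $account, $assigned
    }
}
finally
{
    Remove-Item -Path $infPath -ErrorAction SilentlyContinue
}
```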

Source Control

GitHub

Here is the code’s link

 

Closing

Please help!….

 
