Handle LSA Account Rights

Hi!

How do you assign local rights to a service account (local or domain)? Obviously there are several scenarios! That is the cool part. The first one is to do it manually, but let's be clear, this is not what you/I are looking for: our goal in life is to automate EVERYTHING possible.

No need to specify, but many privileges can be granted to services running on closed systems. Here is a short list of those rights:

  • SeAssignPrimaryTokenPrivilege
  • SeAuditPrivilege
  • SeBackupPrivilege
  • SeBatchLogonRight
  • SeChangeNotifyPrivilege
  • SeCreatePagefilePrivilege
  • SeCreatePermanentPrivilege
  • SeCreateTokenPrivilege
  • SeDebugPrivilege
  • SeIncreaseBasePriorityPrivilege
  • SeIncreaseQuotaPrivilege
  • SeInteractiveLogonRight
  • SeLoadDriverPrivilege
  • SeLockMemoryPrivilege
  • SeMachineAccountPrivilege
  • SeNetworkLogonRight
  • SeProfileSingleProcessPrivilege
  • SeRemoteShutdownPrivilege
  • SeRestorePrivilege
  • SeSecurityPrivilege
  • SeServiceLogonRight
  • SeShutdownPrivilege
  • SeSystemEnvironmentPrivilege
  • SeSystemProfilePrivilege
  • SeSystemtimePrivilege
  • SeTakeOwnershipPrivilege
  • SeTcbPrivilege
  • SeUnsolicitedInputPrivilege


At first glance, this is not possible by default in any PowerShell version. All my Bing searches pointed me to only three ways:

  • ntrights.exe
  • Set-Privilege (from PSCX module)
  • LsaAddAccountRights (C# API)

Let's have a look at how each of them works.

NTRights.exe

The simplest solution: this legacy utility was first published in the Windows Resource Kit, but it works perfectly on Windows 2008 R2... I don't know about 2012, but why not.

Microsoft says that you use it from the command line like this.

In PowerShell it could be something like this.
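As an added example (not the post's own snippet), here is how I would wrap NTRights.exe from PowerShell so the call is validated and checked rather than fire-and-forget. It uses the tool's documented `+r Right -u Account [-m \\Computer]` syntax (`-r` to revoke); the function name, the account and the right values are my own placeholders, and ntrights.exe is assumed to be on the PATH or passed via -ToolPath.

```powershell
# Added example (not from the original post): wrap the legacy NTRights.exe in a
# PowerShell function that validates input and fails loudly on a non-zero exit code.
# Assumptions: ntrights.exe is on PATH (or passed via -ToolPath) and the caller is an
# elevated administrator. Account and right values below are placeholders.
function Grant-NtRight {
    param(
        [Parameter(Mandatory = $true)] [string] $Account,   # e.g. 'DOMAIN\svc-placeholder'
        [Parameter(Mandatory = $true)] [string] $Right,     # e.g. 'SeServiceLogonRight'
        [string] $ComputerName,                             # optional remote target (-m \\name)
        [switch] $Revoke,                                   # use -r instead of +r
        [string] $ToolPath = 'ntrights.exe'
    )

    # Only accept well-formed right names; LSA right names start with 'Se' and end
    # in 'Privilege' or 'Right' (see the list at the top of the post).
    if ($Right -notmatch '^Se[A-Za-z]+(Privilege|Right)$') {
        throw "'$Right' does not look like an LSA right name"
    }
    if (-not (Get-Command $ToolPath -ErrorAction SilentlyContinue)) {
        throw "ntrights.exe not found at '$ToolPath' (Windows Resource Kit tool)"
    }

    $action = if ($Revoke) { '-r' } else { '+r' }
    $ntArgs = @($action, $Right, '-u', $Account)
    if ($ComputerName) { $ntArgs += @('-m', "\\$ComputerName") }

    Write-Verbose ("Running: {0} {1}" -f $ToolPath, ($ntArgs -join ' '))
    $output = & $ToolPath @ntArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ntrights.exe failed (exit code $LASTEXITCODE): $output"
    }
    $output
}

# Usage (placeholders): grant the 'Log on as a service' right to a service account.
# Grant-NtRight -Account 'DOMAIN\svc-placeholder' -Right 'SeServiceLogonRight' -Verbose
```

Checking `$LASTEXITCODE` matters because a native tool's failure does not become a PowerShell error on its own; without it a script would happily continue after a typo in the right name.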

 

Honestly this method is really simple, but who wants to use third party legacy utilities in their scripts if it's not mandatory?

 

PSCX / Set-Privilege

A PowerShell module everyone should have! It adds many powerful features to your PowerShell. You can download it here. This is a module, so again you need to add it to your script... But let's see how it works... nothing could be simpler!

We gather the privileges of the current user, we enable a particular privilege and we assign the privileges. There is always the WindowsIdentity parameter we can use to target a specific user! But there is a cooler method 🙂
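An added example of that three-step flow (gather, enable, assign), not the post's own snippet. It uses PSCX's Get-Privilege and Set-Privilege cmdlets; the Enable() method on the returned collection, the -Privileges parameter and the -Identity <WindowsIdentity> parameter are written as I recall them from the module's help, so treat them as assumptions and check `Get-Help Set-Privilege -Full` against your installed PSCX version. The function name is my own. One caveat worth knowing: Set-Privilege adjusts the privileges of a token that already holds them (enable/disable), it does not grant a new right to an account the way LsaAddAccountRights does.

```powershell
# Added example (not from the original post). Requires the PSCX module.
# Assumptions (verify with Get-Help Get-Privilege/Set-Privilege -Full on your PSCX build):
#   - Get-Privilege returns the token's privilege collection, which has an Enable(name) method
#   - Set-Privilege takes that collection via -Privileges and optionally -Identity <WindowsIdentity>
# Set-Privilege toggles privileges on a token that already holds them; it does not
# grant new rights to an account (that is what LsaAddAccountRights is for).
Import-Module Pscx -ErrorAction Stop

function Enable-TokenPrivilege {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,   # e.g. 'SeBackupPrivilege'
        # Target identity; defaults to the current process token.
        [System.Security.Principal.WindowsIdentity] $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    $privs = Get-Privilege -Identity $Identity            # 1. gather the token's privileges
    Write-Verbose ("Before:`n" + ($privs | Out-String))
    try {
        $privs.Enable($Name)                              # 2. mark the one privilege as enabled
        Set-Privilege -Privileges $privs -Identity $Identity   # 3. write the set back to the token
    } catch {
        # A token can only enable a privilege it already holds; make that failure explicit.
        throw "Could not enable '$Name' on the token (is it assigned to the account at all?): $_"
    }
    Get-Privilege -Identity $Identity                     # return the new state for inspection
}

# Usage (elevated session; the privilege must already be assigned to the account):
# Enable-TokenPrivilege -Name 'SeBackupPrivilege' -Verbose
```

Because the privilege must already be assigned to the account, this approach works for a script that needs to turn on a right it was granted (backup jobs, for example) but not for provisioning a service account; for that, the next section is the one to use.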

 

LsaAddAccountRights

For me, the best! This Windows API contains multiple functions to handle account privileges, and by default it is part of advapi32.dll, which you find at least on Windows 2008 R2 (not tested on 2012+)! I'm not going to make a training on how to use the Windows API, but I'll show you how to compile an assembly to use it in your scripts 🙂
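As an added example that is not the post's own code, here is one way to compile a small C# wrapper with Add-Type and call LsaAddAccountRights, with LsaEnumerateAccountRights used before (to stay idempotent) and after (to verify). The P/Invoke signatures follow the advapi32 LSA functions; the class name LsaRights, the account 'DOMAIN\svc-placeholder' and the right being granted are my own placeholders. It runs against the local machine's policy and needs an elevated session.

```powershell
# Added example (not from the original post): Add-Type wrapper around advapi32's
# LsaOpenPolicy / LsaAddAccountRights / LsaEnumerateAccountRights. Needs an elevated
# session. The class name and the account/right values below are placeholders.
$lsaSource = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class LsaRights
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName;
                                   public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }

    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] static extern uint LsaAddAccountRights(IntPtr PolicyHandle,
        IntPtr AccountSid, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle,
        IntPtr AccountSid, out IntPtr UserRights, out uint CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern int  LsaNtStatusToWinError(uint Status);

    const uint POLICY_CREATE_ACCOUNT = 0x00000010, POLICY_LOOKUP_NAMES = 0x00000800;
    const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;   // account holds no rights yet

    // LSA functions return NTSTATUS; convert to a Win32 error so the message is readable.
    static void Check(uint status)
    {
        if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status));
    }

    // Resolve "DOMAIN\name" to its SID and copy it to unmanaged memory (caller frees).
    static IntPtr SidFor(string account)
    {
        SecurityIdentifier sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        IntPtr p = Marshal.AllocHGlobal(raw.Length);
        Marshal.Copy(raw, 0, p, raw.Length);
        return p;
    }

    static IntPtr OpenPolicy()
    {
        LSA_OBJECT_ATTRIBUTES attrs = new LSA_OBJECT_ATTRIBUTES();
        attrs.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        IntPtr h;   // IntPtr.Zero as SystemName means the local machine's policy
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, out h));
        return h;
    }

    // Grant one right (e.g. SeServiceLogonRight) to an account on the local system.
    public static void Add(string account, string right)
    {
        IntPtr sid = SidFor(account), policy = IntPtr.Zero;
        LSA_UNICODE_STRING[] rights = new LSA_UNICODE_STRING[1];
        rights[0].Buffer = Marshal.StringToHGlobalUni(right);
        rights[0].Length = (ushort)(right.Length * 2);          // byte count, no terminator
        rights[0].MaximumLength = (ushort)((right.Length + 1) * 2);
        try { policy = OpenPolicy(); Check(LsaAddAccountRights(policy, sid, rights, 1)); }
        finally
        {
            if (policy != IntPtr.Zero) LsaClose(policy);
            Marshal.FreeHGlobal(rights[0].Buffer); Marshal.FreeHGlobal(sid);
        }
    }

    // List the rights an account currently holds, so the change can be verified.
    public static string[] Enumerate(string account)
    {
        IntPtr sid = SidFor(account), policy = IntPtr.Zero, buf = IntPtr.Zero; uint count = 0;
        try
        {
            policy = OpenPolicy();
            uint status = LsaEnumerateAccountRights(policy, sid, out buf, out count);
            if (status == STATUS_OBJECT_NAME_NOT_FOUND) return new string[0];
            Check(status);
        }
        finally { if (policy != IntPtr.Zero) LsaClose(policy); Marshal.FreeHGlobal(sid); }
        string[] result = new string[count];
        int size = Marshal.SizeOf(typeof(LSA_UNICODE_STRING));
        for (int i = 0; i < count; i++)   // one LSA_UNICODE_STRING per right in the returned array
        {
            LSA_UNICODE_STRING s = (LSA_UNICODE_STRING)Marshal.PtrToStructure(
                new IntPtr(buf.ToInt64() + i * size), typeof(LSA_UNICODE_STRING));
            result[i] = Marshal.PtrToStringUni(s.Buffer, s.Length / 2);
        }
        LsaFreeMemory(buf);
        return result;
    }
}
'@
# Add-Type refuses to load the same type twice in a session, so guard it.
if (-not ('LsaRights' -as [type])) { Add-Type -TypeDefinition $lsaSource -Language CSharp }

$account = 'DOMAIN\svc-placeholder'   # placeholder service account
$right   = 'SeServiceLogonRight'       # "Log on as a service"
if ([LsaRights]::Enumerate($account) -notcontains $right) {
    [LsaRights]::Add($account, $right)
}
"Rights now held by {0}: {1}" -f $account, ([LsaRights]::Enumerate($account) -join ', ')
```

A right granted this way is what the Local Security Policy console shows under User Rights Assignment, and it takes effect at the account's next logon (restart the service for a service account). On the detection side, when "Audit Authorization Policy Change" is enabled the grant is recorded as security event 4704 (A user right was assigned) and a removal as 4705, which is the signal to watch for unexpected rights assignments on servers.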

 

Here we go! For me this is the best solution to assign LSA rights without any third party or legacy utilities.

Regards