List all user rights assignment permissions in domain for specific account

Hi, this might be an overwhelming task but it is good to know whether this is possible. I want to list all permissions which are given to a specific account via GPOs (default domain policy and default domain controller policy). It is an account used by backup software, and in order to work properly this account had to be given a bunch of permissions (Create a token object, Log on as a batch job, etc.). Of course the given permissions can be seen in the Group Policy MMC, but I am interested only in getting the permissions given to that account and exporting these permissions to some file for the purpose of documenting them.

Thanks in advance.

You are talking about UserRights Assignments, not permissions. With that said, here is a nice looking module someone wrote that can do what you are asking. I have not tested it, but it looks very promising. Of course you should evaluate their code and confirm it will pose no threat to your environment before using anything taken from the internet.

https://userrights.codeplex.com/

Maybe I am wrong, but it seems this module does the job only for local user rights assignment on a given computer (local security policy). I need PowerShell code to retrieve user rights assignments given to a specific account via GPOs (rights assigned to the account in both Default Domain Policy and Default Domain Controller Policy).

Well, the rights on the local computer will be the culmination of the applied GPOs, so it would be the effective rights after the GPOs have applied. If you are wanting to specifically look at the GPOs themselves, you can use the GPO cmdlets. Specifically, if you are good at XML, you can use the Get-GPOReport cmdlet.

[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML

I know that, Curtis :-), rights on the local computer will be the result of applied GPOs on that computer. If used, this module has to be copied to one domain member machine and one domain controller and tested on both of them. Since you can do virtually anything with PowerShell nowadays, I assume there is some way to pull out user rights assignments from a GPO and filter them based on a specific account.

The only way I can think to get the GPO settings was in the second part of my previous statement.

If you are wanting to specifically look at the GPOs themselves, you can use the GPO cmdlets. Specifically, if you are good at XML, you can use the Get-GPOReport cmdlet.

[xml]$report = Get-GPOReport -Name "Default Domain Policy" -ReportType XML
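
An added example, not part of the thread: the Get-GPOReport approach suggested above, carried through to a per-account filter. The function name Get-GpoUserRight, the account EXAMPLE\svc-backup and the sample XML are constructed; the element names (UserRightsAssignment, Name, Member, SID) are an assumption about the report's layout and should be checked against your own report.

```powershell
# Added example (not from the thread). Element names are an assumed report layout.
function Get-GpoUserRight {
    param(
        [Parameter(Mandatory)][xml]$Report,     # [xml] output of Get-GPOReport -ReportType Xml
        [Parameter(Mandatory)][string]$Account  # 'DOMAIN\name' or SID string to match
    )
    $gpo = $Report.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
    # local-name() keeps the XPath independent of the report's namespace prefixes.
    foreach ($ura in $Report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
        $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
        foreach ($member in $ura.SelectNodes("*[local-name()='Member']")) {
            $name = $member.SelectSingleNode("*[local-name()='Name']")
            $sid  = $member.SelectSingleNode("*[local-name()='SID']")
            $nameText = if ($name) { $name.InnerText } else { '' }
            $sidText  = if ($sid)  { $sid.InnerText }  else { '' }
            # Direct matches only: rights held through group membership are not resolved.
            if ($nameText -ieq $Account -or $sidText -ieq $Account) {
                [pscustomobject]@{ GPO = $gpo; Right = $right; Account = $nameText; SID = $sidText }
            }
        }
    }
}

# Constructed, simplified sample report so the function can be run offline.
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Constructed Sample Policy</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
      <q1:UserRightsAssignment>
        <q1:Name>SeBatchLogonRight</q1:Name>
        <q1:Member><Name>EXAMPLE\svc-backup</Name></q1:Member>
      </q1:UserRightsAssignment>
      <q1:UserRightsAssignment>
        <q1:Name>SeBackupPrivilege</q1:Name>
        <q1:Member><Name>BUILTIN\Backup Operators</Name></q1:Member>
      </q1:UserRightsAssignment>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@
Get-GpoUserRight -Report $sample -Account 'EXAMPLE\svc-backup' | Format-Table -AutoSize

# Against the domain (needs the GroupPolicy module), exported for documentation:
# 'Default Domain Policy', 'Default Domain Controllers Policy' | ForEach-Object {
#     Get-GpoUserRight -Report ([xml](Get-GPOReport -Name $_ -ReportType Xml)) -Account 'EXAMPLE\svc-backup'
# } | Export-Csv .\svc-backup-rights.csv -NoTypeInformation
```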