User rights assignment in Group Policy Object using powershell?

Arpit Shivhare 1 Reputation point
2022-10-07T11:17:15.287+00:00

Not able to grant user rights assignment in group policy object using PowerShell
Is there any way or command to add user rights in group policy?

Manual steps:

  1. Open Group Policy Management
  2. Navigate to the following path in the Group Policy Object
  3. Select Policy
  4. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
  5. Add/remove the necessary users.

Image of rights which needs to be assigned

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,844 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,994 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,406 questions
{count} votes

2 answers

Sort by: Most helpful
  1. MotoX80 32,246 Reputation points
    2022-10-07T13:16:08.237+00:00

  2. Lein Baart 166 Reputation points
    2022-10-12T12:04:15.087+00:00

    Hi @ArpitShivhare-6858

    I've had to do something similar in the past with automatic GPO generation, and the below was the only way I could find to do so. It basically creates the GPO manually, but it should work for your purposes

    #Get details of user(s)   
    $user = Get-ADUser *username*  
      
    #Create text required for GptTmpl.inf file for the GPO, inserting the SIDs of the user(s) found previously  
    $text = "[Unicode]  
    Unicode=yes  
    [Version]  
    signature=`"`$CHICAGO$`"  
    Revision=1  
    [Privilege Rights]  
    SeTcbPrivilege = *$($user.SID)  
    SeIncreaseQuotaPrivilege = *$($user.SID)  
    SeChangeNotifyPrivilege = *$($user.SID)  
    SeBatchLogonRight = *$($user.SID)  
    SeServiceLogonRight = *$($user.SID)  
    SeManageVolumePrivilege = *$($user.SID)  
    SeAssignPrimaryTokenPrivilege = *$($user.SID)"  
      
    #Get domain controller to run all commands against  
    $dc = Get-ADDomainController  
      
    #Create new GPO  
    $newGPO = New-GPO -Name "Your GPO Name" -Server $dc  
      
    #Create new SecEdit directory in the GPO folder in SYSVOL  
    New-Item "\\EXAMPLE.COM\SYSVOL\EXAMPLE.COM\Policies\{$($newGPO.id)}\Machine\Microsoft\Windows NT\SecEdit" -ItemType Directory  
      
    #Create GptTmpl.inf file in SecEdit folder  
    $text | Out-File "\\EXAMPLE.COM\SYSVOL\EXAMPLE.COM\Policies\{$($newGPO.id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"  
      
    #Set CSEs for new GPO - NB! otherwise settings won't be picked up by either the Group Policy Management console or the client  
    Set-ADObject "CN={$($newGPO.id)},CN=Policies,CN=System,DC=EXAMPLE,DC=COM" -Replace @{gPCMachineExtensionNames="[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"} -Server $dc  
      
    #Force AD to process new GPO  
    $newGPO | Set-GPRegistryValue -Key HKLM\SOFTWARE -ValueName "Default" -Value "" -Type String -Server $dc  
    $newGPO | Remove-GPRegistryValue -Key HKLM\SOFTWARE -ValueName "Default" -Server $dc  
    

    To add additional fields or users to the Local User Rights Assignments, I would recommend creating the GPO manually, then taking a look at the GptTmpl.inf file to see what format, values and syntax of the fields required. From my testing it uses SIDs, not the SamAccountName value, so you will have to pull the SID for each user that you need to add

    0 comments No comments