

How to set Deny Logon Locally in PS Script?

Question

Tuesday, July 29, 2014 12:07 PM

Hello,

In the past I used "secedit" and an INF file in a CMD script to set "SeDenyRemoteInteractiveLogonRight" and "SeDenyInteractiveLogonRight" for a local user account on a local server. Now I have to switch my script to PowerShell, and I did not find a solution for my problem on the web.

Does anyone have an idea?

Regards, Stephan

All replies (3)

Thursday, July 31, 2014 3:20 PM ✅ Answered

Okay I made some changes and enhancements, with more thorough credit to authors where appropriate.  Since this forum seems to like eating code, I have it preformatted on my weblog: http://jordanmills.wordpress.com/2014/07/31/change-local-user-rights-assignment-from-powershell/


Thursday, July 31, 2014 12:28 AM | 1 vote

It is convoluted, to say the best. You'll need to load your own class and invoke it to do what you need. I think I have it working (from code someone else wrote), but I haven't tested it extensively.

Get the code from http://www.roelvanlisdonk.nl/?p=1151 . Note that there are errors in the PowerShell invocation of it.

Put the C# code in a variable:

$nativecode = @'

code here

'@

Then add the type:

Add-Type $nativecode;

Then call the AddPrivileges function with the computer\username and right parameters:

[MyLsaWrapper.LsaWrapper]::AddPrivileges("computername\username", "right");

For example:

[MyLsaWrapper.LsaWrapper]::AddPrivileges("jordan1-pc\serviceaccount", "SeServiceLogonRight");

Or:

[MyLsaWrapper.LsaWrapper]::AddPrivileges("jordan1-pc\localuser", "SeDenyRemoteInteractiveLogonRight");

[MyLsaWrapper.LsaWrapper]::AddPrivileges("jordan1-pc\localuser", "SeDenyInteractiveLogonRight");


Thursday, July 31, 2014 3:35 PM

I didn't get a chance to try your code, but it looks useful.  You could also just use ntrights.exe from the Windows Server 2003 Resource Kit; it is still useful with current Windows versions.

I hope this post has helped!
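
Added example, not from any poster in this thread: the secedit export/INF workflow described in the question, driven from PowerShell instead of CMD. The function names, temp file names and sample SID are hypothetical. Because a configured right replaces the whole assignment list, the helper merges the account's SID into the existing holders rather than overwriting them.

```powershell
# Added example: function names and the sample data are hypothetical.
function Add-SidToUserRight {
    param([string[]]$InfLines, [string]$Right, [string]$Sid)
    $entry   = "*$Sid"      # secedit INF files mark SIDs with a leading '*'
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $found   = $false
    $out = foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            $found   = $true
            $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members -notcontains $entry) { $members += $entry }   # keep existing holders
            "$Right = " + ($members -join ',')
        } else { $line }
    }
    if (-not $found) {
        # The right is not in the export yet: add it under [Privilege Rights].
        $out = foreach ($line in $out) {
            $line
            if ($line.Trim() -eq '[Privilege Rights]') { "$Right = $entry" }
        }
    }
    return $out
}

function Set-DenyLogonRights {
    # Run elevated on the target server. $Account is "computername\username".
    param([string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    $db  = Join-Path $env:TEMP 'user-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $lines = Add-SidToUserRight -InfLines $lines -Right $right -Sid $sid
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed: $LASTEXITCODE" }
    Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
}

# Offline demonstration on a constructed export (the SID is made up).
$sample = @('[Unicode]', 'Unicode=yes', '[Privilege Rights]',
            'SeDenyInteractiveLogonRight = Guest',
            '[Version]', 'signature="$CHICAGO$"', 'Revision=1')
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$result = Add-SidToUserRight -InfLines $sample -Right 'SeDenyInteractiveLogonRight' -Sid $sid
$result = Add-SidToUserRight -InfLines $result -Right 'SeDenyRemoteInteractiveLogonRight' -Sid $sid
$result
```

On a live server, call Set-DenyLogonRights "computername\username" from an elevated session, then re-run the export to confirm both rights list the account's SID.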