user rights assignment missing

Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

All of the User Rights that can be set:

Note You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

Note You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

• operationsManager
• troubleshooting
• certificates
• containerapps

• Programming
• Virtualization
• Productivity

Understanding User Rights Assignment - How to lock down or unlock your user's actions

Final notes

• https://www.experts-exchange.com/articles/3360/Understanding-User-Rights-Assignment-How-to-lock-down-or-unlock-your-user's-actions.html copy
• Active Directory

Comments (1)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

The Original Tech Community

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Can't edit Local Security Policy

I'm trying to add users to the Access this computer from the network User Rights Assignment policy but the 'Add' button is disabled:

I'm connecting to the machine via RDP using the local Administrator account (not a domain user). I've also tried to do the same with a domain user that is in the Administrators group but the result is the same.

How can I add a user to this policy?

The machine is running Windows 7.

• remote-desktop
• administrator
• group-policy

• You need to be using a domain user in the Administrator user group –  Ramhound Commented Aug 27, 2015 at 12:38
• I am using it (the built-in account..), but I login via RDP. does it matter? –  etaiso Commented Aug 27, 2015 at 12:38
• Your not using one, you indicated your using the local Administrator account, you need to be using a user connected to the domain with Administrator permissions. –  Ramhound Commented Aug 27, 2015 at 12:44
• I also tried that . it's the same –  etaiso Commented Aug 27, 2015 at 12:46
• Update your question; If I had know that; I could have saved time responding. –  Ramhound Commented Aug 27, 2015 at 12:51

You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy.

To modify this policy, either:

• Modify the policy in the applicable domain Group Policy Object.
• Prevent any domain-based GPOs from specifying this setting, then edit the computer's Local Group Policy.
• where can I find this policy in the GPO? –  marijnr Commented Jun 13, 2018 at 13:15
• 2 Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment –  I say Reinstate Monica Commented Jun 13, 2018 at 13:16

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows security remote-desktop administrator group-policy ..

• The Overflow Blog
• Detecting errors in AI-generated code
• Where developers feel AI coding tools are working—and where they’re missing...
• Featured on Meta
• User activation: Learnings and opportunities
• Preventing unauthorized automated access to the network

Hot Network Questions

• Does Newton's third law violate the law of energy conservation?
• Can I stack deck floor frames on top of each other?
• Why is China not mentioned in the Fallout TV series despite its significant role in the games' lore?
• Should punctuation (comma, period, etc.) be placed before or after the inches symbol when listing heights?
• Can Inductors be thought of as storing voltage?
• Looking for a book where a boy is transported to another world by a beam of light
• Identifying logical fallacy: X are Y but if you are X that doesnt do Y then this statement does not apply to you
• Why should an attacker perform a clickjacking attack when he can simulate the click with JavaScript?
• Why can’t acceleration in GR be defined the same way as in EM?
• Does AI use lots of water?
• The product of Jacobian determinants
• How to create repetitive coffee beans surface in relief?
• Measurement in the eigenbasis of the Hadamard gate
• Name of a Teen Sci Fi about convicts from different planets being dumped on a planet together
• What kind of Fibonacci subword at this offset?
• Firefox isn't upgraded on Debian: its ESR has 1.5 years old, ensuring it being discarded. How to ask a global upgrade from Debian or Mozilla team?
• "immer noch" meaning "still"
• How can I avoid gaps at the intersection of two lines in TikZ? Or is there a better way to draw them?
• Align equation to first row of matrix
• Is creating my own gods better than using existing ones?
• Execute 'Iterate Feature Selection' in ModelBuilder only if Features are Selected
• zener diode 1n4733a exceeds zener voltage
• How to decide which spline to use when conducting g-computation after weighting?
• How can an RS-422 transceiver not have a negative voltage rail?

  Windows OS Hub / Windows 10 / Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

In this article, we will look at several ways to manage non-admin user permissions to restart or shutdown Windows workstations or servers. By default, non-privileged users can only reboot and shut down desktop versions of Windows, and cannot restart a Windows Server host (shutdown and restart buttons are not available in the Start Menu). Is it possible to allow a user without local administrator privileges to restart Windows Server?  There is also a reverse task – how to prevent users from restarting a computer with Windows 10 or 11, which is used as an information kiosk, dispatch console, etc.

How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO

Allow remote shutdown/restart without admin permissions, disable (hide) shutdown or restart options from windows, how to find out who restarted/shutdown a windows server.

You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.

Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.

Open the Local Group Policy Editor ( gpedit.msc ) and navigate to the section specified above. As you can see, the members of local groups Administrators , Users and Backup Operators have the permission to shutdown/reboot a computer running Windows 10 or 11 .

On Windows Server 2022/2019/2016 , only Administrators or Backup Operators can shut down or restart the server. It is reasonable, since in most cases a non-admin user must not have the privileges to shutdown a server (even accidentally). Just imagine an RDS farm host that is often shuts down since users accidentally click on the “Shutdown” button in the Start menu…

On Active Directory domain controllers, the rights to shut down Windows are delegated to:

• Administrators
• Backup Operators
• Server Operators
• Print Operators

If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:

shutdown –r –t 0

If you want to allow a specific user (without administrator rights) to restart your Windows Server, you need to add their account to this policy and update the GPO settings on the computer .

You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:

ntrights +r SeShutdownPrivilege -u woshub\j.smith

To prevent a user from shutting down or restarting Windows:

ntrights -r SeShutdownPrivilege -u woshub\j.smith

Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting the computer that performs some kind of server function. In this case, just remove Users group from the local policy Shut down the system .

In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.

• Create the grpAllowRestartComputers user group in AD, to whom you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in ( dsa.msc ) or the New-ADGroup PowerShell cmdlet.  Add users to the group;

• Set the GPO name ( gpoAllowReboot ) and edit it;
• Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;

• Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;

You can allow some non-admin users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges, permission to log on through Remote Desktop (RDP) , or local logon permissions ( if this sign-in method is not allowed )

To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section ( User Rights Assignment ).

By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.

ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith

After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:

shutdown -m \\hamb-rds01 -r -f -t 0

Or using the Restart-Computer PowerShell cmdlet:

Restart-Computer –ComputerName hamb-rds01 –Force

If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:

Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan

If the user does not have permission to connect to the WMI namespace, an error will appear:

You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar

After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.

You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.

• Open the Registry Editor ( regedit.exe );
• Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown ;

REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f

Or using PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1

Also, you can hide other options in the Start Menu and Windows sign-in screen:

• Hide only thr Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart " /v "value" /t REG_DWORD /d 1 /f
• Hide Hibernate option from Start Menu in Windows: R EG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
• Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
• To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f

Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:

In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:

If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server : a user or one of the administrators.

Use the Event Viewer ( eventvwr.msc ) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074 .

As you can see, there are server restart events in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.

You can get information about recent Windows shutdown events using the same Event ID 1076 :

Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.

Get-EventLog -LogName System | where {$_.EventId -eq 1074} |select-object -first 10 | ForEach-Object { $rv = New-Object PSObject | Select-Object Date, User, Action, process, Reason, ReasonCode if ($_.ReplacementStrings[4]) { $rv.Date = $_.TimeGenerated $rv.User = $_.ReplacementStrings[6] $rv.Process = $_.ReplacementStrings[0] $rv.Action = $_.ReplacementStrings[4] $rv.Reason = $_.ReplacementStrings[2] $rv } } | Select-Object Date, Action, Reason, User, Process |ft

Fix: Can’t Extend Volume in Windows

Fix: windows needs your current credentials pop-up message, related reading, how to cast/mirror android screen to windows pc, get started with docker on windows (wsl2) without..., adding multiple alternate dns names for a windows..., how to hide or show the ‘safely remove..., enable hyper-v on windows 10/11 pro and home....

So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.

FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown

Thanks, but even so an advanced user would know to turn it off using other ways.

Thank you MT.. this helped..

On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?

I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃

Leave a Comment Cancel Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Current ye@r *

Leave this field empty

• Skip to primary navigation
• Skip to main content
• Skip to primary sidebar
• Skip to footer

SuperTekBoy

Practical Help for Exchange & Office 365

Exchange does not have Audit Security Privilege on the domain controller

January 6, 2018 By Gareth Gudger 9 Comments

While reviewing the event logs on your Exchange server you could encounter the following error.

We ran into this recently at a customer. This was an odd error because the description specified the name of one of our domain controllers as an “Exchange Computer”. That aside, my customer was receiving this error for two of their three domain controllers (dc02 & dc03). The error was also repeated across all their Exchange servers.

To make matters worse if the customer shut down the only domain controller not reported in these errors (dc01) Exchange would become completely unavailable. As the error stated, dc02 and dc03 were definitely not being used by the Exchange Active Directory Provider.

Further analysis of the event logs also revealed informational alert MSExchange ADAccess 2080. In this alert, we could see our three domain controllers with one striking difference.

In the eighth column (highlighted), dc01 was reporting a 1 whereas dc02 and dc03 were reporting a 0. All other column data was identical between the three servers. The words in parenthesis are actually the column headers. They don’t line up very well in event viewer but if we count to the eighth word we see the column is titled “SACL right”. What this means is that the Exchange servers are missing the SACL right on the domain controllers marked with a zero.  Or more specifically, Exchange is missing the right to manage the security and audit logs of those two domain controllers.

We actually discussed this same root cause back in September  for a different problem. In that article, the missing SACL right was preventing an Exchange schema update (and in turn a cumulative update) from completing. Needless to say, the fix in that article is the same for this error.

Fixing ‘MSExchange ADAccess Event ID 2112’

We discovered that the Default Domain Controllers Policy  (which is a group policy assigned to the domain controllers OU) had been deleted. It was uncertain when this may have happened but it was clear that the policy existed for dc01 but had been deleted prior to the existence of dc02 and dc03. The absence of this policy was not an issue. More-so it was a setting that comes predefined by that policy. The error we were receiving was due to the absence of the User Rights Assignment, Manage auditing and security logs . This right is granted to the Exchange Servers and Administrators  builtin groups.

The fix was to create a new policy with these permissions defined. Let’s explore those steps.

Note: Alternatively, you can replace the entire missing Default Domain Controller Policy by running the DCGPOFIX command: dcgpofix /ignoreschema /target:dc Special Thanks:   Michael B. Smith

From the Group Policy Management Console , expand the domain and right-click on the Domain Controllers OU. From the context menu select Create a GPO in this domain, and Link it here. Give the new policy a name and click Ok. In our case, we called it User Rights Assignment for Exchange .

Right-click on the new policy and select Edit . This will launch the  Group Policy Management Editor . Expand the following nodes.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Under  User Rights Assignments  double-click Manage auditing and security log .

Check the box  Define these policy settings . Click Add User or Group  and then  Browse . From the  Select Users and Computers  dialog add Exchange Servers . Repeat this process to add  Administrators . Click  Ok .

Allow time for Active Directory to replicate. You may also want to speed up the addition of the new policy by running GPUPDATE /FORCE from the command line on the problem domain controllers.

Once applied, this should mitigate error “MSExchange ADAccess  2112”. You should also see informational alert 2080 update the domain controller entries with a 1 in the SACL column.

We would love to hear from you. Have you seen any of these errors before? What did you do to fix it? Drop a comment below or come join the conversation on Twitter  @SuperTekBoy .

About Gareth Gudger

Gareth is a former Microsoft MVP (2016-2024) specializing in Exchange and Office 365. Gareth previously contributed to the Office 365 for IT Pros book, which is updated monthly with new content. Find Gareth on LinkedIn , X , or, Facebook .

Reader Interactions

Want to stay up to date.

Join thousands of IT professionals and get the latest Exchange & Office 365 tips and tutorials direct to your inbox

June 3, 2024 at 6:18 am

Thanks! Worked!

April 16, 2021 at 2:46 pm

Thank you! Helped me too.

August 31, 2020 at 6:10 am

Thanks a lot!!! This really saved me today.

July 17, 2020 at 3:09 pm

2020 checking in to say thank you.

September 4, 2019 at 11:36 am

thank you very much. saved our ass today 😉

July 12, 2019 at 2:23 pm

Worked on 2016 Exchange

January 17, 2019 at 12:32 pm

Great post, I also had this same problem and solved it perfectly. Thank you!

November 9, 2018 at 1:41 pm

Nice article Gareth! I just ran into the same issue after upgrading from 2013 CU 11 to CU 21. I had just added a new child domain and the exchange server was receiving errors about the new domain controllers not having the audit security privilege.

October 16, 2018 at 11:45 pm

thanks a lot .its worked

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Site Navigation

• Subscribe to blog
• About SuperTekBoy
• Privacy & Cookies

Join the conversation

UserRights Policy Deployment Using Intune | Group Policy Replacement

In this post, you will learn how to deploy UserRights policies successfully. I am grateful to my colleague Mark Thomas for helping me fix the issue.

You can use Intune to deploy security policies using out-of-box templates or Windows 10 custom policy CSP (UserRights Policy).

I checked Intune Administrative templates , Security baselines , and box Device restriction policies to find options to deploy Windows 10 UserRights settings. I couldn’t see any out-of-box policies related to UserRights settings.

• Manage Zoom Settings Using Intune Administrative Templates HTMD Blog (anoopcnair.com)
• Import Custom ADMX Administrative Templates In Intune MEM Portal HTMD Blog (anoopcnair.com)

I have two options to deploy UserRights settings:

Sign up to get the best of How To Manage Devices straight to your inbox!

• Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
• Custom Windows 10 policy CSP using Intune for Azure AD joined devices.

Custom Windows 10 Policy CSP

In this post, you shall take an example of the specific policy CSP called:

“./Device/Vendor/MSFT/Policy/Config/ UserRights / AccessFromNetwork “

I’m trying to provide “access from network” access to two user groups called “ Administrators ” and “ Remote Desktop Users .”

XML Format – First Try

I tried custom policy CSP using the Microsoft document recommendation here .

• Created custom Intune policy CSP using – Data Type -> String (XML File)

Sample XML for UserRights/AccessFromNetwork settings to add Remote Desktop UsersAdministrators (  note this symbol) groups

The Data Type string (xml file) policy CSP settings failed with following error :

String Option – UserRight/AccessFromNetwork

As you saw above, the string XML file option to deploy policy CSP failed. Next, try Data Type -> String with Windows 10 policy CSP.

I tried to look at the GitHub thread and use the following settings to deploy the UserRight/ AccessFromNetwork policy CSP.

The above setting was successfully applied on the Windows 10 device, but Intune shows an error -2016281112 (Remediation failed) . These error details are also explained in the above GitHub thread.

ASCII Value (  ) Issues with UserRights CSP

This is the option where my colleague Mark Thomas came to the rescue. Mark helped me FIX the Windows 10 custom policy CSP ASCII character-related issue.

NOTE – This ASCII value (  ) mismatch is also discussed in the GitHub thread.

String Value to provide “UserRight/AccessFromNetwork” access to the following groups:

• Administrators
• Remote Desktop Users

The following are the third and final options that were successful.

Policy CSP Settings Intune:

Results – UserRights Policy Deployment Using Intune | Group Policy Replacement

The Windows 10 custom policy CSP was successfully deployed without group policy settings. Happy modern management!

We are on WhatsApp . To get the latest step-by-step guides and news updates, Join our Channel.  Click here  – HTMD WhatsApp .

Anoop C Nair  is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

10 thoughts on “UserRights Policy Deployment Using Intune | Group Policy Replacement”

Works like a charm, thanks for going through all the pain for us. 🙂

Great to know … thank you for the feedback

Hi, where and how do I find the endpoint settings defined from Intune? For GPO, were the tools gpresults and rsop? Is there something similar for Intune? Thanks David

Diagreport from the client might help you

Hi Anoop, I am trying to restrict few user groups from interactive login to AzureAd joined devices and was exploring UserRights/DenyLocalLogOn. I did give the objectID of the azure ad group in the string but it didn’t work. Have you tried this? Also, is there any other better way to handle this?

Did you ever find a way to deny a local login using a CSP? I was trying to limit anyone in the local Guests group on the machine from logging in. This was my final setting that applied successfully after reading this article.

Name: DenyInteractiveLogonRight OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn Data type: String Value: Guests

Do you know if there is a way to include multiple domain users in this userrights CSP?

I tried with the separators included in this article but it is not working.

Thanks a lot

How do I add an Azure AD group to this list? I have tried just about everything, and cannot figure out how to do it.

Same for me, I was able to add specific AAD user but not an AAD group.. Tried with SID but does not work

It doesn’t appear to be possible to use a AAD group in the assignment which is terrible really. This should be a standard function

Leave a Comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How can I locate Registry key for Group policy settings?

How can I locate the registry entry for the below values

• Perform volume maintenance tasks
• Lock pages in memory

under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\User Rights Management .

I tried the below 3 ways.

• Find the Registry key for corresponding Group Policy : (1)Final Link broken (2)Couldn't locate above in reference guide or MSDN doc.
• Which Registry Settings a Group Policy Object Modifies : No policy-related registry key located in Procmon
• How Settings are Stored : Nothing insightful in the .ini file.

End goal is to automate configuration thru Powershell [ Set-ItemProperty ]

• group-policy
• windows-server-2016

3 Answers 3

As you can see in the Group Policy Settings Reference Guide (see your 1st link; in particular, Windows10andWindowsServer2016PolicySettings.xlsx document ), most of security settings (e.g. User Rights , Password Policy , Audit Policy etc.) are not registry keys . Those are stored in the Secedit.sdb database.

For your task, you can use Microsoft's secedit command line tool (at least, export and import):

secedit Configures and analyzes system security by comparing your current configuration to specified security templates. Syntax secedit [/analyze /db <database file name> /cfg <configuration file name> [/overwrite] /log <log file name> [/quiet]] [/configure /db <database file name> [/cfg <configuration filename>] [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]] [/export /db <database file name> [/mergedpolicy] /cfg <configuration file name> [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>]] [/generaterollback /db <database file name> /cfg <configuration file name> /rbk <rollback file name> [/log <log file name>] [/quiet]] [/import /db <database file name> /cfg <configuration file name> [/overwrite] [/areas [securitypolicy | group_mgmt | user_rights | regkeys | filestore | services]] [/log <log file name>] [/quiet]] [/validate <configuration file name>] Parameters Secedit: analyze Allows you to analyze current systems settings against baseline settings that are stored in a database. The analysis results are stored in a separate area of the database and can be viewed in the Security Configuration and Analysis snap-in. Secedit: configure Allows you to configure a system with security settings stored in a database. Secedit: export Allows you to export security settings stored in a database. Secedit: generaterollback Allows you to generate a rollback template with respect to a configuration template. Secedit: import Allows you to import a security template into a database so that the settings specified in the template can be applied to a system or analyzed against a system. Secedit: validate Allows you to validate the syntax of a security template.

Answer : Look for the below keys/entries under [Privilege Rights] section in the exported configuration file (you can add/change them easy using Powershell):

• SeLockMemoryPrivilege     Lock pages in memory
• SeManageVolumePrivilege  Perform volume maintenance tasks

Read (and follow) Windows Security Baselines as well:

A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

• Is there a way to read and write to Secedit.sdb using the Get-PolicyFileEntry cmdlet in the PolicyFileEditor module? –  Ayan Mullick Commented May 8, 2018 at 14:34
• 1 PolicyFileEditor module = commands and DSC resource for modifying Administrative Templates settings in local GPO registry.pol files. Nothing about Secedit.sdb afaik. –  JosefZ Commented May 8, 2018 at 19:37

While this answer isn't applicable for the policies specified in the question, I just wanted to throw https://admx.help in the ring for finding any registry keys relating to administrative templates policies. I prefer it over GPSearch mentioned by batistuta09 as it is much easier to read the information relating to the key/s, in my opinion.

To locate a desired key, scroll to and click on your OS of choice, then the policy categories trees for administrative templates we're all familiar with will appear on the right-hand side to be explored.

For example, I wanted to locate any keys associated with enabling the policy "Specify settings for optional component installation and component repair" locally on my Windows 10 machine (Local Computer Policy > Computer Configuration > Administrative Templates > System). On the website home page, you navigate as follows:

Windows 10 and Windows Server 2016 > Administrative Templates (Computers) > System > Specify settings for optional component installation and component repair

Once the policy is selected, any associated keys and their details are displayed clearly.

2022 edit: Updated url from getadmx.com to admx.help. Thanks, @Henke.

You can use GPSearch resource to get corresponding keys: https://gpsearch.azurewebsites.net/

Also, you can try to apply the policy and track the changes in the registry with Process Monitor: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

• The above policies don't show up on the GPSearch site probably since they aren't stored in the registry... –  Ayan Mullick Commented May 18, 2018 at 18:36

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged powershell group-policy windows-server-2016 automation ..

• The Overflow Blog
• Detecting errors in AI-generated code
• Where developers feel AI coding tools are working—and where they’re missing...
• Featured on Meta
• User activation: Learnings and opportunities
• Preventing unauthorized automated access to the network

Hot Network Questions

• What determines the resistance with which MOSFETs fail short?
• Is creating my own gods better than using existing ones?
• Batch Apex: Why is Salesforce giving me an "Internal Salesforce.com Error" when I try to execute a batchable inner class?
• Pulling myself up with a pulley attached to myself
• Adjective separated from it's noun
• Is it possible that cohesive energy of a material is positive but the phonon dispersion curve have negative frequencies?
• An everyday expression for "to dilute something with two/three/four/etc. times its volume of water"
• Possible distinction between operator-valued scalar & vectors functions in QM
• Inverse Gaussian with small mean has unreliable sample mean
• Is there a way to have my iPhone register my car which doesn't have carplay, only for the "Car is parked at"-feature?
• Where did the baseball term "lace" come from?
• How control for the number of observations in the models?
• Is it even possible to build a beacon to announce we exist?
• What is the Kingdom of Heaven?
• Flight qs101 has been only flying butterflies over an airport recently. What is this about?
• Why is China not mentioned in the Fallout TV series despite its significant role in the games' lore?
• Can you algebraically prove that a hexagon with glued opposite edges is a torus?
• Does AI use lots of water?
• How to create repetitive coffee beans surface in relief?
• How do I link a heading containing spaces in Markdown?
• Could a Project like Orion be built today with non nuclear weapons?
• Non-complex smooth sub manifolds of a complex manifold - examples?
• How can the doctor measure out a dose (dissolved in water) of exactly 10% of a tablet?
• What school of magic would the upper class want their children to learn quickly?

• NIST 800-53
• Common Controls Hub

Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Default permissions and user rights for IIS 7.0 and later

• 7 contributors

This article describes the default permissions and user rights that are set on certain folders and files. These folders and files are installed with Microsoft Internet Information Services (IIS) 7.0 and later.

Original product version:   Internet Information Services 8.0 Original KB number:   981949

Permission changes in IIS 6.0, IIS 7.0, and later versions

In IIS 6.0, a local account ( IUSR_MachineName ) is created when IIS is installed. The IUSR_MachineName account is the default identity that is used by IIS when Anonymous authentication is enabled. Anonymous authentication is used by both the File Transfer Protocol (FTP) service and the HyperText Transfer Protocol (HTTP) service. IIS 6.0 also contains a group that is named IIS_WPG . The IIS_WPG group is used as a container for all Application Pool Identities.

In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. The IUSR_MachineName account is created and used only when the FTP 6 server that is included on the Windows Server 2008 DVD is installed. If the FTP 6 server isn't installed, the account isn't created.

Beginning in IIS 7.5, a new security feature is added that is called Application Pool Identities . This feature lets you run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

For more information about IIS 7.0 accounts and groups, visit Understanding built-in user and group accounts in IIS 7 .

For more information about Application Pool Identities, visit Application Pool Identities .

Default NTFS file system permissions

The tables in this section list the default New Technology File System (NTFS) permissions that are assigned to certain folders and files. These folders and files are installed together with IIS 7.0, IIS 7.5, IIS 8.0, IIS 8.5, and IIS 10.0.

\inetpub\AdminScripts

\inetpub\AdminScripts\0409

\inetpub\custerr

\inetpub\custerr\en-us

\inetpub\ftproot

\inetpub\history and subfolders

\inetpub\logs

\inetpub\logs\FailedReqLogFiles

\inetpub\logs\wmsvc

\inetpub\temp

\inetpub\temp\apppools.

\inetpub\temp\ASP Compiled Templates

\inetpub\temp\IIS Temporary Compressed Files

\inetpub\wwwroot

\inetpub\wwwroot\aspnet_client

%windir%\system32\inetsrv

%windir%\System32\inetsrv\0409

%windir%\System32\inetsrv\config

%windir%\System32\inetsrv\config\Export

%windir%\System32\inetsrv\config\schema

%windir%\System32\inetsrv\en-us

%windir%\System32\inetsrv\History

%windir%\System32\inetsrv\MetaBack

Default registry permissions.

The tables in this section list the default registry permissions that are assigned when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed. When Read permissions are listed for users, the following permissions are included:

• Query Value
• Enumerate Subkeys
• Read Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Inetmgr

HKEY_LOCAL_MACHINE\Software\Microsoft\InetStp

Hkey_local_machine\software\microsoft\w3svc, hkey_local_machine\system\currentcontrolset\services\asp, hkey_local_machine\system\currentcontrolset\services\asp.net, hkey_local_machine\system\currentcontrolset\services\asp.net_2.0.50727, hkey_local_machine\system\currentcontrolset\services\aspnet_state, hkey_local_machine\system\currentcontrolset\services\http, hkey_local_machine\system\currentcontrolset\services\iisadmin, hkey_local_machine\system\currentcontrolset\services\w3svc, hkey_local_machine\system\currentcontrolset\services\was.

The WAS key is for the Windows Process Activation Service. This is a required dependency and is installed together with IIS.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMsvc

Default windows user rights assignments.

The table in this section lists the default local security policies and the users, the groups, or the users and groups that are assigned to the policy when IIS 7.0, IIS 7.5, IIS 8.0, or IIS 8.5 is installed.

Windows user rights that are assigned by local security policy

Was this page helpful?

Additional resources