Privileges/Revoke-Privilege.ps1
|
# Copyright 2012 Aaron Jensen # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. function Revoke-Privilege { <# .SYNOPSIS Revokes an identity's privileges to perform system operations and certain types of logons. .DESCRIPTION Valid privileges are documented on Microsoft's website: [Privilege Constants](http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716.aspx) and [Account Right Constants](http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671.aspx). Known values as of August 2014 are: * SeAssignPrimaryTokenPrivilege * SeAuditPrivilege * SeBackupPrivilege * SeBatchLogonRight * SeChangeNotifyPrivilege * SeCreateGlobalPrivilege * SeCreatePagefilePrivilege * SeCreatePermanentPrivilege * SeCreateSymbolicLinkPrivilege * SeCreateTokenPrivilege * SeDebugPrivilege * SeDenyBatchLogonRight * SeDenyInteractiveLogonRight * SeDenyNetworkLogonRight * SeDenyRemoteInteractiveLogonRight * SeDenyServiceLogonRight * SeEnableDelegationPrivilege * SeImpersonatePrivilege * SeIncreaseBasePriorityPrivilege * SeIncreaseQuotaPrivilege * SeIncreaseWorkingSetPrivilege * SeInteractiveLogonRight * SeLoadDriverPrivilege * SeLockMemoryPrivilege * SeMachineAccountPrivilege * SeManageVolumePrivilege * SeNetworkLogonRight * SeProfileSingleProcessPrivilege * SeRelabelPrivilege * SeRemoteInteractiveLogonRight * SeRemoteShutdownPrivilege * SeRestorePrivilege * SeSecurityPrivilege * SeServiceLogonRight * SeShutdownPrivilege * SeSyncAgentPrivilege * SeSystemEnvironmentPrivilege * SeSystemProfilePrivilege * SeSystemtimePrivilege * SeTakeOwnershipPrivilege * SeTcbPrivilege * SeTimeZonePrivilege * SeTrustedCredManAccessPrivilege * SeUndockPrivilege * SeUnsolicitedInputPrivilege .LINK Get-Privilege .LINK Grant-Privilege .LINK Test-Privilege .LINK http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716.aspx .LINK http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671.aspx .EXAMPLE Revoke-Privilege -Identity Batcomputer -Privilege SeServiceLogonRight Revokes the Batcomputer account's ability to logon as a service. Don't restart that thing! #> [CmdletBinding()] param( [Parameter(Mandatory=$true)] [string] # The identity to grant a privilege. $Identity, [Parameter(Mandatory=$true)] [string[]] # The privileges to revoke. $Privilege ) Set-StrictMode -Version Latest if( -not (Test-Identity -Name $Identity) ) { Write-Error -Message ('[Carbon] [Revoke-Privilege] Identity {0} not found.' -f $identity) ` -Category ObjectNotFound return } # Convert the privileges from the user into their canonical names. $cPrivileges = Get-Privilege -Identity $Identity | Where-Object { $Privilege -contains $_ } if( -not $cPrivileges ) { return } try { [Carbon.Lsa]::RevokePrivileges($Identity,$cPrivileges) } catch { Write-Error -Message ('Failed to revoke {0}''s {1} privilege(s).' -f $Identity,($cPrivileges -join ', ')) $ex = $_.Exception while( $ex.InnerException ) { $ex = $ex.InnerException Write-Error -Exception $ex } } } |