JSI Tip 3301. How can I report the privileges granted to users or groups?


The Windows 2000 Server Resource Kit Supplement One contains Showpriv.exe, a new command-line tool that displays the users and groups that have been granted a specified privilege.

The tool works on Windows 2000 and Windows NT 4.0 and has no remote option: run it on the computer whose rights you want to see. It reads that computer's local security (LSA) policy, which holds the assignments in force after any Group Policy has been applied, so what it shows is what accounts actually hold on that machine, not only what was set by hand.

The syntax is:

showpriv privilege

where privilege is one of the following case-sensitive parameters:

SeTcbPrivilege
SeMachineAccountPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeSystemTimePrivilege
SeCreatePagefilePrivilege
SeCreateTokenPrivilege
SeCreatePermanentPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeRemoteShutdownPrivilege
SeAuditPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeSystemEnvironmentPrivilege
SeProfileSingleProcessPrivilege
SeSystemProfilePrivilege
SeUndockPrivilege
SeAssignPrimaryTokenPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSyncAgentPrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege

The list above covers privileges only. The logon rights assigned through the same User Rights Assignment policy (SeInteractiveLogonRight, SeNetworkLogonRight, SeServiceLogonRight, SeBatchLogonRight and the corresponding SeDeny rights) are not privileges, so neither Showpriv's parameter list nor the report below includes them.

Because Showpriv works one privilege at a time, I have scripted a report that runs it for every privilege above and pivots the results into one listing of ALL the privileges held by each user and group. ShowRights.bat takes no parameters. It needs Showpriv.exe on the path (if Showpriv cannot be found, every privilege silently reports as unassigned), and it writes the report to ShowRights.txt in the current folder. The report will look similar to the following:
Account                                 Privilege
----------------------------------------------------------------------
BUILTIN\Administrators                  SeAssignPrimaryTokenPrivilege   
                                        SeAuditPrivilege                
                                        SeBackupPrivilege               
                                        ...
                                        SeTcbPrivilege                  
                                        SeUndockPrivilege               
----------------------------------------------------------------------
BUILTIN\Backup Operators                SeBackupPrivilege               
                                        SeRestorePrivilege              
----------------------------------------------------------------------
Everyone                                SeChangeNotifyPrivilege         
----------------------------------------------------------------------
JSI005\Jerry                            SeBackupPrivilege               
----------------------------------------------------------------------
Look hardest at the entries outside the built-in groups. In the sample, JSI005\Jerry holds SeBackupPrivilege, which lets him read every file on the computer regardless of its ACL; SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeLoadDriverPrivilege, SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are each likewise sufficient to take full control of the computer, so any account that holds one of them should be reviewed as if it were a member of Administrators.

ShowRights.bat contains:
@echo off
setlocal
rem Scratch files live in TEMP; the paths are quoted in case TEMP contains spaces.
if exist "%TEMP%\ShowRights.tmp" del /q "%TEMP%\ShowRights.tmp"
if exist "%TEMP%\ShowRights.tmp1" del /q "%TEMP%\ShowRights.tmp1"
rem Pass 1: run Showpriv once per privilege and let :parse turn every output
rem line into an "account privilege" record in ShowRights.tmp.
for /f "Tokens=*" %%i in ('showpriv SeTcbPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeMachineAccountPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeBackupPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeChangeNotifyPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemTimePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreatePagefilePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreateTokenPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreatePermanentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeDebugPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeEnableDelegationPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeRemoteShutdownPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeAuditPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeIncreaseQuotaPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeIncreaseBasePriorityPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeLoadDriverPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeLockMemoryPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemEnvironmentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeProfileSingleProcessPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemProfilePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeUndockPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeAssignPrimaryTokenPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeRestorePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeShutdownPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSyncAgentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeTakeOwnershipPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSecurityPrivilege') do call :parse "%%i"
rem Sort the records so that all of an account's privileges sit next to each other.
sort "%TEMP%\ShowRights.tmp" /O "%TEMP%\ShowRights.tmp1"
del /q "%TEMP%\ShowRights.tmp"
rem Fixed-width layout: account in columns 1-40, privilege from column 41.
rem The trailing ## marks the end of the padding so the spaces survive SET.
set prevacct=                                           ##
set prevacct=%prevacct:~0,40%
set blank=%prevacct%
set under=----------------------------------------------------------------------
@echo Account                                 Privilege>ShowRights.txt
rem Pass 2: print each account once, with its privileges listed beneath it.
for /f "usebackq Tokens=*" %%i in ("%TEMP%\ShowRights.tmp1") do call :parse1 "%%i"
del /q "%TEMP%\ShowRights.tmp1"
endlocal
goto end
:parse
rem One line of Showpriv output. Strip the quotes added by the caller and any
rem closing parenthesis so the text can safely be re-echoed inside a FOR /F.
set line=%1
set line=%line:"=%
set line=%line:)=%
rem Trailer and error lines carry no account; ignore them.
if "%line:~0,23%" EQU "All accounts enumerated" goto end
if "%line:~0,38%" EQU "The specified privilege does not exist" goto end
rem A line starting with a letter is an account name.
if "%line:~0,1%" GTR "9" goto acct
rem A line starting with a backslash is also an account; drop the backslash first.
if "%line:~0,1%" EQU "\" set line=%line:\=%&goto acct
rem A count of 0 means nobody holds this privilege.
if "%line:~0,1%" EQU "0" goto end
rem Otherwise this is the "N account(s with the SeXxx privilege:" header line;
rem its fifth word is the privilege name, remembered for the account lines that follow.
for /f "Tokens=5" %%j in ('@echo %line%') do set priv=%%j
set priv=%priv%                                            ##
goto end
:acct
rem Pad the account to 40 columns and the privilege to 32, then record the pair.
set line=%line%                                            ##
set account=%line:~0,40%
set privs=%priv:~0,32%
@echo %account%%privs%>>"%temp%\ShowRights.tmp"
goto end
:parse1
rem One sorted record: columns 1-40 hold the account, 41-72 the privilege.
set line=%1
set line=%line:"=%
set account=%line:~0,40%
set privs=%line:~40,32%
rem Same account as the previous record: print only the privilege column.
if "%prevacct%" EQU "%account%" goto prtb
@echo %under%>>ShowRights.txt
@echo %account%%privs%>>ShowRights.txt
set prevacct=%account%
goto end
:prtb
@echo %blank%%privs%>>ShowRights.txt
:end
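Showpriv.exe is a Resource Kit extra, but the same account-by-account pivot can be built from a security-template export, which every Windows version from 2000 onward can produce with secedit /export /cfg: its [Privilege Rights] section lists each privilege (and each logon right) with the SIDs that hold it. The following Python is an added example written for this page, not code from the tip or from the Resource Kit. It assumes an export in that format; the sample text, the SID table and the admin-equivalent privilege set are constructed for the example, and the SID lookup is a stand-in for the LookupAccountSid call a real tool would make.

```python
"""Pivot a secedit export into an account -> privileges report.

Added example, not part of the original tip or the Resource Kit tool.
Assumes a file written by `secedit /export /cfg rights.inf`, whose
[Privilege Rights] section reads e.g.
    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
The sample below is constructed for this example, and SID-to-name
resolution uses a small table of well-known SIDs instead of a real
LookupAccountSid call.
"""
from collections import defaultdict

# Constructed sample of a secedit export (only the parts the code looks at).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege =
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1234567890-1-1001
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs; domain SIDs (S-1-5-21-...) are left unresolved here.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Privileges that on their own give the holder control of the computer:
# each can read or rewrite any file, load code into the kernel, or
# fabricate tokens, so their holders deserve the same scrutiny as Administrators.
ADMIN_EQUIVALENT = frozenset({
    "SeTcbPrivilege", "SeDebugPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
})


def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = (line.lower() == "[privilege rights]")
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip() for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders   # an empty list means nobody holds it
    return rights


def resolve(principal):
    """Map a '*S-1-...' entry to a name; unknown SIDs stay as SIDs."""
    if principal.startswith("*"):
        sid = principal[1:]
        return WELL_KNOWN_SIDS.get(sid, sid)
    return principal   # hand-written templates may already use names


def by_account(rights, privileges_only=True):
    """Invert to {account: sorted rights}; logon rights are dropped unless asked for."""
    accounts = defaultdict(set)
    for right, holders in rights.items():
        if privileges_only and not right.endswith("Privilege"):
            continue
        for holder in holders:
            accounts[resolve(holder)].add(right)
    return {acct: sorted(privs) for acct, privs in sorted(accounts.items())}


def admin_equivalent_holders(accounts):
    """Accounts holding any admin-equivalent privilege, and which ones."""
    return {acct: sorted(set(privs) & ADMIN_EQUIVALENT)
            for acct, privs in accounts.items() if set(privs) & ADMIN_EQUIVALENT}


def format_report(accounts):
    """Same layout as ShowRights.txt: account once, its privileges beneath it."""
    under = "-" * 70
    out = ["Account".ljust(40) + "Privilege"]
    for acct, privs in accounts.items():
        out.append(under)
        out.append(acct.ljust(40) + privs[0])
        out.extend(" " * 40 + p for p in privs[1:])
    return "\n".join(out)


if __name__ == "__main__":
    accts = by_account(parse_privilege_rights(SAMPLE_INF))
    print(format_report(accts))
    for acct, privs in admin_equivalent_holders(accts).items():
        print("CHECK: %s holds %s" % (acct, ", ".join(privs)))
```

To run it against a real machine, export with secedit /export /cfg rights.inf and feed parse_privilege_rights the file contents; the export is written as UTF-16, so open it with encoding="utf-16". Replace the WELL_KNOWN_SIDS table with a real lookup (for example pywin32's win32security.LookupAccountSid) so that domain and local user SIDs come out as DOMAIN\name, and call by_account with privileges_only=False when you also want the logon rights that Showpriv's list leaves out.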

