The Windows 2000 Server Resource Kit Supplement One contains Showpriv.exe, a new
command-line tool that displays the users and groups that have been granted a specified privilege.
The tool, which must be run locally, works on Windows 2000 and Windows NT 4.0.
The syntax is:

    showpriv privilege

where privilege is one of the following case-sensitive parameters:

    SeTcbPrivilege
    SeMachineAccountPrivilege
    SeBackupPrivilege
    SeChangeNotifyPrivilege
    SeSystemTimePrivilege
    SeCreatePagefilePrivilege
    SeCreateTokenPrivilege
    SeCreatePermanentPrivilege
    SeDebugPrivilege
    SeEnableDelegationPrivilege
    SeRemoteShutdownPrivilege
    SeAuditPrivilege
    SeIncreaseQuotaPrivilege
    SeIncreaseBasePriorityPrivilege
    SeLoadDriverPrivilege
    SeLockMemoryPrivilege
    SeSystemEnvironmentPrivilege
    SeProfileSingleProcessPrivilege
    SeSystemProfilePrivilege
    SeUndockPrivilege
    SeAssignPrimaryTokenPrivilege
    SeRestorePrivilege
    SeShutdownPrivilege
    SeSyncAgentPrivilege
    SeTakeOwnershipPrivilege
    SeSecurityPrivilege

Since this tool is privilege based, I have scripted a report to show ALL the privileges assigned to users and groups. ShowRights.bat has no parameters, and will generate a report file, ShowRights.txt, in the current folder. The report will look similar to the following:

Account                                 Privilege
----------------------------------------------------------------------
BUILTIN\Administrators                  SeAssignPrimaryTokenPrivilege
                                        SeAuditPrivilege
                                        SeBackupPrivilege
                                        ...
                                        SeTcbPrivilege
                                        SeUndockPrivilege
----------------------------------------------------------------------
BUILTIN\Backup Operators                SeBackupPrivilege
                                        SeRestorePrivilege
----------------------------------------------------------------------
Everyone                                SeChangeNotifyPrivilege
----------------------------------------------------------------------
JSI005\Jerry                            SeBackupPrivilege
----------------------------------------------------------------------

ShowRights.bat contains:

@echo off
setlocal
if exist %TEMP%\ShowRights.tmp del /q %TEMP%\ShowRights.tmp
if exist %TEMP%\ShowRights.tmp1 del /q %TEMP%\ShowRights.tmp1
rem Query every privilege; :parse writes one fixed-width row per account that holds it.
for /f "Tokens=*" %%i in ('showpriv SeTcbPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeMachineAccountPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeBackupPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeChangeNotifyPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemTimePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreatePagefilePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreateTokenPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeCreatePermanentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeDebugPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeEnableDelegationPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeRemoteShutdownPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeAuditPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeIncreaseQuotaPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeIncreaseBasePriorityPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeLoadDriverPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeLockMemoryPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemEnvironmentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeProfileSingleProcessPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSystemProfilePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeUndockPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeAssignPrimaryTokenPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeRestorePrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeShutdownPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSyncAgentPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeTakeOwnershipPrivilege') do call :parse "%%i"
for /f "Tokens=*" %%i in ('showpriv SeSecurityPrivilege') do call :parse "%%i"
rem Sort by account so that each account's privileges end up on adjacent rows.
sort %TEMP%\ShowRights.tmp /O %TEMP%\ShowRights.tmp1
del /q %TEMP%\ShowRights.tmp
rem 40 spaces precede the ## marker; the marker only keeps the trailing spaces in the line.
set prevacct=                                        ##
set prevacct=%prevacct:~0,40%
set blank=%prevacct%
set under=----------------------------------------------------------------------
@echo Account                                 Privilege>ShowRights.txt
for /f "Tokens=*" %%i in (%TEMP%\ShowRights.tmp1) do call :parse1 "%%i"
del /q %TEMP%\ShowRights.tmp1
endlocal
goto end

rem :parse handles one line of showpriv output.
:parse
set line=%1
set line=%line:"=%
set line=%line:)=%
if "%line:~0,23%" EQU "All accounts enumerated" goto end
if "%line:~0,38%" EQU "The specified privilege does not exist" goto end
rem A first character above "9" means an account line; a digit means the count/header line.
if "%line:~0,1%" GTR "9" goto acct
if "%line:~0,1%" EQU "\" set line=%line:\=%&goto acct
if "%line:~0,1%" EQU "0" goto end
rem The fifth token of the header line is the privilege name; pad it with 32 spaces.
for /f "Tokens=5" %%j in ('@echo %line%') do set priv=%%j
set priv=%priv%                                ##
goto end

rem :acct pads the account to 40 columns and appends the current privilege.
:acct
set line=%line%                                        ##
set account=%line:~0,40%
set privs=%priv:~0,32%
@echo %account%%privs%>>%temp%\ShowRights.tmp
goto end

rem :parse1 prints a sorted row and starts a new block when the account changes.
:parse1
set line=%1
set line=%line:"=%
set account=%line:~0,40%
set privs=%line:~40,32%
if "%prevacct%" EQU "%account%" goto prtb
@echo %under%>>ShowRights.txt
@echo %account%%privs%>>ShowRights.txt
set prevacct=%account%
goto end

:prtb
@echo %blank%%privs%>>ShowRights.txt
:end
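
An added example, not part of the original tip: a Python reader for the ShowRights.txt layout described above (account in the first 40 columns, privilege after it, blank account on continuation rows) that lists holders of selected privileges who are not on an expected list. The SENSITIVE and EXPECTED sets, the row helper and the sample report are assumptions constructed for illustration.

```python
ACCOUNT_WIDTH = 40  # account column width, from %line:~0,40% in ShowRights.bat
# Assumption: privileges this example treats as high-impact.
SENSITIVE = {"SeTcbPrivilege", "SeDebugPrivilege", "SeCreateTokenPrivilege",
             "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege"}
# Assumption: accounts expected to hold them on this hypothetical host.
EXPECTED = {"BUILTIN\\Administrators", "BUILTIN\\Backup Operators"}

def parse_report(text):
    """Return {account: [privileges]} from ShowRights.txt content."""
    rights, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed separator between accounts
        account = line[:ACCOUNT_WIDTH].strip()
        priv = line[ACCOUNT_WIDTH:].strip()
        if account == "Account" and priv == "Privilege":
            continue  # report header
        if account:
            current = account  # first row of a new account block
        if current is None or not priv.startswith("Se"):
            continue  # orphan continuation row or malformed line
        rights.setdefault(current, []).append(priv)
    return rights

def unexpected_grants(rights):
    """Sorted (account, privilege) pairs held by accounts outside EXPECTED."""
    return sorted((acct, p) for acct, privs in rights.items()
                  if acct not in EXPECTED for p in privs if p in SENSITIVE)

def row(account, priv):  # hypothetical helper: pad a row like the batch file does
    return f"{account:<{ACCOUNT_WIDTH}}{priv}"

# Constructed sample in the report layout (not output from a real host).
SAMPLE = "\n".join([
    row("Account", "Privilege"), "-" * 70,
    row("BUILTIN\\Administrators", "SeBackupPrivilege"),
    row("", "SeDebugPrivilege"), "-" * 70,
    row("Everyone", "SeChangeNotifyPrivilege"), "-" * 70,
    row("JSI005\\Jerry", "SeBackupPrivilege"), "-" * 70,
    row("JSI005\\svc_report", "SeDebugPrivilege"),
])

if __name__ == "__main__":
    for acct, priv in unexpected_grants(parse_report(SAMPLE)):
        print(f"REVIEW: {acct} holds {priv}")
```

Because ShowRights.bat cuts the account column at 40 characters, two long account names that share their first 40 characters appear as one account in the report and therefore in this parse.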