PowerShell Script to grant a Local Security Policy user right to a Windows group / user
A generic PowerShell script that grants a local security policy setting (a "User Rights Assignment" privilege) to a user or group. It defaults to "SeInteractiveLogonRight" (Allow log on locally) and has been tested against that right.
Useful in the scenario where a Windows scheduled task must run as a domain account: the domain user is added to a local Windows group, and the group is then granted a right such as "SeInteractiveLogonRight" (log on locally). In other words, the domain account is now able to log on to the computer and, through its domain identity, reach domain resources as well. Two caveats: secedit needs an elevated prompt, and on a domain-joined machine a domain GPO that defines the same user right will replace the local setting at the next Group Policy refresh, so either the GPO must not define that right or the grant should be made in the GPO instead.
The script should also be tested against the other user rights in this list:
#######################################################
#Requires -RunAsAdministrator
<#
.Synopsis
Grant a user right (Local Security Policy > User Rights Assignment) to a local or domain user/group.
Defaults to SeInteractiveLogonRight ("Allow log on locally").
.Parameter grpname
Name of the user or group that receives the right, e.g. "logonlocally" or "CONTOSO\svc_batch".
.Parameter logonright
The privilege constant to grant, e.g. SeInteractiveLogonRight, SeServiceLogonRight, SeBatchLogonRight.
.Example
.\GrantSecurityRight.ps1 -grpname "logonlocally"
.Example
.\GrantSecurityRight.ps1 -grpname "logonlocally" -logonright "SeBatchLogonRight"
#>
param(
[Parameter(Mandatory=$true)]
[string] $grpname,
[string] $logonright="SeInteractiveLogonRight"
)
$tempPath = [System.IO.Path]::GetTempPath()
$import = Join-Path -Path $tempPath -ChildPath "import.inf"
$export = Join-Path -Path $tempPath -ChildPath "export.inf"
$secedt = Join-Path -Path $tempPath -ChildPath "secedt.sdb"
# start from a clean slate: leftovers from an earlier run would be merged into the new database by secedit
foreach ($f in @($import, $export, $secedt)) { if (Test-Path $f) { Remove-Item -Path $f -Force } }
try {
Write-Host "Granting $logonright to user/group: $grpname."
# resolve the account to its SID; secedit templates reference accounts as *<SID>
$sid = ((New-Object System.Security.Principal.NTAccount($grpname)).Translate([System.Security.Principal.SecurityIdentifier])).Value
# export the current local policy so the existing holders of the right are preserved
secedit /export /cfg $export | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
# match the exact right, anchored, so that e.g. SeDenyInteractiveLogonRight is never picked up
$current = (Select-String -Path $export -Pattern "^$logonright\s*=" | Select-Object -First 1).Line
$alreadyThere = '\*{0}(,|\s*$)' -f [regex]::Escape($sid)
if ($current -and ($current -match $alreadyThere)) {
Write-Host "$grpname already holds $logonright; nothing to do."
return
}
# a right that is assigned to nobody has no line in the export at all; create one instead of appending to $null
$newLine = if ($current) { "$current,*$sid" } else { "$logonright = *$sid" }
$template = @(
"[Unicode]",
"Unicode=yes",
"[Version]",
'signature="$CHICAGO$"',
"Revision=1",
"[Privilege Rights]",
$newLine
)
# the template declares Unicode=yes, so write it as UTF-16
Set-Content -Path $import -Value $template -Encoding Unicode
# build a database from the template and apply only the USER_RIGHTS area, leaving other policy areas untouched
secedit /import /db $secedt /cfg $import | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /import failed with exit code $LASTEXITCODE" }
secedit /configure /db $secedt /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
Write-Host "Granted $logonright to user/group: $grpname."
} catch {
Write-Host "Failed to grant $logonright to user/group: $grpname. $_"
exit 1
} finally {
# remove the temporary template, export and database whether or not the grant succeeded
foreach ($f in @($import, $export, $secedt)) { if (Test-Path $f) { Remove-Item -Path $f -Force -ErrorAction SilentlyContinue } }
}
#######################################################
Calling script:
param(
[Parameter(Mandatory=$true)]
[string] $GrpName,
[Parameter(Mandatory=$true)]
[string] $GrpDescription
)
# create the local group (e.g. LogonLocally) unless it already exists; New-LocalGroup fails on a duplicate name
if (-not (Get-LocalGroup -Name $GrpName -ErrorAction SilentlyContinue)) {
New-LocalGroup -Name $GrpName -Description $GrpDescription -ErrorAction Stop | Out-Null
Write-Host "[INFO] $GrpName created"
} else {
Write-Host "[INFO] $GrpName already exists"
}
# grant the security right (by default, allow log on locally) to the group
.\GrantSecurityRight.ps1 -grpname $GrpName
Note that a domain user is identified by a SID, which is unique across the domain. Add-LocalGroupMember accepts either that SID or the DOMAIN\user name, so the account can be added to the group as follows:
# $BatchAccountSid holds the SID string of the domain account (see below); -ErrorAction Stop turns a failed lookup into a terminating error
Add-LocalGroupMember -Group $GrpName -Member $BatchAccountSid -ErrorAction Stop
Get the SID of a Windows domain user (requires the ActiveDirectory module from RSAT):
Get-ADUser -Identity $username | Select-Object Name, SID, UserPrincipalName
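Once the right has been granted it is worth verifying the effective assignment rather than trusting the script's success message, both to catch a typo in the group name and to notice when a domain GPO has overwritten the local setting at the next refresh. The following is an added example, not code from the original post: it exports the local policy with secedit, parses the [Privilege Rights] line for one right, and translates every SID back to an account name. The function name Get-UserRightHolders and the group name LogonLocally in the usage are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: list the accounts that currently hold a user right on this machine.
# Get-UserRightHolders is this example's own name, not part of the original script.
function Get-UserRightHolders {
    param(
        [Parameter(Mandatory=$true)]
        [string] $Right   # e.g. SeInteractiveLogonRight, SeBatchLogonRight
    )
    $export = Join-Path ([System.IO.Path]::GetTempPath()) "rights-check.inf"
    try {
        secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
        # the export is UTF-16 with a BOM, which Get-Content detects on its own
        $line = Get-Content -Path $export | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
        if (-not $line) {
            # no line in the export means the right is assigned to nobody
            return @()
        }
        # right-hand side looks like: *S-1-5-32-544,*S-1-5-32-545
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $sidString = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                try {
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # unresolvable SID: deleted account or a domain this host cannot reach
                    $name = $sidString
                }
                [pscustomobject]@{ Right = $Right; Sid = $sidString; Account = $name }
            } else {
                # secedit also accepts plain account names in a template
                [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
            }
        }
    } finally {
        if (Test-Path $export) { Remove-Item -Path $export -Force }
    }
}

# Usage: confirm that the group created by the calling script now holds the right.
$holders = Get-UserRightHolders -Right 'SeInteractiveLogonRight'
$holders | Format-Table -AutoSize
if ($holders.Account -contains "$env:COMPUTERNAME\LogonLocally") {
    Write-Host "LogonLocally holds SeInteractiveLogonRight"
} else {
    Write-Host "LogonLocally does NOT hold SeInteractiveLogonRight (check whether a domain GPO defines this right)"
}
```

Run the check once immediately after the grant and again after a `gpupdate /force`: if the group disappears from the list between the two runs, a domain GPO defines the right and the local grant will not survive.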