Post reply

Setting SeTcbPrivilege (act as part of OS) is not working.

  • December 15, 2019 at 11:25 pm

    #3708012

    Hi,

    I am trying to use the below script to set SeTcbPrivilege (Act as part of operating system), but it is not working.  No error message is thrown, it runs as it worked, but nothing changes and the account does not get the permission.

    Other permissions, like Logon as a batch job (SeBatchLogonRight), are working fine using the same logic.

    Any ideas?

    Thanks.

    param($accountToAdd)

    ## <--- Configure here

    if( [string]::IsNullOrEmpty($accountToAdd) ) {

    Write-Host "no account specified"

    exit

    }

    ## ---> End of Config

    $sidstr = $null

    try {

    $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"

    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])

    $sidstr = $sid.Value.ToString()

    } catch {

    $sidstr = $null

    }

    Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

    if( [string]::IsNullOrEmpty($sidstr) ) {

    Write-Host "Account not found!" -ForegroundColor Red

    exit -1

    }

    Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

    $tmp = [System.IO.Path]::GetTempFileName()

    Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan

    secedit.exe /export /cfg "$($tmp)"

    $c = Get-Content -Path $tmp

    $currentSetting = ""

    foreach($s in $c) {

    ## Act as part of operating system

    if( $s -like "SeTcbPrivilege*") {

    $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)

    $currentSetting = $x[1].Trim()

    if( $currentSetting -notlike "*$($sidstr)*" ) {

    Write-Host "Modify Setting ""Act as part of operating system""" -ForegroundColor DarkCyan

    if( [string]::IsNullOrEmpty($currentSetting) ) {

    $currentSetting = "*$($sidstr)"

    } else {

    $currentSetting = "*$($sidstr),$($currentSetting)"

    }

    Write-Host "$currentSetting"

    $outfile = @"

    [Unicode]

    Unicode=yes

    [Version]

    signature="$CHICAGO$"

    Revision=1

    [Privilege Rights]

    SeTcbPrivilege = $($currentSetting)

    "@

    $tmp2 = [System.IO.Path]::GetTempFileName()

    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan

    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

    #notepad.exe $tmp2

    Push-Location (Split-Path $tmp2)

    Write-Host "Security: "

    Write-Host  $tmp2

    try {

    secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS

    #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "

    } finally {

    Pop-Location

    }

    } else {

    Write-Host "NO ACTIONS REQUIRED! Account already in ""Act as part of operating system""" -ForegroundColor DarkCyan

    }

    }

    }

    Write-Host "Done." -ForegroundColor DarkCyan

  • December 17, 2019 at 12:10 am

    #3708318

    Thanks for posting your issue and hopefully someone will answer soon.

    This is an automated bump to increase visibility of your question.

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply