Windows Server - Enumerate Machine Effective User Rights Assignments

Asked By Terry on 29-Apr-07 12:36 PM
I know this question is not directly related to ADSI, but I thought perhaps
the WinNT provider may have what I need or there is a provider I am not aware
of.  I push out many settings to my Windows 2000 servers using group
policies.  I now need a way to verify compliance by querying all machines and
comparing the effective settings to the policies.  Most settings are a no
brainer like specific registry values, directory/file ACLs and Services
configurations.  I just can not locate a way to enumerate the effective user
rights assignments of the machine.  I thought maybe WMI would have a class
but came up empty there as well.  Does anyone know how I can do this?

Paul Williams [MVP] replied on 03-May-07 06:46 PM
Interesting question.  You need access to the token really.  What are you
planning on using to access this information?  .NET?  Script?  .NET has some
nice classes for pulling info. from tokens.  If Scripting, consider wrapping
something round DUMPSEC or maybe SHOWPRIV.

I'm shooting from the hip here though, as I've not really considered what
you're trying to do.

Paul Williams
Microsoft MVP - Windows Server - Directory Services

Terry replied on 06-May-07 11:07 AM
I plan to use visual basic on .net 2.0.  The application will run on my
XP(SP2) desktop and visit 100 Windows 2000 servers to get settings which then
will be compared to my policy.

I have a number of Group Policy objects that apply our security
specifications and  I am required to perform a monthly audit of these servers
to verify that the settings are indeed compliant with my security
specifications.  Most are easy as I just query a registry value and compare
it to what the value should be (most being strings and DWords.)  However, I
am not sure how I can get the [Security Settings\Local Policies\User Rights
Assignment] portion of the Policy.

What I am looking for is an API to get the data that shows up on the Local
Security Policy MMC.  I am not looking for the privileges for a specific
user, which I assume the token would contain, but the list of all privileges
on a machine and what security principal they apply to, eg. Restore Files and
Directories = Administrators, Backup Operators.

I just thought that perhaps a higher level API could get this for me,
perhaps with the WinNT ADSI provider or maybe WMI.
Thanks - Terry

Paul Williams [MVP] replied on 08-May-07 05:31 AM
OK, I've had a dig around and I can't find much in terms of an interface
into this.  There's some command line stuff that you can wrap around as
already mentioned, but that's not ideal for what you want to do.  The best
I've come across, but have been unable to test as I don't have it locally,
is this WMI class:

root\RSOP\Computer\ms_409\RSOP_UserPrivilegeRight

It would appear that this might only be available from NT5.1 onwards though.

However, there's some other example code (VBS) that suggests that this class
(RSOP_UserPrivilegeRight) is also under:

root\RSOP\Computer

Best bet is to Google around for RSOP_UserPrivilegeRight and see if you can
do anything with it.

Sorry if that's not much help.

Paul Williams
Microsoft MVP - Windows Server - Directory Services

Paul Williams [MVP] replied on 08-May-07 07:28 AM
Yeah, that WMI class does the job for privileges set by GPO (not local
policy).  Here's a quick C# method to illustrate.

// At the top of the file; System.Management.dll must be referenced by the project.
using System;
using System.Management;

public void RSOP_UserPrivilegeRight_Test() {

    // Local machine; use @"\\<server>\root\rsop\computer" to read a remote host.
    string hostName = @"\\.\root\rsop\computer";

    string query = "select UserRight,AccountList,Precedence from RSOP_UserPrivilegeRight";

    try {
        ObjectQuery wmiQuery = new ObjectQuery(query);
        ManagementScope wmiMgmtScope = new ManagementScope(hostName);
        // IsConnected stays false until Connect() has been called.
        wmiMgmtScope.Connect();

        if(wmiMgmtScope.IsConnected) {
            ManagementObjectSearcher searcher = new
                ManagementObjectSearcher(wmiMgmtScope, wmiQuery);

            using(ManagementObjectCollection mgmtColl = searcher.Get()) {
                string header = String.Format("\n{0,25}{1,25}\n{2}\n", "Privilege",
                    "Account", new String('-', 50));
                Console.Write(header);

                foreach(ManagementObject item in mgmtColl) {
                    Console.Write("{0,25}", item["UserRight"].ToString());

                    // AccountList is a string array; it can be null for a right nobody holds.
                    string[] accounts = item["AccountList"] as string[];
                    if(accounts != null) {
                        foreach(string account in accounts) {
                            Console.Write("{0,-25}{1,-25}\n", "", account);
                        }
                    }
                }
            }
        } else {
            Console.WriteLine("\nNot bound to a namespace. Exiting\n");
        }
    } catch (ManagementException e) {
        Console.WriteLine("\n{0}\n{1}\n{2}\n", e.ErrorCode, e.Message, e.StackTrace);
    } catch (Exception e) {
        Console.WriteLine("\n{0}\n", e.ToString());
    }
}

I'm unsure as to how you can pull the local settings yet...

Paul Williams
Microsoft MVP - Windows Server - Directory Services

matthewb replied on 31-May-07 01:25 PM
I'm also trying to do this...

A similar solution to the one posted above, at least for me,
returns no results (ManagementObjectCollection.Count == 0).  However, after
many hours of searching for a solution, the WMI interface is the only one
I've found to even come close to getting this information.

Still unresolved for me...
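The audit Terry describes (every right on a machine, which principals hold it, compared against policy), as an added PowerShell example that is not code from anyone in this thread. It reads the RSOP_UserPrivilegeRight class Paul found for the Group-Policy-planned view and uses secedit /export for the effective assignments in the local security database that the WMI route does not reach. The baseline hashtable, the temporary file name and the function names are this example's own assumptions, not anything the thread specifies.

```powershell
# Added example, not code from the thread. Audits a machine's effective User Rights
# Assignment against an expected baseline, using two sources:
#   1. RSOP_UserPrivilegeRight in root\RSOP\Computer (the class Paul names): what
#      Group Policy planned. Locally assigned rights never appear here.
#   2. secedit /export: what the local security database actually holds, i.e. the
#      effective assignment, whether delivered by GPO or set locally.
# Run from an elevated prompt on the machine being audited (wrap the functions in
# Invoke-Command for remote hosts). The baseline below is a constructed sample.

$Baseline = @{
    # Terry's example: Restore Files and Directories = Administrators, Backup Operators
    'SeRestorePrivilege'        = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeBackupPrivilege'         = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeDebugPrivilege'          = @('BUILTIN\Administrators')
    'SeRemoteShutdownPrivilege' = @('BUILTIN\Administrators')
}

function Get-GpoPlannedRights {
    # GPO-planned rights from RSOP. When several GPOs set the same right,
    # RSOP marks the one that wins with Precedence 1.
    param([string]$ComputerName = '.')
    $rows = Get-WmiObject -Namespace 'root\RSOP\Computer' -Class 'RSOP_UserPrivilegeRight' `
                -ComputerName $ComputerName | Where-Object { $_.Precedence -eq 1 }
    foreach ($row in $rows) {
        [pscustomobject]@{
            Right    = $row.UserRight
            Accounts = @($row.AccountList | Where-Object { $_ })
        }
    }
}

function Convert-SidToAccount {
    # secedit writes principals as *S-1-..., so resolve them to DOMAIN\name.
    # An unresolvable SID is kept verbatim: an orphaned SID holding a right is a finding too.
    param([string]$Token)
    if ($Token -notmatch '^\*S-1-') { return $Token }
    $sidText = $Token.TrimStart('*')
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sidText }
}

function Get-EffectiveRights {
    # Effective rights from the local security database. Returns a hashtable keyed
    # by privilege constant (SeBackupPrivilege, ...) holding arrays of account names.
    $inf = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]; $value = $Matches[2]
                $members = $value.Split(',') | ForEach-Object { Convert-SidToAccount $_.Trim() } |
                           Where-Object { $_ }
                $rights[$right] = @($members)   # a right with an empty value is held by nobody
            }
        }
        $rights
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Compare-Rights {
    # One row per baseline right. Extra = holds the right though policy says no;
    # Missing = policy grants it but the principal lacks it.
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($right in ($Expected.Keys | Sort-Object)) {
        $have    = @($Actual[$right] | Where-Object { $_ })
        $extra   = @($have | Where-Object { $Expected[$right] -notcontains $_ })
        $missing = @($Expected[$right] | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Right     = $right
            Compliant = ($extra.Count -eq 0 -and $missing.Count -eq 0)
            Extra     = ($extra -join ', ')
            Missing   = ($missing -join ', ')
        }
    }
}

function Get-PlannedVsEffectiveDrift {
    # Rights where what GPO planned (RSOP) differs from what is in force (secedit):
    # a local override or a policy that did not apply. RSOP account names may need
    # normalising to DOMAIN\name before they compare equal to the secedit side.
    param([hashtable]$Effective)
    foreach ($p in Get-GpoPlannedRights) {
        $eff = @($Effective[$p.Right] | Where-Object { $_ })
        if (Compare-Object -ReferenceObject $p.Accounts -DifferenceObject $eff) {
            [pscustomobject]@{ Right = $p.Right; Planned = ($p.Accounts -join ', '); Effective = ($eff -join ', ') }
        }
    }
}

$effective = Get-EffectiveRights
Compare-Rights -Expected $Baseline -Actual $effective | Format-Table -AutoSize
Get-PlannedVsEffectiveDrift -Effective $effective | Format-Table -AutoSize
```

The secedit side is the one to score compliance on: it is the assignment the LSA actually enforces, so a right granted by hand on one server shows up there even though, as Paul notes, the RSOP class only reports rights delivered by Group Policy; that limitation is also one reason a query against RSOP_UserPrivilegeRight can legitimately come back with zero instances. Comparing the two views on top of that flags machines where policy and reality have drifted apart, which is exactly what a monthly audit wants to catch.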