Allow log on through Remote Desktop Services PowerShell

<#
.SYNOPSIS
Test user rights assignments by user or by right.
.DESCRIPTION
Test to ensure that a specific account has particular rights assignments. You can specify to query either
by account, in which case your Should block will verify against the possible rights assigned to the account
being tested; or by right, in which case your Should block will verify against the possible accounts that
might have the right assigned to them.
.PARAMETER Qualifier
Whether to test one user account for all rights assigned to it (ByAccount) or to test one right
for all accounts which have it (ByRight).
.PARAMETER Target
The user right or account to test for. Possible user rights:
- SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
- SeNetworkLogonRight Access this computer from the network
- SeTcbPrivilege Act as part of the operating system
- SeMachineAccountPrivilege Add workstations to domain
- SeIncreaseQuotaPrivilege Adjust memory quotas for a process
- SeInteractiveLogonRight Allow log on locally
- SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
- SeBackupPrivilege Back up files and directories
- SeChangeNotifyPrivilege Bypass traverse checking
- SeSystemtimePrivilege Change the system time
- SeTimeZonePrivilege Change the time zone
- SeCreatePagefilePrivilege Create a pagefile
- SeCreateTokenPrivilege Create a token object
- SeCreateGlobalPrivilege Create global objects
- SeCreatePermanentPrivilege Create permanent shared objects
- SeCreateSymbolicLinkPrivilege Create symbolic links
- SeDebugPrivilege Debug programs
- SeDenyNetworkLogonRight Deny access this computer from the network
- SeDenyBatchLogonRight Deny log on as a batch job
- SeDenyServiceLogonRight Deny log on as a service
- SeDenyInteractiveLogonRight Deny log on locally
- SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
- SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeAuditPrivilege Generate security audits
- SeImpersonatePrivilege Impersonate a client after authentication
- SeIncreaseWorkingSetPrivilege Increase a process working set
- SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeLoadDriverPrivilege Load and unload device drivers
- SeLockMemoryPrivilege Lock pages in memory
- SeBatchLogonRight Log on as a batch job
- SeServiceLogonRight Log on as a service
- SeSecurityPrivilege Manage auditing and security log
- SeRelabelPrivilege Modify an object label
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeManageVolumePrivilege Perform volume maintenance tasks
- SeProfileSingleProcessPrivilege Profile single process
- SeSystemProfilePrivilege Profile system performance
- SeUnsolicitedInputPrivilege "Read unsolicited input from a terminal device"
- SeUndockPrivilege Remove computer from docking station
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeSyncAgentPrivilege Synchronize directory service data
- SeTakeOwnershipPrivilege Take ownership of files or other objects
.PARAMETER Should
A Script Block defining a Pester Assertion.
.EXAMPLE
UserRightsAssignment ByRight 'SeNetworkLogonRight' { Should Be @("BUILTIN\Users","BUILTIN\Administrators") }
.EXAMPLE
UserRightsAssignment ByAccount 'BUILTIN\Users' { should Not Match "SeServiceLogonRight" }
.NOTES
Assertions: Be, BeExactly, BeNullOrEmpty, Match, MatchExactly
#>

function UserRightsAssignment {
    [CmdletBinding(DefaultParameterSetName="Default")]
    param(
        [Parameter(Mandatory, Position=1)]
        [ValidateSet('ByRight','ByAccount')]
        [string]$Qualifier,

        [Parameter(Mandatory, Position=2)]
        [Alias('Right')]
        [string]$Target,

        [Parameter(Mandatory, Position=3)]
        [scriptblock]$Should
    )

    # Querying user rights assignments requires an elevated session.
    If (Test-RunAsAdmin) {
        # '$Target' stays single-quoted and unexpanded inside the script block;
        # the block is handed to Get-PoshspecParam together with the bound parameters.
        If ($Qualifier -eq "ByRight") {
            $expression = {Get-AccountsWithUserRight -Right '$Target' | Select-Object -ExpandProperty Account}
        } ElseIf ($Qualifier -eq "ByAccount") {
            $expression = {Get-UserRightsGrantedToAccount -Account '$Target' | Select-Object -ExpandProperty Right}
        }
    } Else {
        Throw "You must run as Administrator to test UserRightsAssignment"
    }

    $params = Get-PoshspecParam -TestName UserRightsAssignment -TestExpression $expression @PSBoundParameters

    Invoke-PoshspecExpression @params
}
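
A stand-alone audit of the right named in this page's title, as an added example that is not part of the listing above or of the module it belongs to: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports any SID holding `SeRemoteInteractiveLogonRight` that is not on an allow-list. The helper names, the sample INF text and the allow-list are constructed for illustration.

```powershell
# Added example. Get-UserRightFromInf and Test-UserRightBaseline are hypothetical helpers.
function Get-UserRightFromInf {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLine,
        [Parameter(Mandatory)][string]$Right
    )
    $inSection = $false
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            if ($Matches[1] -eq $Right) {
                # SIDs are written with a leading '*'; strip it for comparison.
                $Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ }
            }
        }
    }
}

function Test-UserRightBaseline {
    param([string[]]$Actual, [string[]]$Allowed)
    # Comparing SIDs rather than names keeps the check independent of locale.
    $unexpected = @($Actual | Where-Object { $_ -and $_ -notin $Allowed })
    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0)
        Unexpected = $unexpected
    }
}

# Constructed sample of a secedit user-rights export (the last SID is made up).
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'
# Allow-list: BUILTIN\Administrators and BUILTIN\Remote Desktop Users.
$allowed = 'S-1-5-32-544', 'S-1-5-32-555'
$actual  = Get-UserRightFromInf -InfLine $sampleInf -Right 'SeRemoteInteractiveLogonRight'
Test-UserRightBaseline -Actual $actual -Allowed $allowed
# Live host: secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS, then pass (Get-Content ...) as -InfLine.
```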