PrivMan is a Windows console (text-based, command-line) program that provides privilege/right management functions.
Bill Stewart - bstewart at iname dot com
PrivMan is covered by the GNU Public License (GPL). See the file LICENSE for details.
PrivMan is an open-source alternative to the ntrights utility found in the Windows Resource Kit. The main differences between PrivMan and ntrights are as follows:
- PrivMan supports adding and removing multiple privileges/rights, whereas ntrights only supports one privilege/right at a time.
- PrivMan can test whether an account has one or more privileges/rights, but ntrights cannot.
- PrivMan can list accounts with a specified privilege/right, but ntrights cannot.
- PrivMan can report on all accounts and assigned privileges/rights, but ntrights cannot.
Please note the following:
- Command-line parameters (e.g., -g, -r, -t, --displayname, etc.) are case-sensitive.
- Names of privileges and rights (e.g., SeServiceLogonRight, etc.) are not case-sensitive.
- The -q parameter suppresses status and error messages.
- The -c parameter specifies to take the action on a remote computer. A remote computer name can start with two backslashes (\\) or not.
- The "privileges" parameter specifies a space-delimited list of privileges and/or rights, enclosed within " characters.
- Most commands require administrative permissions (i.e., "Run as administrator").
- Accounts can be specified by name or SID (e.g., S-1-5-32-544).
PrivMan -a account [-g|-r] "privileges" [-c computername] [-q]
For the specified account, grants (-g) or revokes (-r) one or more privileges/rights. Examples:
PrivMan -a MyServiceAcct -g SeServiceLogonRight
PrivMan -a AdminUser -r "SeServiceLogonRight SeNetworkLogonRight"
PrivMan -a DOMAIN\testsvcacct -r SeServiceLogonRight -c computer2
PrivMan -a account --revokeall [-c computername] [-q]
This command removes all privileges/rights from the specified account. It's recommended to find out what privileges/rights were assigned to the account before using this command, so you can restore any privileges/rights that might have broken something. USE WITH CAUTION.
PrivMan -a account -t "privileges" [-c computername] [-q]
Returns an exit code of 0 if the account does not have all specified privileges/rights, or 1 if the account has all specified privileges/rights. Any other exit code indicates an error.
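The -t exit codes are the reverse of the usual shell convention (0 means the account lacks at least one of the listed privileges/rights), so a script should map them explicitly rather than treat 0 as success. The following PowerShell is an added example, not part of PrivMan; it assumes PrivMan.exe is on the PATH in an elevated session, and the function name, the account name and the required/forbidden lists are hypothetical.

```powershell
# Added example, not part of PrivMan. Assumes PrivMan.exe is on the PATH and
# the session is elevated. Function, account and list contents are hypothetical.

function Test-PrivManRight {
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $Privilege,
        [string] $ComputerName
    )
    # The privilege list is passed as ONE space-delimited argument; PowerShell
    # quotes it for the native command when it contains spaces.
    $privArgs = @('-a', $Account, '-t', ($Privilege -join ' '), '-q')
    if ($ComputerName) { $privArgs += @('-c', $ComputerName) }

    & PrivMan.exe @privArgs
    switch ($LASTEXITCODE) {
        1       { return $true }    # account has ALL listed privileges/rights
        0       { return $false }   # account is missing at least one of them
        default { throw "PrivMan failed for '$Account' (exit code $LASTEXITCODE)" }
    }
}

$account   = 'MyServiceAcct'                      # hypothetical service account
$required  = @('SeServiceLogonRight')
$forbidden = @('SeDebugPrivilege', 'SeTcbPrivilege', 'SeInteractiveLogonRight')

if (-not (Test-PrivManRight -Account $account -Privilege $required)) {
    Write-Warning "$account is missing a required right: $($required -join ', ')"
}

# Test unwanted privileges one at a time: a combined test returns 0 as soon as
# any single one is absent, which would hide the ones that ARE assigned.
foreach ($p in $forbidden) {
    if (Test-PrivManRight -Account $account -Privilege $p) {
        Write-Warning "$account holds $p, which it should not need"
    }
}
```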
PrivMan -a account --list [-c computername]
Example: PrivMan -a S-1-5-32-544 --list lists all privileges/rights granted to the Administrators group on the current computer.
PrivMan --privilegeaccounts privilege [-c computername]
Example: PrivMan --privilegeaccounts SeServiceLogonRight outputs a list of accounts on the current computer that have the "Log on as a service" right.
PrivMan --displayname privilege
Example: PrivMan --displayname SeServiceLogonRight outputs "Log on as a service".
PrivMan --listall
This command outputs a comma-delimited (CSV) list of all privileges/rights and display names. The first column is the privilege/right name (e.g., SeServiceLogonRight), and the second column is the U.S. English display name (e.g., "Log on as a service").
PrivMan --csvreport [-c computername]
This command outputs a comma-delimited report of all accounts and privileges/rights assigned to each account. The first column is the computer name, the second column is the privilege/right name, and the third column is the privilege/right's U.S. English display name.