Grant multiple privileges with Powershell

I had to learn how to grant local security privileges programmatically. I found a solution (Script Grant “Log on as a service” rights by using PowerShell []) for granting one privilege.

I needed to grant multiple privileges to a service account, so I added a simple array and loop through them. I’m sure it’s inefficient, but for modifying under 10 lines from the original script, I can live with it.

And yes, of course I know that domain group policy can handle this better. This was just a quick-and-dirty fix for testing. And there’s nothing more permanent than temporary!

#written by Ingo Karstein,
#  v1.0, 01/03/2014
#  v1.1 2020-03-04

# References
#    script found at
#    why to run this at all
#    additional priv names

## <--- Configure here if( [string]::IsNullOrEmpty($accountToAdd) ) { Write-Host "no account specified" exit } ## ---> End of Config

$sidstr = $null
try {
	$ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
	$sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
	$sidstr = $sid.Value.ToString()
} catch {
	$sidstr = $null

Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

if( [string]::IsNullOrEmpty($sidstr) ) {
	Write-Host "Account not found!" -ForegroundColor Red
	exit -1

Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

$tmp = [System.IO.Path]::GetTempFileName()

Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
secedit.exe /export /cfg "$($tmp)" 

$c = Get-Content -Path $tmp 

$RightsToGrant = @( "SeServiceLogonRight", "SeBatchLogonRight", "SeImpersonatePrivilege" )
$currentSetting = ""

ForEach ($thisRight in $RightsToGrant) {
	ForEach ($s in $c) {
		if( $s -like "$thisRight*") {
			$x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
			$currentSetting = $x[1].Trim()

	if( $currentSetting -notlike "*$($sidstr)*" ) {
		Write-Host "Modify Setting ""$thisRight""" -ForegroundColor DarkCyan
		if( [string]::IsNullOrEmpty($currentSetting) ) {
			$currentSetting = "*$($sidstr)"
		} else {
			$currentSetting = "*$($sidstr),$($currentSetting)"
		Write-Host "$currentSetting"
		$outfile = @"
[Privilege Rights]
$($thisRight) = $($currentSetting)

		$tmp2 = [System.IO.Path]::GetTempFileName()
		Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
		$outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

		#notepad.exe $tmp2
		Push-Location (Split-Path $tmp2)
		try {
			secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
			#write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
		} finally {	
	} else {
		Write-Host "NO ACTIONS REQUIRED! Account already in ""$thisRight""" -ForegroundColor DarkCyan


Write-Host "Done." -ForegroundColor DarkCyan

Getting Firefox and Java to work with jnlp files

If you are having trouble opening a jnlp file (e.g., for IPMI console access) you can try some of these steps.

Tell Firefox to allow pop-up windows for this site

Tell Firefox how to handle the filetype .jnlp

Tell it to open it with /usr/bin/javaws

Tell Java to allow the site to run applications

If you get “Application Blocked by Java Security” you can fix that by editing an exceptions list.

Modify file ~/.java/deployment/security/exception.sites

Each line in this file should be a protocol and domain name or IP address for the exception, e.g.:



Audit sudo docker usage


grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'


One way to secure docker is to allow users to run it with sudo. Alternatively, you can add users to a group named “docker,” but this doesn’t provide the auditing that sudo has by default.

So you can whip up a nice, neat little sudoers.d file similar to:

User_Alias CONT_POC_USERS = %container_sudoers@ADDOMAIN
Runas_Alias CONT_POC_RUNAS = root
Host_Alias CONT_POC_HOSTS = cn-node-5*, cn-node-5*
Cmnd_Alias CONT_POC_CMNDS = /usr/bin/docker *

With a security posture where you will not allow anything to run in a container as root, you can audit compliance with a few regular expressions.

grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'

I haven’t figured out how to have the negative and positive searches in one string, so any input there would be appreciated!

Also, I have not figured out how to actually enforce running the docker exec command only with a -u username flag, without writing a much more complicated whitelist of docker build *, docker commit *, docker container *, docker cp * et al statements which seems like a lot of work but might ultimately be necessary.

sshd_config match negate address


Match Address *,!

Negating address in match statement in sshd_config

I was locking down my ssh server configuration on a host, so that it will not accept password auth from outside a certain IP address range.
I had to learn how to get the Match Address directive to work with a negation. To make it work, you need to insert a wildcard before you then state the exclusion.

Match Address *,!

And then I added the directives for this matched IP address range.

   AuthenticationMethods publickey
   PubkeyAuthentication yes
   PasswordAuthentication no
   X11Forwarding no




Man pages

  1. sshd_config
  2. ssh_config