def user_rights_policy(self, policy):
actual_users = []
granted = []
deleted = []
for val in win32security.LsaEnumerateAccountsWithUserRight(win32security.LsaOpenPolicy("", 25), policy["right_type"]):
actual_users.append(win32security.LookupAccountSid(None, val)[0])
file_users = policy["value_data"]
if (file_users == '' or file_users == "Undefined") and len(actual_users) != 0:
for user in actual_users:
try:
win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]])
deleted.append(user)
except Exception as e:
continue
return {"status": 0, "msg": {"granted": granted, "deleted": deleted}}
file_users = file_users.replace("'", "").replace('"', '').split('&&')
file_users = [user.strip() for user in file_users]
for user in file_users:
try:
if user not in actual_users:
win32security.LsaAddAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], [policy["right_type"]])
granted.append(user)
except Exception as e:
continue
for user in actual_users:
try:
if user not in file_users:
win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]])
deleted.append(user)
except Exception as e:
continue
return {"status": 0, "msg": {"granted": granted, "deleted": deleted}}
def remove_user_privilege(self, name, privilege):
try:
acc_sid = win32security.LookupAccountName(self.dcName, self.userName)[0]
win32security.LsaRemoveAccountRights(self._policy, acc_sid, 0, (privilege,))
except pywintypes.error as e:
return UserHelper.ACTION_FAILED, e.strerror
return UserHelper.ACTION_OK, "Privilege removed."
def user_rights_policy(self, policy, val):
granted = val["granted"]
deleted = val["deleted"]
for user in granted:
try:
win32security.LsaRemoveAccountRights(
win32security.LsaOpenPolicy("", 25),
win32security.LookupAccountName(None, user)[0], 0,
[policy["right_type"]])
except Exception as e:
continue
for user in deleted:
try:
win32security.LsaAddAccountRights(
win32security.LsaOpenPolicy("", 25),
win32security.LookupAccountName(None, user)[0],
[policy["right_type"]])
except Exception as e:
continue
return {"status": 0, "msg": "Success"}
win32con.SE_PRIVILEGE_ENABLED) ##doesn't seem to be in ntsecuritycon.py ?
)
ph = win32api.GetCurrentProcess()
th = win32security.OpenProcessToken(
ph, win32security.TOKEN_ALL_ACCESS) ##win32con.TOKEN_ADJUST_PRIVILEGES)
win32security.AdjustTokenPrivileges(th, 0, new_privs)
policy_handle = win32security.GetPolicyHandle('',
win32security.POLICY_ALL_ACCESS)
tmp_sid = win32security.LookupAccountName('', 'tmp')[0]
privs = [
ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME,
ntsecuritycon.SE_RESTORE_NAME, ntsecuritycon.SE_REMOTE_SHUTDOWN_NAME
]
win32security.LsaAddAccountRights(policy_handle, tmp_sid, privs)
privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid)
for priv in privlist:
print(priv)
privs = [ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME]
win32security.LsaRemoveAccountRights(policy_handle, tmp_sid, 0, privs)
privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid)
for priv in privlist:
print(priv)
win32security.LsaClose(policy_handle)
