Windows provides the secedit.exe tool for this and or custom code, as per the link provided in my comment to you.
Also, did you check the mspowershellgallery.com site for modules that assist with local user security policy?
Find-Module -Name '*sec*pol*'
# Results
<#
Version Name Repository Description
------- ---- ---------- -----------
2.10.0.0 SecurityPolicyDsc PSGallery This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments
1.3.2 Indented.SecurityPolicy PSGallery Security management functions and resources
0.0.12 SecurityPolicy PSGallery Module that allows getting, adding and removing User Rights Assignment without using secedit.exe
#>
and
Find-Module -Name '*rights*'
# Results
<#
Version Name Repository Description
------- ---- ---------- -----------
1.0.2 cUserRightsAssignment PSGallery The cUserRightsAssignment module contains the cUserRight DSC resource ...
1.0.0 UserRightsAssignment PSGallery Analyze the effective User Rights Assignments on a computer and compare results
1.0.1 KMaks.ActiveDirectoryRights PSGallery This module helps with ActiveDirectory ACL auditing.
#>
Update as per '@Vomit IT - Chunky Mess Style', suggestion.
# Doing this with Secedit and Powershell - something I used in the past
#Get SID from current user
$objUser = New-Object System.Security.Principal.NTAccount("$ENV:userdomain\$ENV:username")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$MySID = $strSID.Value
#Get list of currently used SIDs
secedit /export /cfg tempexport.inf
$curSIDs = Select-String .\tempexport.inf -Pattern "SeShutdownPrivilege "
$Sids = $curSIDs.line
copy .\LogOnAsAService.inf .\LogOnAsAServiceTemplate.inf
add-content .\LogOnAsAServiceTemplate.inf "$Sids,*$MySID"
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
secedit /import /db secedit.sdb /cfg "$scriptPath\LogOnAsAServiceTemplate.inf"
secedit /configure /db secedit.sdb
gpupdate /force
The more succinct/elegant option.
# Using one of the modules - just replace the right needed.
Find-Module -Name 'SecurityPolicy' |
Install-Module -Force
Get-Command -Module 'SecurityPolicy'
# Results
<#
CommandType Name Version Source
----------- ---- ------- ------
Function Add-UserRightsAssignment 0.0.12 SecurityPolicy
Function Get-SecurityPolicy 0.0.12 SecurityPolicy
Function Get-UserRightsAssignment 0.0.12 SecurityPolicy
Function Remove-UserRightsAssignment 0.0.12 SecurityPolicy
Function Set-SecurityPolicy 0.0.12 SecurityPolicy
Function Set-UserRightsAssignment 0.0.12 SecurityPolicy
#>
Get-Help -Name 'Add-UserRightsAssignment' -Examples
# Results
<#
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Add-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"
#>
FYI --- Update for '@Vomit IT - Chunky Mess Style'.
Using the PS_LSA.Wrapper
Add-Type @'
lots of library code here
'@
$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)
$LocalUserRights |
Get-Member
# Results
<#
TypeName: PS_LSA.LsaWrapper
Name MemberType Definition
---- ---------- ----------
AddPrivilege Method void AddPrivilege(string account, PS_LSA.Rights privilege)
...
EnumerateAccountPrivileges Method PS_LSA.Rights[] EnumerateAccountPrivileges(string account)
EnumerateAccountsWithUserRight Method string[] EnumerateAccountsWithUserRight(PS_LSA.Rights privilege)
...
RemovePrivilege Method void RemovePrivilege(string account, PS_LSA.Rights privilege)
...
#>
# Examples:
$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)
$LocalUserRights.AddPrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")
$LocalUserRights.RemovePrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")