How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell

Question

How to add a user group in the "Shut down the system" group policy in Windows Server by CMD or PowerShell

I've read some documentation on Microsoft and other sites. Some of them suggest GPRegistryValue for registry-based policies and other recommended third-party software.

The full path of the key is: "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment"

But in my case I cannot use other packages except CMD or PowerShell (UI not available).

Thanks

Answer 1

Windows provides the secedit.exe tool for this and or custom code, as per the link provided in my comment to you.

Also, did you check the mspowershellgallery.com site for modules that assist with local user security policy?

Find-Module -Name '*sec*pol*'
# Results
<#
Version  Name                    Repository Description                                                                                                
-------  ----                    ---------- -----------                                                                                                
2.10.0.0 SecurityPolicyDsc       PSGallery  This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments
1.3.2    Indented.SecurityPolicy PSGallery  Security management functions and resources                                                                
0.0.12   SecurityPolicy          PSGallery  Module that allows getting, adding and removing User Rights Assignment without using secedit.exe
#>

and

Find-Module -Name '*rights*'
# Results
<#
Version Name                        Repository Description
------- ----                        ---------- -----------
1.0.2   cUserRightsAssignment       PSGallery  The cUserRightsAssignment module contains the cUserRight DSC resource ...
1.0.0   UserRightsAssignment        PSGallery  Analyze the effective User Rights Assignments on a computer and compare results
1.0.1   KMaks.ActiveDirectoryRights PSGallery  This module helps with ActiveDirectory ACL auditing.
#>

Update as per '@Vomit IT - Chunky Mess Style', suggestion.

# Doing this with Secedit and Powershell - something I used in the past

#Get SID from current user
$objUser = New-Object System.Security.Principal.NTAccount("$ENV:userdomain\$ENV:username")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$MySID = $strSID.Value

#Get list of currently used SIDs
secedit /export /cfg tempexport.inf
$curSIDs = Select-String .\tempexport.inf -Pattern "SeShutdownPrivilege "
$Sids = $curSIDs.line
copy .\LogOnAsAService.inf .\LogOnAsAServiceTemplate.inf
add-content .\LogOnAsAServiceTemplate.inf "$Sids,*$MySID"

$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
secedit /import /db secedit.sdb /cfg "$scriptPath\LogOnAsAServiceTemplate.inf"
secedit /configure /db secedit.sdb

gpupdate /force

The more succinct/elegant option.

# Using one of the modules - just replace the right needed.
Find-Module -Name 'SecurityPolicy' | 
Install-Module -Force

Get-Command -Module 'SecurityPolicy'
# Results
<#
CommandType Name                        Version Source        
----------- ----                        ------- ------        
Function    Add-UserRightsAssignment    0.0.12  SecurityPolicy
Function    Get-SecurityPolicy          0.0.12  SecurityPolicy
Function    Get-UserRightsAssignment    0.0.12  SecurityPolicy
Function    Remove-UserRightsAssignment 0.0.12  SecurityPolicy
Function    Set-SecurityPolicy          0.0.12  SecurityPolicy
Function    Set-UserRightsAssignment    0.0.12  SecurityPolicy
#>

Get-Help -Name 'Add-UserRightsAssignment' -Examples
# Results
<#
    -------------------------- EXAMPLE 1 --------------------------
    
    PS C:\>Add-UserRightsAssignment -UserRightsAssignment SeBackupPrivilege -Identity "Evotec\Administrator"
#>

FYI --- Update for '@Vomit IT - Chunky Mess Style'. Using the PS_LSA.Wrapper

Add-Type @'
    lots of library code here
'@

$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)

$LocalUserRights | 
Get-Member
# Results
<#
   TypeName: PS_LSA.LsaWrapper

Name                           MemberType   Definition                                                      
----                           ----------   ----------                                                      
AddPrivilege                   Method       void AddPrivilege(string account, PS_LSA.Rights privilege)      
...                     
EnumerateAccountPrivileges     Method       PS_LSA.Rights[] EnumerateAccountPrivileges(string account)      
EnumerateAccountsWithUserRight Method       string[] EnumerateAccountsWithUserRight(PS_LSA.Rights privilege)
...                                                 
RemovePrivilege                Method       void RemovePrivilege(string account, PS_LSA.Rights privilege)   
...
#>

# Examples:

$LocalUserRights = New-Object PS_LSA.LsaWrapper($env:COMPUTERNAME)

$LocalUserRights.AddPrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")
$LocalUserRights.RemovePrivilege("$env:COMPUTERNAME\$env:USERNAME", "SeBatchLogonRight")