mbrownnycnyc/worksheet.ps1

## worksheet.ps1
#https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

$userrights_readable = "Access Credential Manager as a trusted caller","Access this computer from the network","Act as part of the operating system","Add workstations to domain","Adjust memory quotas for a process","Allow log on locally","Allow log on through Remote Desktop Services","Back up files and directories","Bypass traverse checking","Change the system time","Change the time zone","Create a pagefile","Create a token object","Create global objects","Create permanent shared objects","Create symbolic links","Debug programs","Deny access to this computer from the network","Deny log on as a batch job","Deny log on as a service","Deny log on locally","Deny log on through Terminal Services","Enable computer and user accounts to be trusted for delegation","Force shutdown from a remote system","Generate security audits","Impersonate a client after authentication","Increase a process working set","Increase scheduling priority","Load and unload device drivers","Lock pages in memory","Log on as a batch job","Log on as a service","Manage auditing and security log","Modify an object label","Modify firmware environment values","Perform volume maintenance tasks","Profile single process","Profile system performance","Remove computer from docking station","Replace a process level token","Restore files and directories","Shut down the system","Synchronize directory service data","Take ownership of files or other objects"
$userrights_constant = "SeTrustedCredManAccessPrivilege","SeNetworkLogonRight","SeTcbPrivilege","SeMachineAccountPrivilege","SeIncreaseQuotaPrivilege","SeInteractiveLogonRight","SeRemoteInteractiveLogonRight","SeBackupPrivilege","SeChangeNotifyPrivilege","SeSystemtimePrivilege","SeTimeZonePrivilege","SeCreatePagefilePrivilege","SeCreateTokenPrivilege","SeCreateGlobalPrivilege","SeCreatePermanentPrivilege","SeCreateSymbolicLinkPrivilege","SeDebugPrivilege","SeDenyNetworkLogonRight","SeDenyBatchLogonRight","SeDenyServiceLogonRight","SeDenyInteractiveLogonRight","SeDenyRemoteInteractiveLogonRight","SeEnableDelegationPrivilege","SeRemoteShutdownPrivilege","SeAuditPrivilege","SeImpersonatePrivilege","SeIncreaseWorkingSetPrivilege","SeIncreaseBasePriorityPrivilege","SeLoadDriverPrivilege","SeLockMemoryPrivilege","SeBatchLogonRight","SeServiceLogonRight","SeSecurityPrivilege","SeRelabelPrivilege","SeSystemEnvironmentPrivilege","SeManageVolumePrivilege","SeProfileSingleProcessPrivilege","SeSystemProfilePrivilege","SeUndockPrivilege","SeAssignPrimaryTokenPrivilege","SeRestorePrivilege","SeShutdownPrivilege","SeSyncAgentPrivilege","SeTakeOwnershipPrivilege"

$ntrights = @()

foreach ($item in $userrights_readable) {
  $tempobj = "" | select readable, constant

  $tempobj.readable = $item
  $tempobj.constant = $userrights_constant[$userrights_readable.indexof($item)]

  $ntrights += $tempobj
}


#here you can paste in readble privs and

$here = @"
Access this computer from the network
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
"@

$listtolookup = $here -split "`n"


#determine the location of each $listtolookup item in the $ntrights.readable array and replace '1's with tab characters (`t)
$locationstoreplace = @()
foreach ($item in $listtolookup) {
  $locationstoreplace += $userrights_readable.indexof($item) + 1

}

#this will help populate columns in a spreadsheet where all privs are listed in a row
  # you can create a risk score for each priv, then multiply by the item per row
  #this will allow for risk scoring per group or user, which will help set a threshold of risk for prived groups

$instring = ""
for ($i=1; $i -le $userrights_readable.count; $i++) {
  $i
  if ($locationstoreplace -contains $i) {
    $instring += "1`t"
  } else {
    $instring += "`t"
  }
}
	#https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

	$userrights_readable = "Access Credential Manager as a trusted caller","Access this computer from the network","Act as part of the operating system","Add workstations to domain","Adjust memory quotas for a process","Allow log on locally","Allow log on through Remote Desktop Services","Back up files and directories","Bypass traverse checking","Change the system time","Change the time zone","Create a pagefile","Create a token object","Create global objects","Create permanent shared objects","Create symbolic links","Debug programs","Deny access to this computer from the network","Deny log on as a batch job","Deny log on as a service","Deny log on locally","Deny log on through Terminal Services","Enable computer and user accounts to be trusted for delegation","Force shutdown from a remote system","Generate security audits","Impersonate a client after authentication","Increase a process working set","Increase scheduling priority","Load and unload device drivers","Lock pages in memory","Log on as a batch job","Log on as a service","Manage auditing and security log","Modify an object label","Modify firmware environment values","Perform volume maintenance tasks","Profile single process","Profile system performance","Remove computer from docking station","Replace a process level token","Restore files and directories","Shut down the system","Synchronize directory service data","Take ownership of files or other objects"
	$userrights_constant = "SeTrustedCredManAccessPrivilege","SeNetworkLogonRight","SeTcbPrivilege","SeMachineAccountPrivilege","SeIncreaseQuotaPrivilege","SeInteractiveLogonRight","SeRemoteInteractiveLogonRight","SeBackupPrivilege","SeChangeNotifyPrivilege","SeSystemtimePrivilege","SeTimeZonePrivilege","SeCreatePagefilePrivilege","SeCreateTokenPrivilege","SeCreateGlobalPrivilege","SeCreatePermanentPrivilege","SeCreateSymbolicLinkPrivilege","SeDebugPrivilege","SeDenyNetworkLogonRight","SeDenyBatchLogonRight","SeDenyServiceLogonRight","SeDenyInteractiveLogonRight","SeDenyRemoteInteractiveLogonRight","SeEnableDelegationPrivilege","SeRemoteShutdownPrivilege","SeAuditPrivilege","SeImpersonatePrivilege","SeIncreaseWorkingSetPrivilege","SeIncreaseBasePriorityPrivilege","SeLoadDriverPrivilege","SeLockMemoryPrivilege","SeBatchLogonRight","SeServiceLogonRight","SeSecurityPrivilege","SeRelabelPrivilege","SeSystemEnvironmentPrivilege","SeManageVolumePrivilege","SeProfileSingleProcessPrivilege","SeSystemProfilePrivilege","SeUndockPrivilege","SeAssignPrimaryTokenPrivilege","SeRestorePrivilege","SeShutdownPrivilege","SeSyncAgentPrivilege","SeTakeOwnershipPrivilege"

	$ntrights = @()

	foreach ($item in $userrights_readable) {
	$tempobj = "" \| select readable, constant

	$tempobj.readable = $item
	$tempobj.constant = $userrights_constant[$userrights_readable.indexof($item)]

	$ntrights += $tempobj
	}



	#here you can paste in readble privs and

	$here = @"
	Access this computer from the network
	Add workstations to domain
	Adjust memory quotas for a process
	Allow log on locally
	Allow log on through Remote Desktop Services
	Back up files and directories
	Bypass traverse checking
	Change the system time
	Change the time zone
	Create a pagefile
	Create global objects
	Create symbolic links
	Debug programs
	Enable computer and user accounts to be trusted for delegation
	Force shutdown from a remote system
	Impersonate a client after authentication
	Increase a process working set
	Increase scheduling priority
	Load and unload device drivers
	Log on as a batch job
	Manage auditing and security log
	Modify firmware environment values
	Perform volume maintenance tasks
	Profile single process
	Profile system performance
	Remove computer from docking station
	Restore files and directories
	Shut down the system
	"@

	$listtolookup = $here -split "`n"


	#determine the location of each $listtolookup item in the $ntrights.readable array and replace '1's with tab characters (`t)
	$locationstoreplace = @()
	foreach ($item in $listtolookup) {
	$locationstoreplace += $userrights_readable.indexof($item) + 1

	}

	#this will help populate columns in a spreadsheet where all privs are listed in a row
	# you can create a risk score for each priv, then multiply by the item per row
	#this will allow for risk scoring per group or user, which will help set a threshold of risk for prived groups

	$instring = ""
	for ($i=1; $i -le $userrights_readable.count; $i++) {
	$i
	if ($locationstoreplace -contains $i) {
	$instring += "1`t"
	} else {
	$instring += "`t"
	}
	}