Powershell output to test file not readable using managed property

Hi people
I am trying to find out how wide the issue is where a number of servers have lost the logon as a service right. The username has reverted to a SID so rights are not being applied. The account is a local admin account on all servers and the right is applied to the customer OU only.

When I run the following script:-

Createfile until EOF
# Export the security policy to a temporary file
$tempFile = "$env:TEMP\secpol.inf"
secedit /export /cfg $tempFile
# Read the contents of the file
$secpolContent = Get-Content -Path $tempFile
# Find the line that contains the "Logon As A Service" right
$logonAsServiceLine = $secpolContent | Select-String -Pattern "SeServiceLogonRight"
# Display the value
if ($logonAsServiceLine) {
    $logonAsServiceValue = $logonAsServiceLine -replace "SeServiceLogonRight = ", ""
    Write-Output "Logon As A Service right is assigned to: $logonAsServiceValue"
} else {
    Write-Output "No 'Logon As A Service' right found in the security policy."
}
# Clean up the temporary file
Remove-Item -Path $tempFile
EOF

copy __createfile c:\temp\ServiceLogonUers.ps1

//Run script to create file with list of users\groups that have 'logon as a service rights'
runhidden cmd.exe /c powershell.exe -ExecutionPolicy Bypass "c:\temp\ServiceLogonUers.ps1 | Out-File -FilePath C:\temp\LogonUsers.log"

I get correct output in the file logonUsers.log as follows:-

Line 1 = blank for some reason
Line 2 = The task has completed successfully.
Line 3 = See log %windir%\security\logs\scesrv.log for detail info.
Line 4 = Logon As A Service right is assigned to: *S-1-5-21-1281000843-3793813838-1924240112-1001,*S-1-5-21-1613761897-167951834-1983490406-500

So I am trying a managed property with following syntax:-
line 4 of files "C:\temp\LogonUsers.log"
in relevance debugger the output is
%00

Any ideas what I am doing wrong??

Could you please share your log file? I replicated your scenario by copying your logs into a test file and using the same relevance, and it correctly retrieves the 4th line without any issues. The problem might be related to how your file is being processed or its formatting.

Q: line 4 of file "C:\Temp\Test.txt"
A: Logon As A Service right is assigned to: *S-1-5-21-1281000843-3793813838-1924240112-1001,*S-1-5-21-1613761897-167951834-1983490406-500
T: 0.860 ms

It’s likely that the PowerShell script is outputting the file in some different UTF encoding or is inconsistent, and the way you’re pasting the text here in the Forum doesn’t make it easy to reproduce.

I’d try a couple of things in the debugger - first just retrieve ‘lines of file’ instead of just line 4, so we can see what the content actually is. And paste that into the forum using the ‘Code Markup’ or ‘Preformatted Text’ button on the page edit so we don’t get HTML formatting issues on the Forum. The “%00” symbol that’s being returned indicates a NULL character in the output file.

The other thing I'd suggest is to see whether pure Relevance works for this. We do have an inspector that lists accounts with the "Logon as a Service" right (SeServiceLogonRight). We can retrieve them as either resolved names (the default output for 'sid') or as the SID Component Strings.

q: sids of accounts with privilege "SeServiceLogonRight"
A: NT SERVICE\MSSQLSERVER
A: NT SERVICE\SQLSERVERAGENT
A: NT SERVICE\SQLTELEMETRY
A: NT SERVICE\ALL SERVICES
A: BES-ROOT\Administrator
A: BES-ROOT\SQLServer2005SQLBrowserUser$BES-ROOT
T: 234.903 ms
I: plural security identifier

q: component strings of sids of accounts with privilege "SeServiceLogonRight"
A: S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
A: S-1-5-80-344959196-2060754871-2302487193-2804545603-1466107430
A: S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
A: S-1-5-80-0
A: S-1-5-21-3836661096-1201878488-1650927155-500
A: S-1-5-21-3836661096-1201878488-1650927155-1001
T: 233.544 ms
I: plural string

My recollection is that if an account or group was assigned rights, but then that account has been deleted from Active Directory, the name no longer resolves and the 'sid' property shows the SID component string instead of the deleted account name - but I'm not positive on that so test it out.

On one of the machines where the user was removed, can you give the results from those two queries above?

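The NUL-character diagnosis in the reply above, as an added example that is not the thread's own code nor BigFix's: the script writes a constructed copy of the log with Out-File's default encoding and with -Encoding ASCII, counts the 0x00 bytes in each, and then translates the SIDs in line 4 back to account names to flag the ones that no longer map to an account (the check the original poster was after). The directory, file names and sample content are constructed.

```powershell
# Added example, not code from the thread or from BigFix. Windows PowerShell 5.1
# Out-File defaults to UTF-16LE, so each ASCII character is followed by a 0x00 byte,
# which a reader expecting ANSI/UTF-8 text reports as NUL (%00). On PowerShell 7 the
# default is already UTF-8, so both counts below are 0. Paths and content are constructed.
$demoDir = Join-Path $env:TEMP 'logonusers-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# Constructed sample mirroring the four lines of the original poster's LogonUsers.log
$sample = @(
    ''
    'The task has completed successfully.'
    'See log %windir%\security\logs\scesrv.log for detail info.'
    'Logon As A Service right is assigned to: *S-1-5-21-1281000843-3793813838-1924240112-1001,*S-1-5-21-1613761897-167951834-1983490406-500'
)

function Get-NulByteCount {
    param([string]$Path)
    # Count raw 0x00 bytes; any non-zero count will surface as %00 in a text reader
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return @($bytes | Where-Object { $_ -eq 0 }).Count
}

function Test-SidResolves {
    param([string]$Sid)
    # Translate the SID to DOMAIN\Name; a deleted account throws IdentityNotMappedException
    try {
        $null = (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount])
        return $true
    } catch { return $false }
}

$defaultFile = Join-Path $demoDir 'default.log'
$asciiFile   = Join-Path $demoDir 'ascii.log'
$sample | Out-File -FilePath $defaultFile                 # default encoding
$sample | Out-File -FilePath $asciiFile -Encoding ASCII   # single-byte, no BOM

"NUL bytes with default encoding : $(Get-NulByteCount $defaultFile)"
"NUL bytes with -Encoding ASCII  : $(Get-NulByteCount $asciiFile)"

# Split line 4 into its SIDs (secedit prefixes each with '*') and flag the ones that
# no longer map to an account name on this host. The constructed sample SIDs will not
# resolve anywhere, so both are reported.
$line4 = (Get-Content -Path $asciiFile)[3]
$sids  = ($line4 -split ':\s*', 2)[1] -split ',' | ForEach-Object { $_.TrimStart('*') }
$unresolved = $sids | Where-Object { -not (Test-SidResolves $_) }
"SIDs that do not resolve on this host: $($unresolved -join ', ')"
```

In the action script, adding `-Encoding ASCII` to the `Out-File -FilePath C:\temp\LogonUsers.log` call is the corresponding one-line change that keeps 0x00 bytes out of the file the relevance reads.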