We can use the ‘secedit.exe’ utility to retrieve & set user rights assignments.
secedit /export /cfg secedit.inf /areas USER_RIGHTS
exports the current User Rights assignments to a file that we can review. Sample output looks like:
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
....
[Version]
signature="$CHICAGO$"
Revision=1
“SeNetworkLogonRight” is the “Access this computer from the network” right. We can see the format is a “*” character plus the SID component strings. Some examples of building this in Relevance, and then excluding the “Everyone” SID (“S-1-1-0”):
q: concatenation "," of (sids of accounts with privilege "SeNetworkLogonRight" as string)
A: S-1-5-32-551,BUILTIN\Users,BUILTIN\Administrators,Everyone
I: singular string
q: concatenation "," of component strings of sids of accounts with privilege "SeNetworkLogonRight" as string
A: S-1-5-32-551,S-1-5-32-545,S-1-5-32-544,S-1-1-0
I: singular string
q: concatenation "," of ("*" & it) of (component strings of sids whose (it as string != "Everyone") of accounts with privilege "SeNetworkLogonRight" as string)
A: *S-1-5-32-551,*S-1-5-32-545,*S-1-5-32-544
I: singular string
For the Fixlet Relevance, we can use
exists sids whose (it as string = "Everyone") of accounts with privilege "SeNetworkLogonRight"
For the ActionScript to remove Everyone, we can use
action uses wow64 redirection {not x64 of operating system}
delete __createfile
createfile until EOF_EOF_EOF_EOF
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = {concatenation "," of ("*" & it) of (component strings of sids whose (it as string != "Everyone") of accounts with privilege "SeNetworkLogonRight" as string)}
[Version]
signature="$CHICAGO$"
Revision=1
EOF_EOF_EOF_EOF
delete secedit.inf
move __createfile secedit.inf
waithidden secedit.exe /configure /db secedit.sdb /cfg secedit.inf
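To check an exported file outside of BigFix, before or after the action runs, the following added example (not part of the original post) parses the [Privilege Rights] section and rebuilds the same single-right template the action writes. The function names are hypothetical, the sample text is constructed from the export shown above, and the match is on the SID string S-1-1-0 rather than the display name "Everyone". It also refuses to write a template that would leave the right with no accounts.

```python
import re

EVERYONE = "S-1-1-0"  # well-known SID for Everyone

# Constructed sample, modelled on the export shown above.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [entries]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return rights

def holds_right(rights, right, sid):
    """True if the SID is assigned the right ('*' marks a SID entry)."""
    return "*" + sid.upper() in (e.upper() for e in rights.get(right, []))

def template_without(rights, right, sid):
    """Build a template for one right with the SID removed."""
    keep = [e for e in rights.get(right, []) if e.upper() != "*" + sid.upper()]
    if not keep:  # an empty assignment would leave no account with the right
        raise ValueError(f"refusing to write an empty {right} assignment")
    return "\r\n".join([
        "[Unicode]", "Unicode=yes",
        "[Privilege Rights]", f"{right} = {','.join(keep)}",
        "[Version]", 'signature="$CHICAGO$"', "Revision=1", ""])

if __name__ == "__main__":
    # A real export is normally UTF-16: open("secedit.inf", encoding="utf-16").read()
    parsed = parse_privilege_rights(SAMPLE_INF)
    if holds_right(parsed, "SeNetworkLogonRight", EVERYONE):
        print(template_without(parsed, "SeNetworkLogonRight", EVERYONE))
```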