Replace "Everyone" group from "Allow access to this computer from network"

Hello,

Requirement: Remove “Everyone” group from network logon rights on Windows systems.

I’m trying to replace the group “Everyone” from “Access this computer from network” under Local Computer Policy --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignments

I got the value for accounts with network logon rights by:
concatenation ", " of (account names of sids of accounts with privilege "SeNetworkLogonRight" as string)

Now I want to replace “Everyone” from this string and set that under “Access this computer from network”

Or if there are other fixlets under SCM that can accomplish this, I’ll be happy to use them.

Do you want to remove Everyone, or replace it with something else?

Hi Jason,
I would like to remove Everyone from the list.
Example:
If existing value is - Users, Everyone, Administrators
New value should be - Users, Administrators

Thank you!

We can use the ‘secedit.exe’ utility to retrieve & set user rights assignments.

secedit /export /cfg secedit.inf /areas USER_RIGHTS

exports the current User Rights assignments to a file that we can review. Sample output looks like

[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
....
[Version]
signature="$CHICAGO$"
Revision=1

“SeNetworkLogonRight” is the “Access this computer from the network” right. We can see the format is a “*” character plus the SID component strings. Some examples of building this in Relevance, and then excluding the “Everyone” SID (“S-1-1-0”):

q: concatenation "," of (sids of accounts with privilege "SeNetworkLogonRight" as string)
A: S-1-5-32-551,BUILTIN\Users,BUILTIN\Administrators,Everyone
I: singular string

q: concatenation "," of component strings of sids of accounts with privilege "SeNetworkLogonRight" as string
A: S-1-5-32-551,S-1-5-32-545,S-1-5-32-544,S-1-1-0
I: singular string

q: concatenation "," of ("*" & it) of (component strings of sids whose (it as string != "Everyone") of accounts with privilege "SeNetworkLogonRight" as string)
A: *S-1-5-32-551,*S-1-5-32-545,*S-1-5-32-544
I: singular string

For the Fixlet Relevance, we can use

exists sids whose (it as string = "Everyone") of accounts with privilege "SeNetworkLogonRight"

For the ActionScript to remove Everyone, we can use

action uses wow64 redirection {not x64 of operating system}

delete __createfile
createfile until EOF_EOF_EOF_EOF

[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = {concatenation "," of ("*" & it) of (component strings of sids whose (it as string != "Everyone") of accounts with privilege "SeNetworkLogonRight" as string)}
[Version]
signature="$CHICAGO$"
Revision=1
EOF_EOF_EOF_EOF

delete secedit.inf
move __createfile secedit.inf
waithidden secedit.exe /configure /db secedit.sdb /cfg secedit.inf
3 Likes
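The rewrite that the ActionScript above performs can be previewed offline against a saved `secedit /export` file before the action is deployed. The following is an added example, not part of the thread or of BigFix: the function names and the sample export are constructed for illustration, it matches on the SID `S-1-1-0` rather than the display name, and it refuses to emit a template that would leave the right with no accounts.

```python
EVERYONE_SID = "S-1-1-0"        # SID of Everyone, as given in the thread
RIGHT = "SeNetworkLogonRight"   # "Access this computer from the network"

# Constructed sample, modelled on the export shown in the thread.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""


def holders(export_text, right=RIGHT):
    """Return the entries assigned to `right` in the [Privilege Rights] section."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                return [e.strip() for e in value.split(",") if e.strip()]
    return []


def template_without_everyone(export_text, right=RIGHT):
    """Build a minimal secedit template for `right` with Everyone removed."""
    kept = [e for e in holders(export_text, right)
            if e.lstrip("*").upper() != EVERYONE_SID]
    if not kept:
        # An empty assignment would strip the right from every account.
        raise ValueError(f"{right} would be left with no accounts")
    return "\n".join([
        "[Unicode]", "Unicode=yes",
        "[Privilege Rights]", f"{right} = {','.join(kept)}",
        "[Version]", 'signature="$CHICAGO$"', "Revision=1", "",
    ])
```

secedit writes its export as UTF-16, so on a real host read the file with `encoding="utf-16"` before passing its text to these functions.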

Thanks a lot Jason, this helps!