LocalSecurityEditor 1.0.0
.NET 8.0
This package targets .NET 8.0. The package is compatible with this framework or higher.
.NET Standard 2.0
This package targets .NET Standard 2.0. The package is compatible with this framework or higher.
.NET Framework 4.7.2
This package targets .NET Framework 4.7.2. The package is compatible with this framework or higher.
dotnet add package LocalSecurityEditor --version 1.0.0
NuGet\Install-Package LocalSecurityEditor -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="LocalSecurityEditor" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="LocalSecurityEditor" Version="1.0.0" />
<PackageReference Include="LocalSecurityEditor" />
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add LocalSecurityEditor --version 1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: LocalSecurityEditor, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package LocalSecurityEditor@1.0.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=LocalSecurityEditor&version=1.0.0
#tool nuget:?package=LocalSecurityEditor&version=1.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
LocalSecurityEditor - .NET Library
-8.0%20%7C%209.0-512BD4){kind=icon}
.NET library for managing local security policy (User Rights Assignment). This library powers PowerShell module scenarios and general .NET automation for querying and modifying User Rights Assignments (LSA policy).
Supported User Rights Assignment
| ConstantName | Group Policy Setting |
|---|---|
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller |
| SeNetworkLogonRight | Access this computer from the network |
| SeTcbPrivilege | Act as part of the operating system |
| SeMachineAccountPrivilege | Add workstations to domain |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
| SeInteractiveLogonRight | Allow log on locally |
| SeRemoteInteractiveLogonRight | Allow log on through Remote Desktop Services |
| SeBackupPrivilege | Back up files and directories |
| SeChangeNotifyPrivilege | Bypass traverse checking |
| SeSystemtimePrivilege | Change the system time |
| SeTimeZonePrivilege | Change the time zone |
| SeCreatePagefilePrivilege | Create a pagefile |
| SeCreateTokenPrivilege | Create a token object |
| SeCreateGlobalPrivilege | Create global objects |
| SeCreatePermanentPrivilege | Create permanent shared objects |
| SeCreateSymbolicLinkPrivilege | Create symbolic links |
| SeDebugPrivilege | Debug programs |
| SeDenyNetworkLogonRight | Deny access to this computer from the network |
| SeDenyBatchLogonRight | Deny log on as a batch job |
| SeDenyServiceLogonRight | Deny log on as a service |
| SeDenyInteractiveLogonRight | Deny log on locally |
| SeDenyRemoteInteractiveLogonRight | Deny log on through Remote Desktop Services |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system |
| SeAuditPrivilege | Generate security audits |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeIncreaseWorkingSetPrivilege | Increase a process working set |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
| SeLoadDriverPrivilege | Load and unload device drivers |
| SeLockMemoryPrivilege | Lock pages in memory |
| SeBatchLogonRight | Log on as a batch job |
| SeServiceLogonRight | Log on as a service |
| SeSecurityPrivilege | Manage auditing and security log |
| SeRelabelPrivilege | Modify an object label |
| SeSystemEnvironmentPrivilege | Modify firmware environment values |
| SeDelegateSessionUserImpersonatePrivilege | Obtain an impersonation token for another user in the same session |
| SeManageVolumePrivilege | Perform volume maintenance tasks |
| SeProfileSingleProcessPrivilege | Profile single process |
| SeSystemProfilePrivilege | Profile system performance |
| SeUndockPrivilege | Remove computer from docking station |
| SeAssignPrimaryTokenPrivilege | Replace a process level token |
| SeRestorePrivilege | Restore files and directories |
| SeShutdownPrivilege | Shut down the system |
| SeSyncAgentPrivilege | Synchronize directory service data |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects |
Example Local Computer (LSA wrapper)
using System;
using LocalSecurityEditor;
namespace TestApp {
internal class Program {
static void Main() {
string[] accounts;
Console.WriteLine("[*] Displaying current assignments (local)");
using (LsaWrapper lsa = new LsaWrapper()) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Granting right to an account");
using (LsaWrapper lsa = new LsaWrapper()) {
lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
Console.WriteLine("[*] Displaying current assignments (local)");
using (LsaWrapper lsa = new LsaWrapper()) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Removing a principal and listing again");
using (LsaWrapper lsa = new LsaWrapper()) {
lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
using (LsaWrapper lsa = new LsaWrapper()) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
}
}
}
Example Remote Computer (LSA wrapper)
using System;
using LocalSecurityEditor;
namespace TestApp {
internal class Program {
static void Main() {
string[] accounts;
Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Granting right to an account");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
Console.WriteLine("[*] Removing the principal and listing again");
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
}
using (LsaWrapper lsa = new LsaWrapper("AD1")) {
accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
}
foreach (var account in accounts) {
Console.WriteLine(account);
}
}
}
}
Typed, OO API
using LocalSecurityEditor;
// Enumerate all rights (local)
var all = UserRights.Get();
foreach (var ura in all) {
Console.WriteLine($"{ura.ShortName}: {ura.Count} principals");
}
// Lazy streaming
foreach (var ura in new UserRights().EnumerateLazy()) {
Console.WriteLine(ura);
}
// Single right as typed object with principals
var svc = UserRightsAssignment.SeServiceLogonRight.Get();
foreach (var p in svc.Principals) {
Console.WriteLine($"{p.AccountName} -> {p.SidString}");
}
// Remote machine catalog
var allRemote = UserRights.Get("SERVER01");
// Add/Remove/Set via fluent extensions
UserRightsAssignment.SeBatchLogonRight.Add(@"DOMAIN\\svc_batch");
UserRightsAssignment.SeBatchLogonRight.Remove(@"DOMAIN\\old_user");
var result = UserRightsAssignment.SeDenyRemoteInteractiveLogonRight.Set(new[]{ @"DOMAIN\\contractor1", @"DOMAIN\\contractor2"});
Console.WriteLine(result); // e.g., SeDenyRemoteInteractiveLogonRight: +1 -0
// Batching with a manager (remote)
using (var ur = new UserRights("SERVER01")) {
ur.Add(UserRightsAssignment.SeBatchLogonRight, new [] { @"DOMAIN\\svc_batch" });
var summary = ur.Set(UserRightsAssignment.SeServiceLogonRight, new [] { @"DOMAIN\\svc_svc" });
Console.WriteLine(summary);
}
Async APIs
// Single right (local)
var svc = await new UserRights().GetStateAsync(UserRightsAssignment.SeServiceLogonRight, ct);
// Enumerate all (remote)
var all = await new UserRights("SERVER01").EnumerateAsync(ct);
// Fluent async extensions
var svc2 = await UserRightsAssignment.SeServiceLogonRight.GetAsync("SERVER01", ct);
Thread Safety
- The library is safe to use from multiple tasks.
- Internally it uses a reader–writer lock:
- Reads may run in parallel; writes are exclusive; dispose is exclusive.
- Prefer reusing a single
UserRightsinstance for batching, or create per-task instances for isolation.
Generate service SIDs
string serviceName = "ADSync";
string serviceExpectedSid = "S-1-5-80-3245704983-3664226991-764670653-2504430226-901976451";
string serviceSid = NTService.GenerateSID(serviceName);
Console.WriteLine($"The SID for the service '{serviceName}' is: {serviceSid} {serviceExpectedSid} {(serviceSid == serviceExpectedSid)}");
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net8.0-windows7.0 is compatible. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net9.0-windows7.0 is compatible. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
| .NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
| .NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
| .NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 is compatible. net48 was computed. net481 was computed. |
| MonoAndroid | monoandroid was computed. |
| MonoMac | monomac was computed. |
| MonoTouch | monotouch was computed. |
| Tizen | tizen40 was computed. tizen60 was computed. |
| Xamarin.iOS | xamarinios was computed. |
| Xamarin.Mac | xamarinmac was computed. |
| Xamarin.TVOS | xamarintvos was computed. |
| Xamarin.WatchOS | xamarinwatchos was computed. |
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.
-
.NETFramework 4.7.2
- No dependencies.
-
.NETStandard 2.0
- System.Security.Principal.Windows (>= 5.0.0)
-
net8.0-windows7.0
- No dependencies.
-
net9.0-windows7.0
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
TFMs: net472, net8.0-windows, net9.0-windows, netstandard2.0. Added extensive XML docs. Fixed CA1416 warnings and license metadata.