Revoke-Privilege
Revokes an identity's privileges to perform system operations and certain types of logons.
Syntax
Revoke-Privilege [-Identity] <String> [-Privilege] <String[]> [<CommonParameters>]
Description
Valid privileges are documented on Microsoft's website: Privilege Constants and Account Right Constants. Known values as of August 2014 are:
- SeAssignPrimaryTokenPrivilege
- SeAuditPrivilege
- SeBackupPrivilege
- SeBatchLogonRight
- SeChangeNotifyPrivilege
- SeCreateGlobalPrivilege
- SeCreatePagefilePrivilege
- SeCreatePermanentPrivilege
- SeCreateSymbolicLinkPrivilege
- SeCreateTokenPrivilege
- SeDebugPrivilege
- SeDenyBatchLogonRight
- SeDenyInteractiveLogonRight
- SeDenyNetworkLogonRight
- SeDenyRemoteInteractiveLogonRight
- SeDenyServiceLogonRight
- SeEnableDelegationPrivilege
- SeImpersonatePrivilege
- SeIncreaseBasePriorityPrivilege
- SeIncreaseQuotaPrivilege
- SeIncreaseWorkingSetPrivilege
- SeInteractiveLogonRight
- SeLoadDriverPrivilege
- SeLockMemoryPrivilege
- SeMachineAccountPrivilege
- SeManageVolumePrivilege
- SeNetworkLogonRight
- SeProfileSingleProcessPrivilege
- SeRelabelPrivilege
- SeRemoteInteractiveLogonRight
- SeRemoteShutdownPrivilege
- SeRestorePrivilege
- SeSecurityPrivilege
- SeServiceLogonRight
- SeShutdownPrivilege
- SeSyncAgentPrivilege
- SeSystemEnvironmentPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeTakeOwnershipPrivilege
- SeTcbPrivilege
- SeTimeZonePrivilege
- SeTrustedCredManAccessPrivilege
- SeUndockPrivilege
- SeUnsolicitedInputPrivilege
Related Commands
Parameters
| Name |
Type |
Description |
Required? |
Pipeline Input |
Default Value |
| Identity |
String |
The identity to grant a privilege. |
true |
false |
|
| Privilege |
String[] |
The privileges to revoke. |
true |
false |
|
EXAMPLE 1
Revoke-Privilege -Identity Batcomputer -Privilege SeServiceLogonRight
Revokes the Batcomputer account's ability to logon as a service. Don't restart that thing!