A Powershell module that stands on the shoulders of the original NetCease and SAMRi10 work and rolls them up into one, with some added functionality.
For a great overview on these two originating scripts and their intentions check out this Stealthbits blogpost.
I'm lucky enough to do this for a living. Any donations will be passed on to my local foodbank, animal sanctuary and animal rescue centres.
To view the settings applied to your local machine use:
Get-SessionEnumPermissions | Format-Table
If you are working with an existing Group Policy Object and want to translate the hex value that is set use the following, swapping the hex string to the one set at Computer Configuration/Preferences/Windows Settings/Registry/SrvSvcSessionInfo/General:
Get-SessionEnumPermissions -gpostring "010004801400000020000000000000002c00000001010000000000051200000001010000000000051200000002008c000600000000001400ff011f0001010000000000050300000000001400ff011f0001010000000000050400000000001400ff011f000101000000000005060000000000180013000f00010200000000000520000000200200000000180013000f00010200000000000520000000230200000000180013000f0001020000000000052000000025020000" | Format-Table
To add or remove a user or group to or from the Session Enumeration permissions set in the local registry use the following. This will display a new hex string that can be set in a GPO setting at Computer Configuration/Preferences/Windows Settings/Registry/SrvSvcSessionInfo/General:
Add-SessionEnumUser -user "domain.com\user1" -fromreg
Remove-SessionEnumUser -user "domain.com\group1" -fromreg
To perform the same action but instead of displaying the new hex string set the new permission in the local registry use the -toreg parameter.
Powershell will need to be running with elevated privileges to set registry values.
Add-SessionEnumUser -user "domain.com\user1" -fromreg -toreg
The above cmdlets can also take input as a hexstring instead of the local registry. This can be used if you have already deployed permissions by GPO but want to add users to the value displayed at Computer Configuration/Preferences/Windows Settings/Registry/SrvSvcSessionInfo/General.
The output will be the new hex string.
Add-SessionEnumUser -user "domain.com\group2" -gpostring "010004801400000020000000000000002c00000001010000000000051200000001010000000000051200000002008c000600000000001400ff011f0001010000000000050300000000001400ff011f0001010000000000050400000000001400ff011f000101000000000005060000000000180013000f00010200000000000520000000200200000000180013000f00010200000000000520000000230200000000180013000f0001020000000000052000000025020000"
To view the settings applied to your local machine you can use the following command. This displays the local settings as an ACL and also an SDDL string:
Get-RemoteSamPermissions
If you are working with an existing Group Policy Object and want to translate the SDDL string that is set use the following command, swapping the SDDL string to the one set at "Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Other/Network access: Restrict clients allowed to make remote calls to SAM":
Get-RemoteSamPermissions -gpostring "O:BAG:BAD:(A;;RC;;;BA)"
To add or remove a user or group to or from the Remote SAM Enumeration permissions set in the local registry use the following. This will display a new SDDL string that can be set in a GPO setting at "Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Other/Network access: Restrict clients allowed to make remote calls to SAM":
Add-RemoteSAMUser -user "domain.com\user1" -fromreg
Remove-RemoteSAMUser -user "domain.com\group2" -fromreg
To perform the same action but instead of displaying the new SDDL string set the new permission in the local registry use the -toreg parameter.
Powershell will need to be running with elevated privileges to set registry values.
Add-RemoteSAMUser -user "domain.com\user1" -fromreg -toreg
The above cmdlets can also take input as an SDDL string instead of the local registry. This can be used if you have already deployed permissions by GPO but want to add users to the value displayed at "Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Other/Network access: Restrict clients allowed to make remote calls to SAM" The output will be the new SDDL string.
Add-RemoteSAMUser -user "domain.com\user2" -gpostring "O:BAG:BAD:(A;;RC;;;BA)"