| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -PreferSmb | | `<SwitchParam>` | If the interface supports named pipes, attempt to connect over the named pipe instead of TCP |
| -SpnOverride | | `<SpnMapping[]>` | Specifies an SPN override |
| -AuthProxy | | `<EndPoint>` | Endpoint of auth proxy |
| -Socks5 | | `<host-or-ip:port>` | End point of SOCKS 5 server to use |

Output

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -LogLevel | | `<LogMessageSeverity>` | Sets the lowest level of messages to log. Possible values: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical |
| -ConsoleLogFormat | -LogFormat | `<LogFormat>` | Sets the format of log messages written to the console. Default: 0. Possible values: Text, TextWithTimestamp, Json |
| -Verbose | -V | `<SwitchParam>` | Prints verbose messages |
| -Diagnostic | -vv | `<SwitchParam>` | Prints diagnostic messages |
| -HumanReadable | | `<SwitchParam>` | Formats file sizes as human-readable values |

Authentication

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -Anonymous | | `<SwitchParam>` | Uses anonymous login |
| -UserName | -u | `<UserPrincipalName>` | User name to authenticate with, not including the domain |
| -UserDomain | -ud | `<String>` | Domain of user to authenticate with |
| -Password | -p | `<String>` | Password to authenticate with |
| -NtlmHash | | `<hexadecimal hash>` | NTLM hash for NTLM authentication |

Authentication (Kerberos)

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -AesKey | | `<HexString>` | AES key (128 or 256) |
| -DesKey | | `<HexString>` | DES key |
| -Tgt | | `<String>` | Name of file containing a ticket-granting ticket (.kirbi or ccache) |
| -Tickets | | `<String[]>` | Name of file containing service tickets (.kirbi or ccache) |
| -TicketCache | | `<String>` | Name of ticket cache file |
| -K, -Kdc | | `<host-or-ip:port>` | KDC endpoint |
| -S4UserName | | `<UserPrincipalName>` | Name of user to impersonate with S4U |
| -U2UserName | | `<UserPrincipalName>` | User name to request TGT for U2U |
| -S4UserCert | | `<String>` | Name of file containing a certificate of a user to impersonate with S4U |
| -S4ProxyService | | `<SecurityPrincipalName>` | Name of service to proxy through |
| -UserCert | | `<String>` | Name of file containing user's certificate (for PKINIT) |
| -UserKey | | `<String>` | Name of file containing user's key (for PKINIT) |
| -UserKeyPassword | | `<String>` | Password to decrypt file containing user's key (for PKINIT) |

Authentication (NTLM)

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -Workstation | -w | `<String>` | Name of workstation to send with NTLM authentication |
| -NtlmVersion | | `<Version>` | NTLM version number (a.b.c.d) |

Connection

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -HostAddress | -ha | `<String[]>` | Network address(es) of the server |
| -UseTcp6Only | -6 | `<SwitchParam>` | Only use TCP over IPv6 endpoint |
| -UseTcp4Only | -4 | `<SwitchParam>` | Only use TCP over IPv4 endpoint |
| -Dialects | | `<Smb2Dialect[]>` | List of SMB2 dialects to negotiate. Possible values: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| -RequireSigning | -signreq | `<SwitchParam>` | Requires packets to be signed |
| -RequireSecureNegotiate | | `<SwitchParam>` | Requires the client to authenticate the negotiation |
| -EncryptSmb | | `<SwitchParam>` | Requires an encrypted connection |

Client Behavior

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -F, -FollowDfs | | `<SwitchParam>` | Checks for and follows DFS referrals (default=true) |
| -DfsReferralBufferSize | | `<Int32>` | Specifies the size for the DFS referral buffer (default=4096) |
Details
Each privilege may be given as its symbolic name or as its value, expressed as a 64-bit
integer. If the name is not a predefined privilege, Lsa addpriv resolves the
name with the remote LSA.
This command cannot be used to grant a user right.
Note that the LSA tracks accounts separately from the SAM. Even for local
accounts, you may need to create the LSA account first.
Examples
Example 1 - Add SeLoadDriverPrivilege and SeTcbPrivilege to Administrators
Details
By default, the output only includes the SIDs of the accounts. Use
-OutputFields if you want additional information such as the account or domain
name. The additional fields require another RPC call to the server.
Details
Each privilege may be given as its symbolic name or as its value, expressed as a 64-bit
integer. If the name is not a predefined privilege, Lsa rmpriv resolves the
name with the remote LSA. For predefined privilege names (those in the help
text), you are not required to append `Privilege` to the name.
To remove all privileges, use `*`. Note that you may have to escape this
depending on which shell you are using.
This command cannot be used to remove a user right.
Note that the LSA tracks accounts separately from the SAM. Even for local
accounts, you may need to create the LSA account first.
Examples
Example 1 - Remove SeTcbPrivilege from Administrators
Sets the system access rights granted to an account
Synopsis
Lsa setsysaccess [options] <ServerName> <Rights>
Parameters

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| `<ServerName>` | | `<String>` | RPC server to interact with |
| `<Rights>` | | `<SystemAccessRights[]>` | Access rights to grant. Possible values: None, SeInteractiveLogonRight, SeNetworkLogonRight, SeBatchLogonRight, SeServiceLogonRight, SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight, SeDenyBatchLogonRight, SeDenyServiceLogonRight, SeRemoteInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight |

Options

| Name | Aliases | Value | Description |
| --- | --- | --- | --- |
| -Reset | | `<SwitchParam>` | Clears any rights already set on the account |
| -ConsoleOutputStyle | -OutputStyle | `<OutputStyle>` | Determines the output style. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json |
| -OutputFields | | `<String[]>` | Fields to display in output. Possible values: Value |
| -OutputHeaders | | `<SwitchParam>` | Print headers for table/list/CSV/TSV styles. Default: True |
| -BySid | | `<SecurityIdentifier>` | SID of account |
| -ByName | | `<String>` | Account name |
| -Spnego | | `<SwitchParam>` | Uses SPNEGO for authentication |
| -AuthEpm | | `<SwitchParam>` | Authenticates EP mapper requests |
| -EncryptEpm | | `<SwitchParam>` | Encrypts EP mapper requests |
| -EncryptRpc | | `<SwitchParam>` | Encrypts RPC messages |
| -PreferSmb | | `<SwitchParam>` | If the interface supports named pipes, attempt to connect over the named pipe instead of TCP |
| -SpnOverride | | `<SpnMapping[]>` | Specifies an SPN override |
| -AuthProxy | | `<EndPoint>` | Endpoint of auth proxy |
| -Socks5 | | `<host-or-ip:port>` | End point of SOCKS 5 server to use |

The Output, Authentication, Authentication (Kerberos), Authentication (NTLM), Connection and Client Behavior option groups are common to all Lsa commands; see the tables at the top of this page.
Details
By default, the specified access rights are added to the rights already granted
to the account. Use -Reset to clear the existing access rights and grant only the
rights specified. To remove all access rights currently granted, use -Reset and
specify a single right of 0.