We are in the process of enforcing new security requirements that call for specific enforcement of user rights (Local Security Policy \ Security Settings \ Local Policies \ User Rights Assignment). We are trying to find a method of dumping rights configuration on every server so that we can identify those servers they can be quickly re-mediated with a base group policy, and those that will require extra work to ensure that servers with special rights considerations are preserved and documented. We are hoping to use the same script to validate that the settings we push out from group policy actually apply to the servers.
I am not looking for someone to write the script. I just cannot find a way to dump the policy in an efficient way. We have tried two WBEM Classes (RSOP_PolicySetting and RSOP_UserPrivilegeRight). Both would be fine if they showed the local configuration as well as the domain propagated settings. We need the combined answer, not just the group policy based settings.
I found a method of using PSEXEC to execute SECEDIT to dump the settings on a remote system, I would then need to script the recovery of the output and change SIDS to user / groups. The method is looking pretty kludgy. Is there a better way to get this data and compile it for review? Powershell or command line is fine as long as we can do it remotely. WinRM is not allowed at our site, so any method dependent on that wont work for our purposes.