Merge pull request #12 from EvotecIT/Improve

Author: PrzemyslawKlys

Assets/README.MD

@@ -1,9 +1,16 @@
 # LocalSecurityEditor - .NET Library
 
-.NET library for managing local security policy (User Rights Assignment).
+[![NuGet Version](https://img.shields.io/nuget/v/LocalSecurityEditor)](https://www.nuget.org/packages/LocalSecurityEditor)
+[![NuGet Downloads](https://img.shields.io/nuget/dt/LocalSecurityEditor)](https://www.nuget.org/packages/LocalSecurityEditor)
+![.NET Framework 4.7.2](https://img.shields.io/badge/.NET%20Framework-4.7.2-512BD4)
+![.NET Standard 2.0](https://img.shields.io/badge/.NET%20Standard-2.0-512BD4)
+![.NET (Windows) 8.0 | 9.0](https://img.shields.io/badge/.NET%20(Windows)-8.0%20%7C%209.0-512BD4)
+![Platform Windows-only](https://img.shields.io/badge/Platform-Windows--only-blue)
 
+.NET library for managing local security policy (User Rights Assignment). This library powers PowerShell module scenarios and general .NET automation for querying and modifying User Rights Assignments (LSA policy).
 
-### Supported User Rights Assignement
+
+### Supported User Rights Assignment
 
 | ConstantName                              | Group Policy Setting                                               |
 | ----------------------------------------- | ------------------------------------------------------------------ |
@@ -53,7 +60,7 @@
 | SeSyncAgentPrivilege                      | Synchronize directory service data                                 |
 | SeTakeOwnershipPrivilege                  | Take ownership of files or other objects                           |
 
-### Example Local Computer
+### Example Local Computer (LSA wrapper)
 
 ```csharp
 using System;
@@ -64,7 +71,7 @@ namespace TestApp {
         static void Main() {
             string[] accounts;
 
-            Console.WriteLine("[*] Accessing  server - Displaying Current");
+            Console.WriteLine("[*] Displaying current assignments (local)");
 
             using (LsaWrapper lsa = new LsaWrapper()) {
                 accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
@@ -74,13 +81,13 @@ namespace TestApp {
                 Console.WriteLine(account);
             }
 
-            Console.WriteLine("[*] Adding Account to the Server");
+            Console.WriteLine("[*] Granting right to an account");
 
             using (LsaWrapper lsa = new LsaWrapper()) {
                 lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
             }
 
-            Console.WriteLine("[*] Accessing  server - Displaying Current");
+            Console.WriteLine("[*] Displaying current assignments (local)");
 
             using (LsaWrapper lsa = new LsaWrapper()) {
                 accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
@@ -90,13 +97,13 @@ namespace TestApp {
                 Console.WriteLine(account);
             }
 
-            Console.WriteLine("[*] Accessing  server - Displaying Current");
+            Console.WriteLine("[*] Removing a principal and listing again");
 
             using (LsaWrapper lsa = new LsaWrapper()) {
                 lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
             }
 
-            using (LsaWrapper lsa = new LsaWrapper("")) {
+            using (LsaWrapper lsa = new LsaWrapper()) {
                 accounts = lsa.GetPrivileges(UserRightsAssignment.SeBatchLogonRight);
             }
 
@@ -108,7 +115,7 @@ namespace TestApp {
 }
 ```
 
-### Example Remote Computer
+### Example Remote Computer (LSA wrapper)
 
 ```csharp
 using System;
@@ -129,7 +136,7 @@ namespace TestApp {
                 Console.WriteLine(account);
             }
 
-            Console.WriteLine("[*] Adding Account to the Server");
+            Console.WriteLine("[*] Granting right to an account");
 
             using (LsaWrapper lsa = new LsaWrapper("AD1")) {
                 lsa.AddPrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
@@ -145,7 +152,7 @@ namespace TestApp {
                 Console.WriteLine(account);
             }
 
-            Console.WriteLine("[*] Accessing AD1 server - Displaying Current");
+            Console.WriteLine("[*] Removing the principal and listing again");
 
             using (LsaWrapper lsa = new LsaWrapper("AD1")) {
                 lsa.RemovePrivileges("EVOTEC\\przemyslaw.klys", UserRightsAssignment.SeBatchLogonRight);
@@ -159,6 +166,75 @@ namespace TestApp {
                 Console.WriteLine(account);
             }
         }
-    }
 }
-```
+}
+```
+
+### Typed, OO API
+
+```csharp
+using LocalSecurityEditor;
+
+// Enumerate all rights (local)
+var all = UserRights.Get();
+foreach (var ura in all) {
+    Console.WriteLine($"{ura.ShortName}: {ura.Count} principals");
+}
+
+// Lazy streaming
+foreach (var ura in new UserRights().EnumerateLazy()) {
+    Console.WriteLine(ura);
+}
+
+// Single right as typed object with principals
+var svc = UserRightsAssignment.SeServiceLogonRight.Get();
+foreach (var p in svc.Principals) {
+    Console.WriteLine($"{p.AccountName} -> {p.SidString}");
+}
+
+// Remote machine catalog
+var allRemote = UserRights.Get("SERVER01");
+
+// Add/Remove/Set via fluent extensions
+UserRightsAssignment.SeBatchLogonRight.Add(@"DOMAIN\\svc_batch");
+UserRightsAssignment.SeBatchLogonRight.Remove(@"DOMAIN\\old_user");
+var result = UserRightsAssignment.SeDenyRemoteInteractiveLogonRight.Set(new[]{ @"DOMAIN\\contractor1", @"DOMAIN\\contractor2"});
+Console.WriteLine(result); // e.g., SeDenyRemoteInteractiveLogonRight: +1 -0
+
+// Batching with a manager (remote)
+using (var ur = new UserRights("SERVER01")) {
+    ur.Add(UserRightsAssignment.SeBatchLogonRight, new [] { @"DOMAIN\\svc_batch" });
+    var summary = ur.Set(UserRightsAssignment.SeServiceLogonRight, new [] { @"DOMAIN\\svc_svc" });
+    Console.WriteLine(summary);
+}
+
+```
+
+### Async APIs
+
+```csharp
+// Single right (local)
+var svc = await new UserRights().GetStateAsync(UserRightsAssignment.SeServiceLogonRight, ct);
+
+// Enumerate all (remote)
+var all = await new UserRights("SERVER01").EnumerateAsync(ct);
+
+// Fluent async extensions
+var svc2 = await UserRightsAssignment.SeServiceLogonRight.GetAsync("SERVER01", ct);
+```
+
+### Thread Safety
+
+- The library is safe to use from multiple tasks.
+- Internally it uses a reader–writer lock:
+  - Reads may run in parallel; writes are exclusive; dispose is exclusive.
+- Prefer reusing a single `UserRights` instance for batching, or create per-task instances for isolation.
+
+### Generate service SIDs
+
+```csharp
+string serviceName = "ADSync";
+string serviceExpectedSid = "S-1-5-80-3245704983-3664226991-764670653-2504430226-901976451";
+string serviceSid = NTService.GenerateSID(serviceName);
+Console.WriteLine($"The SID for the service '{serviceName}' is: {serviceSid} {serviceExpectedSid} {(serviceSid == serviceExpectedSid)}");
+```

CHANGELOG.MD

@@ -1,5 +1,15 @@
 #### LocalSecurityEditor Release History
 
+#### Unreleased
+- Target frameworks: add `net9.0-windows`, keep `net8.0-windows`, `netstandard2.0`; restore `net472` for classic .NET. Dropped obsolete TFMs.
+- Strict policy handling restored: `LsaOpenPolicy` uses `POLICY_ALL_ACCESS` and enumeration throws `UnauthorizedAccessException` on `ACCESS_DENIED` (empty only for `NO_MORE_ENTRIES`).
+- Added async APIs: `GetStateAsync`, `EnumerateAsync`, `GetByRightAsync`, `GetByShortNameAsync`, `AddAsync`, `RemoveAsync`, `SetAsync` and async extension helpers.
+- Performance: cache enum values for `Enumerate`/`GetByRight`/`GetByShortName` to avoid repeated allocations.
+- Naming: `Win32SecurityIdentifier.securityIdentifier` → `SecurityIdentifier` (PascalCase).
+- Thread-safety: mark dispose flags as `volatile` in `UserRights` and `Win32SecurityIdentifier`.
+- Docs: extensive XML documentation for public APIs; README and Assets README updated (targets badge, OO API prominence, async usage, batching tip).
+- Tests: add coverage for `PrincipalInfo.ToString()` and `Win32SecurityIdentifier` pinning (Windows-gated).
+
 #### 0.4.0
 - Add `Net 8.0` support
 - Add `Net 7.0` support
@@ -16,4 +26,4 @@
   - Fixes account/principal transformation that would sometimes cause an error.
 
 #### 0.1.0 - 2022.04.14
-  - First release
+  - First release

Docs/index.md

@@ -7,3 +7,11 @@
 [UserRightsAssignment](./localsecurityeditor.userrightsassignment.md)
 
 [Win32SecurityIdentifier](./localsecurityeditor.win32securityidentifier.md)
+
+## New (Typed) API
+
+[UserRights](./localsecurityeditor.userrights.md)
+
+[UserRightState](./localsecurityeditor.userrightstate.md)
+
+[PrincipalInfo](./localsecurityeditor.principalinfo.md)

Docs/localsecurityeditor.principalinfo.md

@@ -0,0 +1,24 @@
+# PrincipalInfo
+
+Namespace: LocalSecurityEditor
+
+Principal descriptor carrying both SID and name information.
+
+## Properties
+
+- `SidString` (`string`) — SID in SDDL format (e.g., `S-1-5-32-544`)
+- `Domain` (`string`) — may be empty
+- `Name` (`string`) — account name
+- `AccountName` (`string`) — domain-qualified `Domain\Name` when available
+- `Use` (`SidNameUse`) — classification (User, Group, etc.)
+
+## Example
+
+```csharp
+var ura = UserRightsAssignment.SeServiceLogonRight.Get();
+foreach (var p in ura.Principals)
+{
+    Console.WriteLine($"{p.AccountName} ({p.Use}) -> {p.SidString}");
+}
+```
+

Docs/localsecurityeditor.userrights.md

@@ -0,0 +1,45 @@
+# UserRights
+
+Namespace: LocalSecurityEditor
+
+High-level facade for listing and managing User Rights Assignments (URAs).
+
+## Static Methods
+
+`UserRights.Get()`
+
+- Returns: `IReadOnlyList<UserRightState>` — one object per user right with principals.
+
+`UserRights.Get(string systemName)`
+
+- Returns: `IReadOnlyList<UserRightState>` for a remote machine.
+
+## Instance Methods
+
+`Enumerate()` → `IReadOnlyList<UserRightState>`
+
+`GetState(UserRightsAssignment right)` → `UserRightState`
+
+`GetByRight()` → `Dictionary<UserRightsAssignment, UserRightState>`
+
+`GetByShortName(StringComparer comparer = null)` → `Dictionary<string, UserRightState>`
+
+`Add(UserRightsAssignment right, IEnumerable<string> principals)`
+
+`Remove(UserRightsAssignment right, IEnumerable<string> principals)`
+
+`Set(UserRightsAssignment right, IEnumerable<string> principals)` → `UserRightSetResult`
+
+## Examples
+
+```csharp
+// All URAs (local)
+var all = UserRights.Get();
+
+// Single URA
+var svc = new UserRights().GetState(UserRightsAssignment.SeServiceLogonRight);
+
+// Remote
+var allRemote = UserRights.Get("SERVER01");
+```
+

Docs/localsecurityeditor.userrightstate.md

@@ -0,0 +1,26 @@
+# UserRightState
+
+Namespace: LocalSecurityEditor
+
+Represents a configured User Right with its principals.
+
+## Properties
+
+- `Right` (`UserRightsAssignment`)
+- `ShortName` (`string`) — e.g., `SeServiceLogonRight`
+- `Name` (`string`) — friendly name
+- `Description` (`string`)
+- `Principals` (`IReadOnlyList<PrincipalInfo>`)
+- `Count` (`int`) — number of principals
+
+## Example
+
+```csharp
+var svc = UserRightsAssignment.SeServiceLogonRight.Get();
+Console.WriteLine($"{svc.Name} -> {svc.Count}");
+foreach (var p in svc.Principals)
+{
+    Console.WriteLine($"{p.AccountName} ({p.SidString})");
+}
+```
+

LocalSecurityEditor.Examples/LocalSecurityEditor.Examples.csproj

@@ -1,9 +1,19 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
-	<PropertyGroup>
-		<OutputType>Exe</OutputType>
-		<TargetFramework>net8.0</TargetFramework>
-	</PropertyGroup>
+		<PropertyGroup>
+			<OutputType>Exe</OutputType>
+			<TargetFrameworks>net472;net8.0-windows;net9.0-windows</TargetFrameworks>
+		</PropertyGroup>
+
+		<!-- Ensure restore produces runtime-specific assets for CI invoking win-x86 -->
+		<PropertyGroup Condition="'$(TargetFramework)' == 'net472'">
+			<RuntimeIdentifiers>win-x86;win-x64</RuntimeIdentifiers>
+			<LangVersion>latest</LangVersion>
+		</PropertyGroup>
+
+		<ItemGroup Condition="'$(TargetFramework)' == 'net472'">
+			<PackageReference Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.3" PrivateAssets="all" />
+		</ItemGroup>
 
 	<ItemGroup>
 		<ProjectReference Include="..\LocalSecurityEditor\LocalSecurityEditor.csproj" />