The Lsa tool connects to the Local Security Authority on a remote Windows system and lets you translate account names to SIDs and back, enumerate LSA policy accounts and their privileges, create LSA accounts, and grant or revoke privileges and system access rights.
The LSA policy database keys accounts by SID and is independent of the SAM: an account that exists in the SAM (or in Active Directory) has no LSA policy entry until one is created. Even for local accounts, you may therefore need to create the LSA policy account first with createaccount before granting it privileges or system access rights.

Subcommands

Command           Description
whoami            Get the name and domain of the connected user
lookupname        Get the SID for one or more account names
lookupsid         Translate one or more SIDs to their account names
enumaccounts      Enumerate LSA policy accounts
enumprivaccounts  Enumerate accounts that have a specific privilege or user right
createaccount     Create an LSA policy account
getprivs          Get the privileges assigned to an account
getrights         Get the user rights and privileges granted to an account
getsysaccess      Get the system access rights granted to an account
setsysaccess      Set the system access rights granted to an account
addpriv           Add one or more privileges to an account
rmpriv            Remove one or more privileges from an account
For help on any subcommand, run Lsa <subcommand> -h.

Common options

All Lsa subcommands share these authentication and connection options:
-UserName (-u)
UserPrincipalName
User name to authenticate with (not including the domain).
-UserDomain (-ud)
string
Domain of the authenticating user.
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for pass-the-hash authentication.
-Anonymous
boolean
Use anonymous login.
-Kdc (-K)
host:port
KDC endpoint. Required to enable Kerberos.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-AesKey
HexString
AES-128 or AES-256 Kerberos key.
-HostAddress (-ha)
string[]
Override network address(es) of the server.
-UseTcp4Only (-4)
boolean
Use TCP over IPv4 only.
-UseTcp6Only (-6)
boolean
Use TCP over IPv6 only.
-EncryptRpc
boolean
Encrypt RPC messages.
-PreferSmb
boolean
Connect over a named pipe instead of TCP when supported.
-Socks5
host:port
SOCKS5 proxy endpoint.

whoami

Returns the name and domain of the user account used to authenticate to the LSA.
Lsa whoami [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-OutputFields
string[]
Fields to display. Available: WireName, UserName, Realm, OriginalText, NameType, NamePartCount.

Examples

Lsa whoami LUMON-FS1 -UserName milchick -Password Br3@kr00m!

lookupname

Translates one or more account names to their SIDs. Accepts multiple names in a single call.
Lsa lookupname [options] <ServerName> <AccountNames>
ServerName
string
required
RPC server to interact with.
AccountNames
string[]
required
One or more account names to look up.
-OutputFields
string[]
Fields to display. Available: AccountName, NameType, DomainName, DomainSid, AccountRid, AccountSid.

Examples

Lsa lookupname LUMON-FS1 -UserName milchick -Password Br3@kr00m! marks milchick

lookupsid

Translates one or more SIDs to their account names. Accepts multiple SIDs in a single call.
Lsa lookupsid [options] <ServerName> <Sids>
ServerName
string
required
RPC server to interact with.
Sids
SecurityIdentifier[]
required
One or more SIDs to translate.
-OutputFields
string[]
Fields to display. Available: AccountName, NameType, DomainName, DomainSid, AccountRid, AccountSid.

Examples

Lsa lookupsid LUMON-FS1 -UserName milchick -Password Br3@kr00m! S-1-5-21-1752138614-393460150-3098146133-1103 S-1-5-21-1752138614-393460150-3098146133-1107
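The lookupname and lookupsid subcommands report each result as an AccountSid together with a DomainSid and AccountRid. The following is an added example, not code from the Lsa tool or this page, that shows how those fields relate: it parses the textual SID, splits it into the domain SID and RID, and encodes or decodes the binary layout from MS-DTYP 2.4.2 that LSA RPC messages carry. The splitting rule (last sub-authority is the RID, the rest is the domain SID) is an assumption stated in the code; the SIDs in the demo are the ones from the lookupsid example above plus BUILTIN\Administrators.

```python
"""SID parsing and DomainSid/AccountRid splitting, as an added example.

Not code from the Lsa tool or its documentation. It models the fields
lookupname and lookupsid report (AccountSid, DomainSid, AccountRid) and the
binary SID layout from MS-DTYP 2.4.2 carried in LSA RPC calls. Assumption:
the RID is the last sub-authority and the domain SID is the remainder, which
is how LSA presents S-1-5-32-544 (BUILTIN, RID 544) and domain accounts
(S-1-5-21-..., RID 1103).
"""
import struct

SID_MAX_SUB_AUTHORITIES = 15  # limit from MS-DTYP 2.4.2


def parse_sid(text: str) -> tuple[int, list[int]]:
    """Return (identifier authority, [sub-authorities]) for an 'S-1-...' string."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {text!r}") from None
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"component out of range in {text!r}")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities in {text!r}")
    return authority, subs


def format_sid(authority: int, subs: list[int]) -> str:
    return "-".join(["S", "1", str(authority), *(str(s) for s in subs)])


def sid_to_bytes(text: str) -> bytes:
    """Encode in the wire layout: revision, sub-authority count,
    48-bit big-endian authority, then 32-bit little-endian sub-authorities."""
    authority, subs = parse_sid(text)
    blob = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(blob: bytes) -> str:
    """Decode the wire layout back to a string, validating the count field
    against the blob length before trusting it."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than its 8-byte header")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from(f"<{count}I", blob, 8))
    return format_sid(authority, subs)


def split_sid(text: str) -> dict:
    """Split an account SID into the DomainSid and AccountRid the lookup commands show."""
    authority, subs = parse_sid(text)
    if not subs:
        raise ValueError(f"{text} has no RID to split off")
    return {
        "AccountSid": format_sid(authority, subs),
        "DomainSid": format_sid(authority, subs[:-1]),
        "AccountRid": subs[-1],
    }


if __name__ == "__main__":
    # SIDs from the lookupsid example above plus BUILTIN\Administrators.
    for sid in ("S-1-5-21-1752138614-393460150-3098146133-1103", "S-1-5-32-544"):
        info = split_sid(sid)
        wire = sid_to_bytes(sid)
        assert sid_from_bytes(wire) == sid
        print(f"{sid}: domain={info['DomainSid']} rid={info['AccountRid']} wire={wire.hex()}")
```

The length check in sid_from_bytes matters when you handle SIDs taken from untrusted RPC replies or captures: the sub-authority count byte is what an attacker controls, so it is validated against the actual blob length rather than used to index into it.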

enumaccounts

Enumerates the accounts in the LSA policy database. By default only SIDs are returned. Use -OutputFields to include account and domain names; resolving them costs additional SID-to-name lookup calls against the server.
Lsa enumaccounts [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-OutputFields
string[]
Fields to display. Available: Sid, AccountName, DomainName.

Examples

# List account SIDs only
Lsa enumaccounts LUMON-FS1 -UserName milchick -Password Br3@kr00m!

# Include account and domain names
Lsa enumaccounts LUMON-FS1 -UserName milchick -Password Br3@kr00m! -OutputFields Sid,AccountName,DomainName

enumprivaccounts

Enumerates accounts that hold a specific privilege or user right.
Lsa enumprivaccounts [options] -Privilege <String> <ServerName>
ServerName
string
required
RPC server to interact with.
-Privilege
string
required
Name of the privilege or user right to search for. Examples: SeInteractiveLogonRight, SeDebugPrivilege, SeBackupPrivilege.
-OutputFields
string[]
Fields to display. Available: Sid, AccountName, DomainName.

Examples

Lsa enumprivaccounts LUMON-FS1 -UserName milchick -Password Br3@kr00m! -Privilege SeInteractiveLogonRight

createaccount

Creates an LSA policy account for the given SID. This is required before you can grant privileges or access rights to an account that doesn’t yet have an LSA entry.
Lsa createaccount [options] <ServerName> <Sid>
ServerName
string
required
RPC server to interact with.
Sid
SecurityIdentifier
required
SID of the account to create.

Examples

Lsa createaccount LUMON-FS1 -UserName milchick -Password Br3@kr00m! S-1-5-32-646

getprivs

Gets the privileges assigned to an account. Specify the account by SID (-BySid) or name (-ByName). One of these options is required. By default, only the names of well-known privileges are resolved. To retrieve names for all privileges, add PrivilegeName to -OutputFields.
Lsa getprivs [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.
-OutputFields
string[]
Fields to display. Available: Privilege, Attributes, PrivilegeName.

Examples

# Look up by SID
Lsa getprivs LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-544

# Look up by name
Lsa getprivs LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrator

# Include resolved privilege names
Lsa getprivs LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrator -OutputFields Privilege,PrivilegeName

getrights

Gets all user rights and privileges granted to an account. Specify the account by SID (-BySid) or name (-ByName).
Lsa getrights [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.
-OutputFields
string[]
Fields to display. Available: Name.

Examples

Lsa getrights LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-544
Lsa getrights LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrators

getsysaccess

Gets the system access rights granted to an account. Specify the account by SID (-BySid) or name (-ByName).
Lsa getsysaccess [options] <ServerName>
ServerName
string
required
RPC server to interact with.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.
-OutputFields
string[]
Fields to display. Available: Value.

Examples

Lsa getsysaccess LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-544
Lsa getsysaccess LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrators

setsysaccess

Sets the system access rights (logon rights) granted to an account. By default, the specified rights are added to any already granted. Use -Reset to clear the existing rights and grant only the rights specified; to remove all rights, use -Reset with 0. System access rights include logon rights such as SeInteractiveLogonRight and SeServiceLogonRight and their SeDeny* counterparts. Because -Reset replaces the whole set in one call, resetting a built-in group such as Administrators to a single right also removes its interactive, network and remote interactive logon rights; check the current set with getsysaccess before using -Reset.
Lsa setsysaccess [options] <ServerName> <Rights>
ServerName
string
required
RPC server to interact with.
Rights
SystemAccessRights[]
required
Access rights to grant. Possible values: SeInteractiveLogonRight, SeNetworkLogonRight, SeBatchLogonRight, SeServiceLogonRight, SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight, SeDenyBatchLogonRight, SeDenyServiceLogonRight, SeRemoteInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.
-Reset
boolean
Clear any existing rights before applying the specified ones.

Examples

Lsa setsysaccess LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-544 SeBatchLogonRight
Lsa setsysaccess LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrators SeBatchLogonRight
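The merge-versus-reset behaviour described above is easy to get wrong when you script it. The following is an added example, not code from the Lsa tool, that models the system access rights as the bitmask getsysaccess and setsysaccess read and write: parse_rights turns the <Rights> positional (names or a numeric mask such as 0) into a mask, apply_setsysaccess reproduces the documented merge and -Reset semantics, and can_logon encodes the Windows rule that a deny right overrides its matching allow right. The bit values are the POLICY_MODE_* flags from MS-LSAD 2.2.1.2; the starting mask in the demo is constructed, not the real default for Administrators.

```python
"""System access rights as the bitmask getsysaccess/setsysaccess operate on.

Added example, not code from the Lsa tool. Bit values are the POLICY_MODE_*
flags from MS-LSAD 2.2.1.2 (POLICY_SYSTEM_ACCESS_MODE); the proxy bit 0x20
is omitted because the tool does not expose it. apply_setsysaccess mirrors
the documented behaviour: rights are ORed into the existing set unless
-Reset is given, in which case they replace it, and -Reset with 0 clears it.
"""
from enum import IntFlag


class SystemAccessRights(IntFlag):
    SeInteractiveLogonRight = 0x0001
    SeNetworkLogonRight = 0x0002
    SeBatchLogonRight = 0x0004
    SeServiceLogonRight = 0x0010
    SeDenyInteractiveLogonRight = 0x0040
    SeDenyNetworkLogonRight = 0x0080
    SeDenyBatchLogonRight = 0x0100
    SeDenyServiceLogonRight = 0x0200
    SeRemoteInteractiveLogonRight = 0x0400
    SeDenyRemoteInteractiveLogonRight = 0x0800


R = SystemAccessRights
ALL_KNOWN = sum(m.value for m in R)
# Each allow right and the deny right that overrides it at logon time.
DENY_FOR = {
    R.SeInteractiveLogonRight: R.SeDenyInteractiveLogonRight,
    R.SeNetworkLogonRight: R.SeDenyNetworkLogonRight,
    R.SeBatchLogonRight: R.SeDenyBatchLogonRight,
    R.SeServiceLogonRight: R.SeDenyServiceLogonRight,
    R.SeRemoteInteractiveLogonRight: R.SeDenyRemoteInteractiveLogonRight,
}


def parse_rights(tokens) -> R:
    """Parse the <Rights> positional: right names, or a numeric mask such as 0."""
    mask = R(0)
    for tok in tokens:
        if tok.isdigit():
            value = int(tok)
            if value & ~ALL_KNOWN:
                raise ValueError(f"unknown system access bits in {tok}")
            mask |= R(value)
        else:
            try:
                mask |= R[tok]
            except KeyError:
                raise ValueError(f"unknown system access right {tok!r}") from None
    return mask


def apply_setsysaccess(current: R, requested: R, reset: bool = False) -> R:
    """Mask after 'setsysaccess <Rights>' (merge) or 'setsysaccess -Reset <Rights>' (replace)."""
    return requested if reset else current | requested


def can_logon(mask: R, right: R) -> bool:
    """True if the allow right is set and its deny counterpart is not (deny wins)."""
    return bool(mask & right) and not bool(mask & DENY_FOR[right])


def names(mask: R) -> list[str]:
    return [m.name for m in R if m in mask]


if __name__ == "__main__":
    # Constructed starting set for the demo, not the real default for Administrators.
    start = R.SeInteractiveLogonRight | R.SeNetworkLogonRight | R.SeRemoteInteractiveLogonRight
    batch = parse_rights(["SeBatchLogonRight"])
    print("merge :", names(apply_setsysaccess(start, batch)))
    print("reset :", names(apply_setsysaccess(start, batch, reset=True)))
    print("clear :", names(apply_setsysaccess(start, parse_rights(["0"]), reset=True)))
    denied = apply_setsysaccess(start, parse_rights(["SeDenyInteractiveLogonRight"]))
    print("interactive logon still allowed:", can_logon(denied, R.SeInteractiveLogonRight))
```

The reset case is the one to watch: the same SeBatchLogonRight argument that adds a right in merge mode leaves the account with only that right once -Reset is given, and adding a SeDeny* right without removing the allow right still blocks the logon.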

addpriv

Adds one or more privileges to an account. Specify the account by SID (-BySid) or name (-ByName). Privilege names can be symbolic (e.g. SeLoadDriverPrivilege) or numeric 64-bit integers. For predefined privileges, you may omit the Privilege suffix (e.g. SeLoadDriver instead of SeLoadDriverPrivilege). If the name is not predefined, it is resolved with the remote LSA.
This command cannot be used to grant user rights (logon rights). Use setsysaccess for that.
Lsa addpriv [options] <ServerName> <Privileges>
ServerName
string
required
RPC server to interact with.
Privileges
string[]
required
Names or numeric values of the privileges to add. Examples: SeLoadDriverPrivilege, SeTcbPrivilege, SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeImpersonatePrivilege.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.

Examples

# Add privileges by account name
Lsa addpriv LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrators SeLoadDriver SeTcb

# Add privileges by SID
Lsa addpriv LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-646 SeLoadDriver SeTcb

rmpriv

Removes one or more privileges from an account. To remove all privileges, specify * (escape as needed in your shell). Specify the account by SID (-BySid) or name (-ByName).
This command cannot be used to remove user rights (logon rights).
Lsa rmpriv [options] <ServerName> <Privileges>
ServerName
string
required
RPC server to interact with.
Privileges
string[]
required
Names or numeric values of the privileges to remove. Use * to remove all privileges.
-BySid
SecurityIdentifier
SID of the account.
-ByName
string
Name of the account.

Examples

# Remove a privilege by account name
Lsa rmpriv LUMON-FS1 -UserName milchick -Password Br3@kr00m! -ByName Administrators SeTcb

# Remove a privilege by SID
Lsa rmpriv LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-646 SeTcb

# Remove all privileges
Lsa rmpriv LUMON-FS1 -UserName milchick -Password Br3@kr00m! -BySid S-1-5-32-646 "*"

  • Sam — enumerate users, groups, and aliases from the SAM database
  • Kerb — Kerberos authentication operations
