LogonSessionId account assigned Read access in new certificates?
I have a question that (hopefully) someone can shed some light on. I was writing a PowerShell script that would import a certificate to the Local Machine store and assign the Everyone group Read permissions to the private keys of the certificate.

Now, I do have a working script that does accomplish this, but I've noticed that I have an account called "LogonSessionId_0_some-random-number" assigned Read permissions to the ACL on the private keys as shown in the following image:

[image: LogonSessionID in ACL]

At first I thought this was my script maybe doing this, but when I manually import the certificate I get the same result.

Has anyone seen this before or know why this is happening? What exactly is this account and why are permissions being assigned? I've tried to search for some answers on this but have come up short.

Not sure if it helps, but this is the portion of my code that imports the certificate and assigns the permissions:

    # Find the certificate in the machine store ($getCerts holds the subject pattern to match)
    $sslCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $getCerts }
    $sslCertPrivKey = $sslCert.PrivateKey
    # Map the CSP key container name to its backing file under MachineKeys
    $privKeyCertFile = Get-Item -Path "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" |
        Where-Object { $_.Name -eq $sslCertPrivKey.CspKeyContainerInfo.UniqueKeyContainerName }
    # Read the current ACL, add an Allow/Read ACE for Everyone and write it back
    $privKeyAcl = (Get-Item -Path $privKeyCertFile.FullName).GetAccessControl("Access")
    $permission = "Everyone", "Read", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $privKeyAcl.AddAccessRule($accessRule)
    Set-Acl -Path $privKeyCertFile.FullName -AclObject $privKeyAcl

I'm using Windows 10 Pro.

Any help/insight is greatly appreciated!

Bit answered 17/2, 2016 at 22:03

Comments:

You'd need to check the numerical form of the SID to be sure, but presumably that's a logon session SID (S-1-5-5-X-Y). Whenever you log on, or, more generally, whenever an interactive authentication occurs, a logon session ID and an associated SID are generated. These are typically used to give all the processes in a particular logon session the access they need to the window station and desktop objects required to display a GUI. (I don't know why the logon session SID would be given access in this situation.) - Boot

Thanks Harry Johnston! I think this is what is happening, and I'm still not sure why this account is being given access either. I took a look on another one of my production servers and noticed the same thing happens when I import a certificate there as well... this is on a Win 2K8 R2 OS. Anyways, I think I will just have to manually edit this account as needed or just leave it be. - Bit

In this case, since you're giving Read permission to Everyone, the extra permission is redundant. You may as well ignore it. - Boot

"You'd need to check the numerical form of the SID to be sure." Five years later, similar problem. But how do I get the SID? I have tried the usual wmic commands (e.g. `wmic useraccount where name='LogonSessionId_0_401541' get sid`), but all experiments lead only to something like "No Instance(s) Available". (Unimportant detail: I need that user's SID because I have to replace that user in the ACLs in a large file tree.) - Cupid
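The comments above turn on two practical questions: how to see the private key ACL in raw SID form (so a "LogonSessionId_0_..." entry can be recognised as an S-1-5-5-X-Y logon session SID even after the name no longer resolves), and how to grant a principal Read on the key file. The following PowerShell is an added example, not code from the original post or its answers. It assumes you run elevated, that exactly one certificate in Cert:\LocalMachine\My matches the placeholder $SubjectPattern, and that $Principal is the account you actually want to grant; both values are assumptions to adjust. Unlike the original script it also handles CNG (KSP) keys, whose files live under Microsoft\Crypto\Keys rather than RSA\MachineKeys. Note that granting Everyone read on a private key lets any local process export or use it; the example grants a single service account instead.

```powershell
# Added example (not part of the original post). Locate the file backing a
# machine certificate's private key, list its ACL with raw SIDs, flag logon
# session SIDs (S-1-5-5-X-Y), and grant one principal Read on the key.
$SubjectPattern = 'CN=example\.local'             # assumption: your cert subject
$Principal      = 'NT AUTHORITY\NETWORK SERVICE'  # assumption: account needing the key

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # Legacy CSP key: the container name maps to RSA\MachineKeys\<name>.
    # .NET Framework throws on .PrivateKey for CNG-backed certs, so probe in a try.
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { }
    if ($csp -and $csp.CspKeyContainerInfo) {
        $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
        return Get-Item -Path (Join-Path $base "RSA\MachineKeys\$name")
    }
    # CNG key: CngKey.UniqueName maps to Keys\<name> (needs .NET 4.6+ / PowerShell 5).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Get-Item -Path (Join-Path $base "Keys\$($rsa.Key.UniqueName)")
    }
    throw "No file-backed private key found for $($Cert.Thumbprint)"
}

function Get-KeyFileAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for rules keyed by SecurityIdentifier: a logon session SID whose
    # session is gone still comes back as its raw S-1-5-5-X-Y value.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $rule.IdentityReference.Value
        $name = '<unresolved>'
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid               = $sid
            Name              = $name
            Rights            = $rule.FileSystemRights
            Type              = $rule.AccessControlType
            Inherited         = $rule.IsInherited
            IsLogonSessionSid = ($sid -like 'S-1-5-5-*')
        }
    }
}

function Grant-KeyRead {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [switch]$RemoveLogonSessionAces
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($RemoveLogonSessionAces) {
        # Drop only explicit (non-inherited) ACEs held by logon session SIDs.
        foreach ($r in $acl.GetAccessRules($false, $false, [System.Security.Principal.SecurityIdentifier])) {
            if ($r.IdentityReference.Value -like 'S-1-5-5-*') { [void]$acl.RemoveAccessRule($r) }
        }
    }
    Set-Acl -Path $Path -AclObject $acl
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $SubjectPattern } | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectPattern' in LocalMachine\My" }
$keyFile = Get-PrivateKeyFile -Cert $cert
"Key file: $($keyFile.FullName)"
Get-KeyFileAce -Path $keyFile.FullName | Format-Table -AutoSize
Grant-KeyRead -Path $keyFile.FullName -Identity $Principal -RemoveLogonSessionAces
# After the change, no explicit logon session ACE should remain:
Get-KeyFileAce -Path $keyFile.FullName | Where-Object IsLogonSessionSid | Format-Table -AutoSize
```

The first Get-KeyFileAce listing answers the "how do I get the SID" question without wmic: the logon session entry shows up with Sid starting S-1-5-5- and, once that session has ended, Name as "<unresolved>", which is why lookups by account name fail. The -RemoveLogonSessionAces switch is optional; as noted in the comments the entry is redundant if a broader grant already covers the consumer, and removing it only tidies the ACL.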

It's because you have different scopes. When you add something at the machine level, by default it gives all users read permissions. Everyone with access to that computer will be able to see the certificate. You don't need to explicitly give users read access for a machine-level certificate. It's like when you install some programs and they ask "Install for all users?" If you say yes, it installs at the machine level and everyone can use it; otherwise it installs for just you, and logging in with a different user means they won't have access.

Comment out the user-specific part of your script to test what I'm saying; you'll notice all users are given read-only access and things will work as expected.

Centuplicate answered 19/7, 2019 at 19:39

Change this: `$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission` to this: `$accessRule = New-Object Security.AccessControl.FileSystemAccessRule $permission`

Deserted answered 14/4, 2023 at 5:58

Comment:

As it's currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Granger

© 2022 - 2024 — McMap. All rights reserved.