# Power Elevate

Principle of Least Privilege, made practical.

Power Elevate is a PowerShell toolkit that helps Windows administrators provision, audit, and document user permissions using the minimum required access, rather than defaulting to local Administrator membership.
- [Overview](#overview)
- [Prerequisites](#prerequisites)
- [Repository Layout](#repository-layout)
- [Quick Start](#quick-start)
- [Components](#components)
- [Profile Schema](#profile-schema)
- [Bundled Dependencies](#bundled-dependencies)
- [Contributing](#contributing)
- [License](#license)
## Overview

| Problem | Power Elevate Answer |
|---|---|
| "I don't know what permissions to give this service account." | PE-MAP — look up the role and get the exact privileges needed. |
| "I need to document a user's current permissions." | PE-PROF — export a live permission snapshot to JSON/YAML. |
| "Has this account drifted from its approved baseline?" | PE-PROF Compare-PEProfile — diff live state vs. saved profile. |
| "What does this user actually have access to on this machine?" | PE-SPY — full audit: local groups, privileges, NTFS, services, registry. |
| "Which users are over-privileged across my estate?" | PE-PG — multi-machine privilege graph with risk scoring. |
| "I want one place to launch all the tools." | PE-MAN — interactive console menu. |
## Prerequisites

| Requirement | Version |
|---|---|
| PowerShell | 5.1 or later (Windows PowerShell or PowerShell 7+) |
| Operating System | Windows 7 / Server 2008 R2 or later |
| Permissions | Standard user for read-only auditing; local Administrator for secedit privilege queries and service ACL reads |

Note: The bundled Carbon PowerShell module (`resources/bin/carbon`) is loaded automatically on Windows when available. All core functions degrade gracefully if Carbon cannot be loaded (e.g., in CI environments).
## Repository Layout

```text
PowerElevate/
├── README.md                      ← You are here
├── LICENSE
├── power_elevate/
│   ├── shared/
│   │   └── PE-Shared.psm1         ← Common helpers used by all tools
│   ├── spyglass/
│   │   ├── PE-SPY.psm1            ← PE-SPY module
│   │   └── PE-SPY.ps1             ← PE-SPY entry-point script
│   ├── profiler_tool/
│   │   ├── PE-PROF.psm1           ← PE-PROF module
│   │   └── PE-PROF.ps1            ← PE-PROF entry-point script
│   ├── mapping_tool/
│   │   ├── PE-MAP.psm1            ← PE-MAP module
│   │   ├── PE-MAP.ps1             ← PE-MAP entry-point script
│   │   └── roles-catalog.json     ← Built-in role definitions
│   ├── privilege_graph/
│   │   ├── PE-PG.psm1             ← PE-PG module
│   │   └── PE-PG.ps1              ← PE-PG entry-point script
│   ├── management_centre/
│   │   └── PE-MAN.ps1             ← Interactive launcher
│   └── profiles/
│       └── example-backup-operator.json
└── resources/
    └── bin/
        └── carbon/                ← Carbon PowerShell module v2.11.2
```
## Quick Start

```powershell
# 1. Clone / download the repository
# 2. Open PowerShell as Administrator for full functionality

# Launch the interactive Management Centre
.\power_elevate\management_centre\PE-MAN.ps1

# — OR — use tools individually:

# Audit a user's permissions on the local machine
.\power_elevate\spyglass\PE-SPY.ps1 -Username jsmith

# Export a permission baseline profile
.\power_elevate\profiler_tool\PE-PROF.ps1 -Action Export `
    -Username svc_backup -ProfileName BackupSvc `
    -OutputPath C:\Profiles\backup.json

# Look up the least-privilege requirements for a role
.\power_elevate\mapping_tool\PE-MAP.ps1 -Action GetRole -RoleName BackupOperator

# Build a privilege graph for several users
.\power_elevate\privilege_graph\PE-PG.ps1 `
    -Usernames jsmith,svc_backup `
    -ComputerNames SRV01,SRV02 `
    -Format HTML -OutputPath C:\Reports\graph.html
```

## Components

### PE-MAN

File: `power_elevate/management_centre/PE-MAN.ps1`
An interactive, menu-driven launcher for all PowerElevate tools. Run it with no arguments to enter the guided console UI.
```powershell
.\power_elevate\management_centre\PE-MAN.ps1
```

See `management_centre/README.MD` for full documentation.
### PE-SPY

Files: `power_elevate/spyglass/PE-SPY.psm1`, `PE-SPY.ps1`
Audits every permission dimension for a user on a given machine:
- Local group memberships
- Windows privilege/user-right assignments (via `secedit`)
- NTFS ACEs on key system paths
- Service security descriptors
- Registry key ACLs
Output formats: Console (coloured), JSON, HTML report.
```powershell
# Console audit
Invoke-PESpyglass -Username jsmith

# Save an HTML report
Invoke-PESpyglass -Username svc_backup -Format HTML -OutputPath C:\Reports\spy.html
```

See `spyglass/README.MD` for full documentation.
### PE-PROF

Files: `power_elevate/profiler_tool/PE-PROF.psm1`, `PE-PROF.ps1`
Captures, stores, and compares permission profiles:
| Function | Purpose |
|---|---|
| `Export-PEProfile` | Snapshot a user's live permissions to JSON/YAML |
| `Import-PEProfile` | Load a saved profile from disk |
| `Compare-PEProfile` | Diff live permissions against a saved baseline |
| `New-PEProfile` | Create a blank profile template |
```powershell
# Capture baseline
Export-PEProfile -Username svc_web -ProfileName WebApp -OutputPath .\web.json

# Compare after a change
Compare-PEProfile -Username svc_web -ProfilePath .\web.json
```

See `profiler_tool/README.MD` for full documentation.
### PE-MAP

Files: `power_elevate/mapping_tool/PE-MAP.psm1`, `PE-MAP.ps1`, `roles-catalog.json`
Answers "what permissions does this role actually need?" using a curated catalog of 10 built-in Windows roles:
BackupOperator · FileServerAdmin · PrintOperator · EventLogReader · DnsAdmin · SQLServiceAccount · IISApplicationPool · RemoteDesktopUser · TaskSchedulerAdmin · ServiceAccountGeneric
```powershell
# List all roles
Get-PEAllRoles

# Get detailed mapping for a role
Get-PERoleMapping -RoleName BackupOperator

# Search by keyword
Search-PERoleMapping -Keyword SeImpersonate

# Generate a PE-PROF profile from a role
New-PERoleProfile -RoleName IISApplicationPool -Username 'IIS AppPool\MyApp' -OutputPath .\iis.json
```

See `mapping_tool/README.MD` for full documentation.
### PE-PG

Files: `power_elevate/privilege_graph/PE-PG.psm1`, `PE-PG.ps1`
Builds a privilege graph across multiple users and machines with automatic risk scoring:
| Risk Level | Criteria |
|---|---|
| Critical | Score ≥ 15 (e.g., member of Administrators + high-impact privileges) |
| High | Score ≥ 8 |
| Medium | Score ≥ 4 |
| Low | Score < 4 |
```powershell
# Quick console overview
Get-PEPrivilegeGraph -Usernames jsmith,admin -ComputerNames SRV01,SRV02

# HTML report across the estate
Get-PEPrivilegeGraph -Usernames $allUsers -Format HTML -OutputPath C:\Reports\estate.html

# Find all elevated users on a server
Get-PEPrivilegedUsers -ComputerName SRV01
```

See `privilege_graph/README.MD` for full documentation.
## Profile Schema

A PE profile is a JSON document used by PE-PROF and PE-MAP. Key fields:
```json
{
  "profileVersion": "1.0",
  "schemaVersion": "1.0",
  "metadata": {
    "profileName": "...",
    "description": "...",
    "roleBasis": "...",
    "createdBy": "PE-PROF | PE-MAP",
    "createdAt": "<ISO-8601>",
    "computer": "...",
    "username": "...",
    "domain": "..."
  },
  "localGroups": ["Backup Operators"],
  "privileges": ["SeBackupPrivilege"],
  "ntfsPermissions": [{ "path": "...", "fileSystemRights": "...", ... }],
  "servicePermissions": [],
  "registryPermissions": [{ "keyPath": "...", "registryRights": "...", ... }],
  "auditNotes": ["..."]
}
```

See `profiles/README.MD` for the full schema reference and `profiles/example-backup-operator.json` for a worked example.
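As an added example (not PowerElevate's own `Compare-PEProfile`), this is the baseline-vs-live drift check described under PE-PROF, written against the schema above. The two profiles and the `Get-ProfileDrift` function are constructed here for illustration; in practice the live side would come from `Export-PEProfile`.

```powershell
# Added example, not PowerElevate code: detect drift between a saved PE profile and a
# live snapshot, both in the Profile Schema above. Both documents are constructed
# inline so this runs without touching the OS; in practice the live side would come
# from Export-PEProfile and the baseline from disk.
$baselineJson = @'
{ "schemaVersion": "1.0",
  "metadata": { "profileName": "BackupSvc", "username": "svc_backup", "createdBy": "PE-PROF" },
  "localGroups": ["Backup Operators"],
  "privileges": ["SeBackupPrivilege", "SeRestorePrivilege"],
  "ntfsPermissions": [{ "path": "D:\\Backups", "fileSystemRights": "Modify" }],
  "servicePermissions": [], "registryPermissions": [], "auditNotes": ["approved baseline"] }
'@
$liveJson = @'
{ "schemaVersion": "1.0",
  "metadata": { "profileName": "BackupSvc", "username": "svc_backup", "createdBy": "PE-PROF" },
  "localGroups": ["Backup Operators", "Administrators"],
  "privileges": ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"],
  "ntfsPermissions": [{ "path": "D:\\Backups", "fileSystemRights": "FullControl" }],
  "servicePermissions": [], "registryPermissions": [], "auditNotes": [] }
'@

function Get-ProfileDrift {
    param([string]$BaselineJson, [string]$LiveJson)
    $base = $BaselineJson | ConvertFrom-Json
    $live = $LiveJson     | ConvertFrom-Json
    if ($base.schemaVersion -ne $live.schemaVersion) {
        throw "Schema mismatch: baseline $($base.schemaVersion) vs live $($live.schemaVersion)"
    }
    # Flatten each dimension to plain strings so set differences are exact.
    # NTFS entries are keyed on path + rights, so a rights change shows as REMOVED + ADDED.
    $dims = [ordered]@{
        localGroups     = { param($p) @($p.localGroups) }
        privileges      = { param($p) @($p.privileges) }
        ntfsPermissions = { param($p) @($p.ntfsPermissions | ForEach-Object { "$($_.path) => $($_.fileSystemRights)" }) }
    }
    foreach ($name in $dims.Keys) {
        $b = @(& $dims[$name] $base)
        $l = @(& $dims[$name] $live)
        # Anything present live but absent from the approved baseline is a privilege gain.
        foreach ($v in @($l | Where-Object { $b -notcontains $_ })) {
            [pscustomobject]@{ Dimension = $name; Change = 'ADDED'; Value = $v }
        }
        foreach ($v in @($b | Where-Object { $l -notcontains $_ })) {
            [pscustomobject]@{ Dimension = $name; Change = 'REMOVED'; Value = $v }
        }
    }
}

Get-ProfileDrift -BaselineJson $baselineJson -LiveJson $liveJson | Format-Table -AutoSize
```

Rows marked ADDED are the ones to triage first: they are rights the approved baseline never granted, and in this constructed sample they include Administrators membership and SeDebugPrivilege.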
## Bundled Dependencies

| Dependency | Version | Location | License |
|---|---|---|---|
| Carbon | 2.11.2 | `resources/bin/carbon/` | Apache 2.0 |
Carbon is an optional Windows PowerShell module used for advanced ACL and privilege management. It is loaded automatically when running on Windows; all PE functions degrade gracefully when it is unavailable.
## Contributing

- Fork the repository and create a feature branch.
- Add or update scripts under `power_elevate/`.
- Ensure any new public functions include comment-based help (`.SYNOPSIS`, `.DESCRIPTION`, `.PARAMETER`, `.EXAMPLE`).
- Update the relevant component `README.MD` with new usage examples.
- Submit a pull request with a clear description of the change.
## License

This project is licensed under the terms in the LICENSE file.