Powershell/Private/SecurityPolicy/Get-DenyLogonSidList.ps1

function Get-DenyLogonSidList {
    [CmdletBinding()]
    [OutputType([System.Object[]])]
    param (
        [Parameter(Mandatory = $false)]
        [System.String]
        $Privilege = 'SeDenyInteractiveLogonRight'
    )

    process {
        $tempDir = "$(Get-WindowsDrive)\Windows\Temp\JCADMU"
        if (-not (Test-Path $tempDir)) {
            New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
        }
        $exportInf = Join-Path $tempDir "secedit_export_$([guid]::NewGuid().ToString('N')).inf"
        try {
            $seceditOutput = & secedit /export /areas USER_RIGHTS /cfg "$exportInf" 2>&1
            if (($LASTEXITCODE -ne 0) -or (-not (Test-Path $exportInf))) {
                $outputText = ($seceditOutput | Out-String).Trim()
                throw "secedit /export failed (exit code $LASTEXITCODE). $outputText`nCommon cause: the session is not elevated (reading the user-rights policy requires an Administrator session)."
            }
            $line = Select-String -Path $exportInf -Pattern "^\s*$Privilege\s*=" -ErrorAction SilentlyContinue | Select-Object -First 1
            $sids = @()
            if ($line) {
                $value = ($line.Line -split '=', 2)[1].Trim()
                if (-not [string]::IsNullOrWhiteSpace($value)) {
                    $tokens = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                    # Normalize every entry to a bare SID: strip the '*' prefix from SID tokens, and
                    # translate account names to a SID via Convert-UserName (which returns the input
                    # unchanged if it cannot resolve).
                    $sids = @($tokens | ForEach-Object {
                            if ($_.StartsWith('*')) {
                                $_.Substring(1)
                            } else {
                                Convert-UserName -user $_
                            }
                        })
                }
            }
            return $sids
        } finally {
            if (Test-Path $exportInf) {
                Remove-Item $exportInf -Force -ErrorAction SilentlyContinue
            }
        }
    }
}