Powershell/Private/SecurityPolicy/Set-DenyLogonSidList.ps1

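function Set-DenyLogonSidList {
    <#
    .SYNOPSIS
        Sets a user-rights assignment (by default SeDenyInteractiveLogonRight) with secedit.
    .DESCRIPTION
        Builds a minimal security template (.inf) whose [Privilege Rights] section assigns
        $Privilege to the supplied principals, then runs
        `secedit /configure ... /areas USER_RIGHTS` against it.

        Entries are trimmed and blank entries are dropped. An entry that looks like a SID
        (starts with 'S-' followed by a digit) is re-emitted as '*<SID>', the form secedit
        expects for SIDs; any other entry (an unresolved account name) is written into the
        template verbatim. An empty list clears the right entirely.

        NOTE(review): non-SID entries and $Privilege are interpolated into the template as-is,
        so they should only ever come from a trusted source - confirm against the callers.

        A non-zero secedit exit code is reported through Write-ToLog (together with the
        secedit log text) but is NOT thrown, so callers cannot detect failure from the return.
        The template, database and log live under <WindowsDrive>\Windows\Temp\JCADMU and are
        removed in the finally block on every exit path, including when secedit itself throws
        (e.g. the executable is not found).
    .PARAMETER SidList
        Principals to assign to the right. May be empty, which clears the right.
    .PARAMETER Privilege
        The user-right constant to set. Defaults to 'SeDenyInteractiveLogonRight'.
    .OUTPUTS
        None.
    .NOTES
        secedit /configure is expected to fail in a non-elevated session; that failure is only
        logged (see the "Common causes" hint in the log message).
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [System.String[]]
        $SidList,

        [Parameter(Mandatory = $false)]
        [System.String]
        $Privilege = 'SeDenyInteractiveLogonRight'
    )

    process {
        $tempDir = "$(Get-WindowsDrive)\Windows\Temp\JCADMU"
        # NOTE(review): a pre-existing directory is used as-is and its ACL is not verified here.
        # The template drives a security-policy change, so it should only live somewhere the
        # elevated caller controls - confirm against how JCADMU provisions this directory.
        if (-not (Test-Path -LiteralPath $tempDir)) {
            New-Item -ItemType Directory -Force -Path $tempDir | Out-Null
        }
        # Per-call unique names so concurrent invocations do not clobber each other's files.
        $guid = [guid]::NewGuid().ToString('N')
        $configInf = Join-Path $tempDir "secedit_config_$guid.inf"
        $seceditDb = Join-Path $tempDir "secedit_$guid.sdb"
        $seceditLog = Join-Path $tempDir "secedit_$guid.log"
        try {
            # Normalise the entries: trim, drop blanks (they would otherwise yield an empty
            # token such as ',,' in the template), prefix SID-form tokens with '*' as secedit
            # requires, and pass anything else through verbatim.
            $tokens = foreach ($entry in $SidList) {
                $candidate = "$entry".Trim()
                if ($candidate.Length -eq 0) { continue }
                if ($candidate -match '^S-\d') { "*$candidate" } else { $candidate }
            }
            $privilegeValue = (@($tokens) -join ',')
            $infContent = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $privilegeValue
"@

            # UTF-16LE with BOM, matching the [Unicode] header in the template.
            Set-Content -LiteralPath $configInf -Value $infContent -Encoding Unicode -Force
            # Merge stderr into the captured output so the failure report below sees all of it.
            $seceditOutput = & secedit /configure /db "$seceditDb" /cfg "$configInf" /areas USER_RIGHTS /log "$seceditLog" /quiet 2>&1
            if ($LASTEXITCODE -ne 0) {
                # Read the secedit log now, before the finally block deletes it; it carries the
                # real reason (e.g. an entry that could not be mapped to a SID).
                $logText = ''
                if (Test-Path -LiteralPath $seceditLog) {
                    $logText = Get-Content -LiteralPath $seceditLog -Raw -ErrorAction SilentlyContinue
                }
                $detail = (@($seceditOutput; $logText) | Out-String).Trim()
                Write-ToLog "secedit /configure failed (exit code $LASTEXITCODE) applying '$Privilege'. $detail`nCommon causes: an entry in the list is not a valid SID or resolvable account, or the session is not elevated."
            }
        } finally {
            # Always remove the template, database and log, whether or not secedit succeeded.
            foreach ($file in @($configInf, $seceditDb, $seceditLog)) {
                if (Test-Path -LiteralPath $file) {
                    Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
                }
            }
        }
    }
}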