Edit user account privileges.
Syntax NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry] NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry] Key: +/-r Right Grant or revoke one of the rights listed below. -u UserOrGroup Who the rights are to be granted or revoked to. -m \\Computer The computer (machine) on which to perform the operation. The default is the local computer. -e Entry Add a text string 'Entry' to the computer's event log.
Below are the Privileges that can be granted or revoked, all are Case-Sensitive.
Log on as a batch job SeBatchLogonRight Deny logon as a batch job SeDenyBatchLogonRight Log on locally SeInteractiveLogonRight Deny local logon SeDenyInteractiveLogonRight Logon as a service SeServiceLogonRight Deny logon as a service SeDenyServiceLogonRight Access this Computer from the Network SeNetworkLogonRight Deny Access to this computer from the network SeDenyNetworkLogonRight Allow logon through RDP/Terminal Services SeRemoteInteractiveLogonRight Deny logon through RDP/Terminal Services SeDenyRemoteInteractiveLogonRight
System Admin Privileges:
Generate security audits SeAuditPrivilege Manage auditing and security log SeSecurityPrivilege Backup files and directories SeBackupPrivilege Add workstations to the domain SeMachineAccountPrivilege Shut down the system SeShutdownPrivilege Force shutdown from a remote system SeRemoteShutdownPrivilege Create a pagefile SeCreatePagefilePrivilege Increase quotas SeIncreaseQuotaPrivilege Restore files and directories SeRestorePrivilege Change the system time SeSystemTimePrivilege Manage the files on a volume SeManageVolumePrivilege (Win XP only) Take ownership of files/objects SeTakeOwnershipPrivilege Enable computer/user accounts to be trusted for delegation SeEnableDelegationPrivilege Remove computer from docking station SeUndockPrivilege
Create permanent shared objects SeCreatePermanentPrivilege Create a token object SeCreateTokenPrivilege Replace a process-level token SeAssignPrimaryTokenPrivilege Impersonate a client after authentication SeImpersonatePrivilege (Not supported on WinXP or earlier) Increase scheduling priority SeIncreaseBasePriorityPrivilege Act as part of the operating system SeTcbPrivilege Profile a single process SeProfileSingleProcessPrivilege Load and unload device drivers SeLoadDriverPrivilege Lock pages in memory SeLockMemoryPrivilege Create global objects SeCreateGlobalPrivilege (Not supported on Windows XP or earlier)
Debug programs SeDebugPrivilege Bypass traverse checking SeChangeNotifyPrivilege Synch directory service data SeSyncAgentPrivilege Edit firmware environment values SeSystemEnvironmentPrivilege Profile system performance SeSystemProfilePrivilege Obsolete and unused SeUnsolicitedInputPrivilege (has no effect)
To run ntrights you need to be an administrator, to change privileges remotely (-m option) you need to have administrator rights on the machine being changed.
To change permissions for a large number of users, add them to a domain workgroup and grant the privileges to the group.
The group policy editor can be used to view these privileges in a GUI.
On a Windows 2008 Server (or Vista), allowing logon through Terminal Services (SeRemoteInteractiveLogonRight) requires an extra step: Control Panel > System > 'Remote Settings' > 'Select Users' button, and then add users/groups.
Allow all members of the local 'Users' group to logon locally
ntrights -u Users +r SeInteractiveLogonRight
Allow all members of the 'Admin_RDP' group to logon remotely via RDP to "server64", also log this security change in the event log:
ntrights -u MyDom\Admin_RDP +r SeRemoteInteractiveLogonRight -m \\server64 -e "Added RDP rights for Admin_RDP"
Allow all members of the domain group 'Admin_General' to shutdown this computer.
ntrights -u MyDom\Admin_General +r SeShutdownPrivilege
Allow the domain user 'JDoe' to shutdown the machine 'Server64'
ntrights -u MyDom\JDoe +r SeShutdownPrivilege -m \\Server64
Specifically deny local logon rights to Henry:
ntrights -u Henry +r SeDenyInteractiveLogonRight
“What distinguishes the majority of men from the few is their inability to act according to their beliefs” ~ Henry Miller
CACLS - Change file permissions
Q267553 - Reset User Rights in Group Policy
Q315276 - Set Logon User Rights by Using the NTRights
Technet - User Rights and Privileges