NTRIGHTS.exe (2003 Resource Kit)

Edit user account privileges.

Syntax
       NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry]

       NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry]

Key:

   +/-r Right        Grant or revoke one of the rights listed below.

     -u UserOrGroup  The user or group to grant the right to, or revoke it from.

     -m \\Computer   The computer (machine) on which to perform the operation.
                     The default is the local computer. 

     -e Entry        Add a text string 'Entry' to the computer's event log.

This utility still works under Windows 7/2008 R2, although (like all Resource Kit tools) it is unsupported.

Below are the privileges that can be granted or revoked. All of the names are case-sensitive.

Logon Privileges:

 Log on as a batch job                          SeBatchLogonRight
 Deny logon as a batch job                      SeDenyBatchLogonRight
 Log on locally                                 SeInteractiveLogonRight
 Deny local logon                               SeDenyInteractiveLogonRight
 Logon as a service                             SeServiceLogonRight
 Deny logon as a service                        SeDenyServiceLogonRight
 Access this Computer from the Network          SeNetworkLogonRight
 Deny Access to this computer from the network  SeDenyNetworkLogonRight
 Allow logon through RDP/Terminal Services      SeRemoteInteractiveLogonRight
 Deny logon through RDP/Terminal Services       SeDenyRemoteInteractiveLogonRight

System Admin Privileges:

 Generate security audits              SeAuditPrivilege
 Manage auditing and security log      SeSecurityPrivilege
 Backup files and directories          SeBackupPrivilege
 Add workstations to the domain        SeMachineAccountPrivilege
 Shut down the system                  SeShutdownPrivilege
 Force shutdown from a remote system   SeRemoteShutdownPrivilege
 Create a pagefile                     SeCreatePagefilePrivilege
 Increase quotas                       SeIncreaseQuotaPrivilege
 Restore files and directories         SeRestorePrivilege
 Change the system time                SeSystemTimePrivilege
 Manage the files on a volume          SeManageVolumePrivilege  (Win XP only)
 Take ownership of files/objects       SeTakeOwnershipPrivilege
 Enable computer/user accounts
   to be trusted for delegation        SeEnableDelegationPrivilege
 Remove computer from docking station  SeUndockPrivilege

Service Privileges:

 Create permanent shared objects            SeCreatePermanentPrivilege
 Create a token object                      SeCreateTokenPrivilege
 Replace a process-level token              SeAssignPrimaryTokenPrivilege
 Impersonate a client after authentication  SeImpersonatePrivilege (Not supported on WinXP or earlier)
 Increase scheduling priority               SeIncreaseBasePriorityPrivilege
 Act as part of the operating system        SeTcbPrivilege
 Profile a single process                   SeProfileSingleProcessPrivilege
 Load and unload device drivers             SeLoadDriverPrivilege
 Lock pages in memory                       SeLockMemoryPrivilege
 Create global objects                      SeCreateGlobalPrivilege (Not supported on Windows XP or earlier)

Misc Privileges:

 Debug programs                   SeDebugPrivilege  
 Bypass traverse checking         SeChangeNotifyPrivilege  
 Synch directory service data     SeSyncAgentPrivilege  
 Edit firmware environment values SeSystemEnvironmentPrivilege  
 Profile system performance       SeSystemProfilePrivilege  
 Obsolete and unused              SeUnsolicitedInputPrivilege (has no effect)

To run ntrights you need to be an administrator. To change privileges remotely (-m option) you need to have administrator rights on the machine being changed.
To change permissions for a large number of users, add them to a domain group and grant the privileges to the group.
The group policy editor can be used to view these privileges in a GUI.

On a Windows 2008 Server (or Vista), allowing logon through Terminal Services (SeRemoteInteractiveLogonRight) requires an extra step: Control Panel > System > 'Remote Settings' > 'Select Users' button, and then add users/groups.

Examples:

Allow all members of the local 'Users' group to log on locally:

ntrights -u Users +r SeInteractiveLogonRight

Allow all members of the 'Admin_RDP' group to log on remotely via RDP to "server64", and also log this security change in the event log:

ntrights -u MyDom\Admin_RDP +r SeRemoteInteractiveLogonRight -m \\server64 -e "Added RDP rights for Admin_RDP"

Allow all members of the domain group 'Admin_General' to shut down this computer:

ntrights -u MyDom\Admin_General +r SeShutdownPrivilege

Allow the domain user 'JDoe' to shut down the machine 'Server64':

ntrights -u MyDom\JDoe +r SeShutdownPrivilege -m \\Server64

Specifically deny local logon rights to Henry:

ntrights -u Henry +r SeDenyInteractiveLogonRight
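
Because the right names are case-sensitive, a wrapper can reject a mis-cased name before calling ntrights, and the change can then be confirmed from an export of the local user rights. This is an added example, not part of the original page or the Resource Kit; the function names Set-UserRight and Test-UserRight are hypothetical, and it assumes an elevated PowerShell session on the local computer with ntrights.exe on the PATH.

```powershell
# Added example (hypothetical helpers), local computer only.
# Right names are copied from the tables on this page (subset; extend as needed).
$KnownRights = @(
    'SeBatchLogonRight', 'SeDenyBatchLogonRight',
    'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
    'SeServiceLogonRight', 'SeDenyServiceLogonRight',
    'SeNetworkLogonRight', 'SeDenyNetworkLogonRight',
    'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
    'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege')

function Set-UserRight {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Grant','Revoke')][string]$Action,
        [Parameter(Mandatory=$true)][string]$Right,
        [Parameter(Mandatory=$true)][string]$Account,
        [string]$Entry)
    # -cnotcontains is case-sensitive, so 'seshutdownprivilege' is rejected here.
    if ($KnownRights -cnotcontains $Right) {
        throw "Unknown or mis-cased right name: '$Right'"
    }
    $flag = if ($Action -eq 'Grant') { '+r' } else { '-r' }
    $ntArgs = @('-u', $Account, $flag, $Right)
    if ($Entry) { $ntArgs += @('-e', $Entry) }
    & ntrights.exe @ntArgs
}

function Test-UserRight {
    # True if $Account is assigned $Right directly (group membership is not expanded).
    param(
        [Parameter(Mandatory=$true)][string]$Right,
        [Parameter(Mandatory=$true)][string]$Account)
    # The export lists most holders as *SID, so resolve the account to its SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -cmatch ('^' + [regex]::Escape($Right) + '\s*=') }
        if (-not $line) { return $false }
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
        return ($holders -contains $sid) -or ($holders -contains $Account)
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

# Usage: Set-UserRight -Action Grant -Right SeDenyInteractiveLogonRight -Account Henry
#        Test-UserRight -Right SeDenyInteractiveLogonRight -Account Henry
```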

“What distinguishes the majority of men from the few is their inability to act according to their beliefs” ~ Henry Miller

Related:

CACLS - Change file permissions
Q267553 - Reset User Rights in Group Policy
Q315276 - Set Logon User Rights by Using the NTRights
Technet - User Rights and Privileges


© Copyright SS64.com 1999-2014
Some rights reserved