JSI Tip 9480. How can I display the User Rights Assignment on a specified computer?

Jerold Schulman

June 21, 2005



You can use Group Policy to set the User Rights Assignment on computers, and you can use NTRights.exe to set user rights in a script.

Some of the user rights that can be granted or revoked in a script are:

| Windows NT right | Permits user to |
| --- | --- |
| SeAssignPrimaryTokenPrivilege | Replace a process level token. |
| SeAuditPrivilege | Generate security audits. |
| SeBackupPrivilege | Back up files and directories. |
| SeBatchLogonRight | Log on as a batch job. |
| SeChangeNotifyPrivilege | Bypass traverse checking. |
| SeCreatePagefilePrivilege | Create a pagefile. |
| SeCreatePermanentPrivilege | Create permanent shared objects. |
| SeCreateTokenPrivilege | Create a token object. |
| SeDebugPrivilege | Debug programs. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority. |
| SeIncreaseQuotaPrivilege | Increase quotas. |
| SeInteractiveLogonRight | Log on locally. |
| SeLoadDriverPrivilege | Load and unload device drivers. |
| SeLockMemoryPrivilege | Lock pages in memory. |
| SeMachineAccountPrivilege | Add workstations to domain. |
| SeNetworkLogonRight | Access this computer from the network. |
| SeProfileSingleProcessPrivilege | Profile single process. |
| SeRemoteInteractiveLogonRight | |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system. |
| SeRestorePrivilege | Restore files and directories. |
| SeSecurityPrivilege | Manage auditing and security log. |
| SeServiceLogonRight | Log on as a service. |
| SeShutdownPrivilege | Shut down the system. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values. |
| SeSystemProfilePrivilege | Profile system performance. |
| SeSystemtimePrivilege | Change the system time. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects. |
| SeTcbPrivilege | Act as part of the operating system. |
| SeUnsolicitedInputPrivilege | Read unsolicited input from a terminal device. |


Windows NT Deny Rights

SeDenyBatchLogonRight

SeDenyInteractiveLogonRight

SeDenyNetworkLogonRight

SeDenyServiceLogonRight

SeDenyRemoteInteractiveLogonRight

Using DumpSec.exe, formerly DumpACL.EXE, I have scripted UserRights.bat to display the User Rights Assignment on a specified computer, using a .CSV format.

The syntax for using UserRights.bat is:

UserRights ComputerName

Where ComputerName is the NetBIOS computer name that you want to enumerate.

The output is displayed on the console, each line containing:

"ComputerName","UserRight","Account","Description"

like:

"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"

UserRights.bat contains:

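```bat
@echo off
If {%1}=={} @echo Syntax: UserRights ComputerName&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
rem Strip quotes and backslashes from the name, then build the \\host form.
set computer=%1
set computer=%computer:"=%
set computer=%computer:\=%
set host=\\%computer%
rem Have DumpSec write the rights report to a temporary CSV file.
set wrk=UserRights_%RANDOM%.CSV
dumpsec.exe /rpt=rights /saveas=csv /outfile=%wrk% /computer=%host%
rem Keep only the lines that start with "Se" and trim the padding from each field.
for /f "Tokens=1-4 Delims=," %%a in ('type %wrk%^|Findstr /b /c:"Se"') do (
 set acct=%%b#
 set acct=!acct:  =!
 set acct=!acct: #=!
 set acct=!acct:#=!
 set desc=%%c#
 set desc=!desc:  =!
 set desc=!desc: #=!
 set desc=!desc:#=!
 rem With no account assigned, the description lands in the account field.
 if "!desc!" EQU "" set desc=!acct!&set acct=NONE
 @echo "%computer%","%%a","!acct!","!desc!"
)
del /q %wrk%
endlocal
```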
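An added example, not part of the original tip or its script: a Python check that reads saved UserRights.bat output and reports high-impact rights held by accounts outside a baseline. The set of rights treated as sensitive, the baseline accounts, and every sample row except the first are assumptions constructed for illustration.

```python
import csv
import io

# Rights from the tip's table that are commonly treated as high impact.
# This selection is an assumption of the example, not part of the tip.
SENSITIVE = {
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege",
    "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege",
}

# Hypothetical baseline: accounts (lower-cased) allowed to hold each right.
BASELINE = {right: {r"builtin\administrators"} for right in SENSITIVE}
BASELINE["SeBackupPrivilege"].add(r"builtin\backup operators")
BASELINE["SeRestorePrivilege"].add(r"builtin\backup operators")

def parse_rows(text):
    """Yield (computer, right, account, description) from UserRights.bat output."""
    for row in csv.reader(io.StringIO(text)):
        # Skip blank lines and anything that is not a four-field rights row.
        if len(row) == 4 and row[1].startswith("Se"):
            yield tuple(field.strip() for field in row)

def audit(text, baseline=BASELINE):
    """Return (computer, right, account) for sensitive rights held off-baseline."""
    findings = []
    for computer, right, account, _desc in parse_rows(text):
        # UserRights.bat writes NONE when a right has no account assigned.
        if right not in baseline or account == "NONE":
            continue
        if account.lower() not in baseline[right]:
            findings.append((computer, right, account))
    return findings

# Constructed sample output; only the first row comes from the tip.
SAMPLE = r'''"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"
"jsi009","SeDebugPrivilege","BUILTIN\Administrators","Debug programs"
"jsi009","SeDebugPrivilege","JSI009\svc_build","Debug programs"
"jsi009","SeTcbPrivilege","NONE","Act as part of the operating system"
"jsi009","SeBackupPrivilege","BUILTIN\Backup Operators","Back up files and directories"
'''

if __name__ == "__main__":
    for computer, right, account in audit(SAMPLE):
        print(f"{computer}: {right} held by unexpected account {account}")
```

Redirect the script's console output to a file per computer and pass the file contents to `audit` to compare hosts against the same baseline.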


