You can use Group Policy to set the User Rights Assignment on computers, and you can use
NTRights.exe to set user rights in a script.
Some of the user rights that can be granted or revoked in a script are:
| Windows NT right | Permits user to |
| SeAssignPrimaryTokenPrivilege | Replace a process level token. |
| SeAuditPrivilege | Generate security audits. |
| SeBackupPrivilege | Back up files and directories. |
| SeBatchLogonRight | Logon as a batch job. |
| SeChangeNotifyPrivilege | Bypass traverse checking. |
| SeCreatePagefilePrivilege | Create a pagefile. |
| SeCreatePermanentPrivilege | Create permanent shared objects. |
| SeCreateTokenPrivilege | Create a token object. |
| SeDebugPrivilege | Debug programs. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority. |
| SeIncreaseQuotaPrivilege | Increase quotas. |
| SeInteractiveLogonRight | Log on locally. |
| SeLoadDriverPrivilege | Load and unload device drivers. |
| SeLockMemoryPrivilege | Lock pages in memory. |
| SeMachineAccountPrivilege | Add workstations to domain. |
| SeNetworkLogonRight | Access this computer from the network. |
| SeProfileSingleProcessPrivilege | Profile single process. |
| SeRemoteInteractiveLogonRight | |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system. |
| SeRestorePrivilege | Restore files and directories. |
| SeSecurityPrivilege | Manage auditing and security log. |
| SeServiceLogonRight | Log on as a service. |
| SeShutdownPrivilege | Shut down the system. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values. |
| SeSystemProfilePrivilege | Profile system performance. |
| SeSystemtimePrivilege | Change the system time. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects. |
| SeTcbPrivilege | Act as part of the operating system. |
| SeUnsolicitedInputPrivilege | Read unsolicited input from a terminal device. |
| Windows NT Deny Rights |
| SeDenyBatchLogonRight |
| SeDenyInteractiveLogonRight |
| SeDenyNetworkLogonRight |
| SeDenyServiceLogonRight |
| SeDenyRemoteInteractiveLogonRight |
Using DumpSec.exe, formerly DumpACL.EXE, I have scripted UserRights.bat to display the User Rights Assignment on a specified computer, using a .CSV format.
The syntax for using UserRights.bat is:
UserRights ComputerName
Where ComputerName is the NetBIOS computer name that you want to enumerate.
The output is displayed on the console, each line containing:
"ComputerName","UserRight","Account","Description"
like:
"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"
UserRights.bat contains:
@echo off
If \{%1\}==\{\} @echo Syntax: UserRights ComputerName&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
set computer=%1
set computer=%computer:"=%
set computer=%computer:\=%
set host=\\%computer%
set wrk=UserRights_%RANDOM%.CSV
dumpsec.exe /rpt=rights /saveas=csv /outfile=%wrk% /computer=%host%
for /f "Tokens=1-4 Delims=," %%a in ('type %wrk%^|Findstr /b /c:"Se"') do (
set acct=%%b#
set acct=!acct: =!
set acct=!acct: #=!
set acct=!acct:#=!
set desc=%%c#
set desc=!desc: =!
set desc=!desc: #=!
set desc=!desc:#=!
if "!desc!" EQU "" set desc=!acct!&set acct=NONE
@echo "%computer%","%%a","!acct!","!desc!"
)
del /q %wrk%
endlocal
0 comments
Hide comments
