You can use Group Policy to set the User Rights Assignment on computers, and you can use
NTRights.exe to set user rights in a script.
Some of the user rights that can be granted or revoked in a script are:
Windows NT right | Permits user to |
SeAssignPrimaryTokenPrivilege | Replace a process level token. |
SeAuditPrivilege | Generate security audits. |
SeBackupPrivilege | Back up files and directories. |
SeBatchLogonRight | Log on as a batch job. |
SeChangeNotifyPrivilege | Bypass traverse checking. |
SeCreatePagefilePrivilege | Create a pagefile. |
SeCreatePermanentPrivilege | Create permanent shared objects. |
SeCreateTokenPrivilege | Create a token object. |
SeDebugPrivilege | Debug programs. |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority. |
SeIncreaseQuotaPrivilege | Increase quotas. |
SeInteractiveLogonRight | Log on locally. |
SeLoadDriverPrivilege | Load and unload device drivers. |
SeLockMemoryPrivilege | Lock pages in memory. |
SeMachineAccountPrivilege | Add workstations to domain. |
SeNetworkLogonRight | Access this computer from the network. |
SeProfileSingleProcessPrivilege | Profile single process. |
SeRemoteInteractiveLogonRight | |
SeRemoteShutdownPrivilege | Force shutdown from a remote system. |
SeRestorePrivilege | Restore files and directories. |
SeSecurityPrivilege | Manage auditing and security log. |
SeServiceLogonRight | Log on as a service. |
SeShutdownPrivilege | Shut down the system. |
SeSystemEnvironmentPrivilege | Modify firmware environment values. |
SeSystemProfilePrivilege | Profile system performance. |
SeSystemtimePrivilege | Change the system time. |
SeTakeOwnershipPrivilege | Take ownership of files or other objects. |
SeTcbPrivilege | Act as part of the operating system. |
SeUnsolicitedInputPrivilege | Read unsolicited input from a terminal device. |
Windows NT Deny Rights |
SeDenyBatchLogonRight |
SeDenyInteractiveLogonRight |
SeDenyNetworkLogonRight |
SeDenyServiceLogonRight |
SeDenyRemoteInteractiveLogonRight |
Using DumpSec.exe, formerly DumpACL.EXE, I have scripted UserRights.bat to display the User Rights Assignment on a specified computer, using a .CSV format.
The syntax for using UserRights.bat is:
UserRights ComputerName
Where ComputerName is the NetBIOS computer name that you want to enumerate.
The output is displayed on the console, each line containing:
"ComputerName","UserRight","Account","Description"
like:
"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"
UserRights.bat contains:
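@echo off
rem Require a computer name argument.
If {%1}=={} @echo Syntax: UserRights ComputerName&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
rem Strip quotes and backslashes from the argument, then build the UNC host name.
set computer=%1
set computer=%computer:"=%
set computer=%computer:\=%
set host=\\%computer%
rem Dump the rights report to a temporary CSV file in the current directory.
set wrk=UserRights_%RANDOM%.CSV
dumpsec.exe /rpt=rights /saveas=csv /outfile=%wrk% /computer=%host%
for /f "Tokens=1-4 Delims=," %%a in ('type %wrk%^|Findstr /b /c:"Se"') do (
 rem Trim trailing padding: remove runs of two spaces, then a leftover space before #, then the # itself.
 set acct=%%b#
 set acct=!acct:  =!
 set acct=!acct: #=!
 set acct=!acct:#=!
 set desc=%%c#
 set desc=!desc:  =!
 set desc=!desc: #=!
 set desc=!desc:#=!
 rem When no account holds the right, the description arrives in the account field.
 if "!desc!" EQU "" set desc=!acct!&set acct=NONE
 @echo "%computer%","%%a","!acct!","!desc!"
)
del /q %wrk%
endlocal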
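The four-column output lends itself to an automated review. The following PowerShell is an added example, not part of the original tip or of DumpSec: it parses lines in the format UserRights.bat prints and reports high-impact rights held by accounts outside an expected list. The choice of sensitive rights, the expected-holder list, the function name Find-UnexpectedRightHolder, and the sample accounts are assumptions made for illustration.

```powershell
# Added example; not part of the original UserRights.bat.
# Rights from the table above that give broad control of a host when
# granted too widely (this example's own selection).
$SensitiveRights = @(
    'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege', 'SeCreateTokenPrivilege',
    'SeDebugPrivilege', 'SeLoadDriverPrivilege', 'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege', 'SeTcbPrivilege'
)
# Assumption: the accounts you expect to hold those rights. Adjust per environment.
$ExpectedHolders = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')

# Hypothetical helper: returns the rows where a sensitive right is held
# by an account that is not on the expected list.
function Find-UnexpectedRightHolder {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [string[]]$Sensitive = $SensitiveRights,
        [string[]]$Expected  = $ExpectedHolders
    )
    $Line |
        ConvertFrom-Csv -Header Computer, Right, Account, Description |
        Where-Object {
            $_.Right -in $Sensitive -and
            $_.Account -ne 'NONE' -and      # NONE = right assigned to nobody
            $_.Account -notin $Expected
        }
}

# Constructed sample lines in the format UserRights.bat prints.
$sample = @(
    '"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"',
    '"jsi009","SeDebugPrivilege","BUILTIN\Administrators","Debug programs"',
    '"jsi009","SeDebugPrivilege","JSI009\svc_build","Debug programs"',
    '"jsi009","SeTcbPrivilege","NONE","Act as part of the operating system"',
    '"jsi009","SeBackupPrivilege","BUILTIN\Backup Operators","Back up files and directories"',
    '"jsi009","SeLoadDriverPrivilege","JSI009\helpdesk","Load and unload device drivers"'
)

# Reports the svc_build and helpdesk rows only.
Find-UnexpectedRightHolder -Line $sample |
    Format-Table Computer, Right, Account -AutoSize

# Against a live host, feed the script's console output straight in:
#   Find-UnexpectedRightHolder -Line (& .\UserRights.bat jsi009)
```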