How can I grant User Rights from the command line?

A. Usually user rights, such as Logon Locally, are granted by starting User Manager and selecting User Rights from the Policies menu. If you want to grant rights from the command line, for use with account generation scripts etc., the Windows NT Resource Kit Supplement Two includes a new utility called NTRIGHTS.EXE which does this.

The program uses a code word for each user right:

Code Word                          User Right
SeNetworkLogonRight                Access this computer from the network.
SeTcbPrivilege                     Act as part of the operating system.
SeMachineAccountPrivilege          Add workstations to domain.
SeBackupPrivilege                  Back up files and directories.
SeChangeNotifyPrivilege            Bypass traverse checking.
SeSystemtimePrivilege              Change the system time.
SeCreatePagefilePrivilege          Create a pagefile.
SeCreateTokenPrivilege             Create a token object.
SeCreatePermanentPrivilege         Create permanent shared objects.
SeDebugPrivilege                   Debug programs.
SeRemoteShutdownPrivilege          Force shutdown from a remote system.
SeAuditPrivilege                   Generate security audits.
SeIncreaseQuotaPrivilege           Increase quotas.
SeIncreaseBasePriorityPrivilege    Increase scheduling priority.
SeLoadDriverPrivilege              Load and unload device drivers.
SeLockMemoryPrivilege              Lock pages in memory.
SeBatchLogonRight                  Logon as a batch job.
SeServiceLogonRight                Log on as a service.
SeInteractiveLogonRight            Log on locally.
SeSecurityPrivilege                Manage auditing and security log.
SeSystemEnvironmentPrivilege       Modify firmware environment values.
SeProfileSingleProcessPrivilege    Profile single process.
SeSystemProfilePrivilege           Profile system performance.
SeUnsolicitedInputPrivilege        Read unsolicited input from a terminal device.
SeAssignPrimaryTokenPrivilege      Replace a process level token.
SeRestorePrivilege                 Restore files and directories.
SeShutdownPrivilege                Shut down the system.
SeTakeOwnershipPrivilege           Take ownership of files or other objects.

To grant a user right, run a command like the following:

ntrights +r SeInteractiveLogonRight -u SavillTech\savillj

This would grant savillj of the SavillTech domain the right to log on locally. To grant the right on a remote machine, use the -m switch:

ntrights +r SeInteractiveLogonRight -u SavillTech\savillj -m \\<machine name>
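For the account generation scripts mentioned above, the following added example (not part of the original FAQ or the Resource Kit) builds ntrights command lines in the syntax shown here and rejects any code word that does not match the table exactly, so a mistyped right never reaches the generated script. The name patterns, the machine name NTSRV01 and the accounts other than SavillTech\savillj are assumptions made for the illustration.

```python
import re

# Code words copied from the table on this page; matched exactly.
CODE_WORDS = frozenset("""
SeNetworkLogonRight SeTcbPrivilege SeMachineAccountPrivilege SeBackupPrivilege
SeChangeNotifyPrivilege SeSystemtimePrivilege SeCreatePagefilePrivilege SeCreateTokenPrivilege
SeCreatePermanentPrivilege SeDebugPrivilege SeRemoteShutdownPrivilege SeAuditPrivilege
SeIncreaseQuotaPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege SeLockMemoryPrivilege
SeBatchLogonRight SeServiceLogonRight SeInteractiveLogonRight SeSecurityPrivilege
SeSystemEnvironmentPrivilege SeProfileSingleProcessPrivilege SeSystemProfilePrivilege
SeUnsolicitedInputPrivilege SeAssignPrimaryTokenPrivilege SeRestorePrivilege SeShutdownPrivilege
SeTakeOwnershipPrivilege
""".split())

# Assumed input policy (not from the page): plain DOMAIN\user and machine names
# only, so a stray space or shell metacharacter never reaches the script.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+")
MACHINE_RE = re.compile(r"[A-Za-z0-9_-]+")

def ntrights_command(right, account, machine=None):
    """Return one 'ntrights +r' line in the syntax shown on this page."""
    if right not in CODE_WORDS:
        near = sorted(w for w in CODE_WORDS if w.lower() == right.lower())
        hint = f"; did you mean {near[0]}?" if near else ""
        raise ValueError(f"unknown code word {right!r}{hint}")
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"account {account!r} is not a plain DOMAIN\\user name")
    if machine is not None and not MACHINE_RE.fullmatch(machine):
        raise ValueError(f"bad machine name {machine!r}")
    cmd = f"ntrights +r {right} -u {account}"
    return cmd if machine is None else f"{cmd} -m \\\\{machine}"

def build_script(grants):
    """Split (right, account, machine) requests into commands and rejects."""
    commands, rejected = [], []
    for right, account, machine in grants:
        try:
            commands.append(ntrights_command(right, account, machine))
        except ValueError as err:
            rejected.append((account, str(err)))
    return commands, rejected

# Constructed sample requests: the last two are deliberately malformed.
SAMPLE = [
    ("SeInteractiveLogonRight", r"SavillTech\savillj", None),
    ("SeServiceLogonRight", r"SavillTech\svc_backup", "NTSRV01"),
    ("SeSystemTimePrivilege", r"SavillTech\savillj", None),
    ("SeBackupPrivilege", r"SavillTech\john smith", None),
]
COMMANDS, REJECTED = build_script(SAMPLE)
print(*COMMANDS, *REJECTED, sep="\n")
```

Review the rejected list before running the generated commands; each entry names the account and the reason it was refused.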
