NTRIGHTS.exe (Resource Kit, 2000/2003)
Edit user account Privileges.
NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry]
NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry]
+/-r Right Grant or revoke one of the rights listed below.
-u UserOrGroup Who the rights are to be granted or revoked to.
-m \\Computer The computer (machine) on which to perform the operation.
The default is the local computer.
-e Entry Add a text string 'Entry' to the computer's event log.
Below are the Privileges that can be granted or revoked.
All are case-sensitive.
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects*
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects.
SeCreateTokenPrivilege Create a token object
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyServiceLogonRight Deny log on as a service
SeDebugPrivilege Debug programs
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication*
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Increase quotas
SeInteractiveLogonRight Log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeUndockPrivilege Remove computer from docking station
SeUnsolicitedInputPrivilege Read unsolicited input from a terminal device
This command requires Administrator rights and does not run on NT 4.0
* = Privilege valid in Windows 2003 and above only
Allow members of the local Users group to logon locally
ntrights -u Users +r SeInteractiveLogonRight
Revoke the above
ntrights -u Users -r SeInteractiveLogonRight
Specifically deny local logon rights to jdoe
ntrights -u jdoe -r SeDenyInteractiveLogonRight
FortyPoundHead has posted a total of 1975 articles.
You can find more information from FortyPoundHead by visiting .
No comments on this post yet!
Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.
Or you can drop a note to the administrators if you're not sure where you should post.