Posted On 2006-11-27 by FortyPoundHead
Keywords: Command Reference NTRIGHTS
Tags: Tutorial Windows Commandline Windows
Views: 4056

NTRIGHTS.exe (Resource Kit, 2000/2003)

Edit user account Privileges.

NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry]

NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry]


+/-r Right Grant or revoke one of the rights listed below.

-u UserOrGroup Who the rights are to be granted or revoked to.

-m \\Computer The computer (machine) on which to perform the operation.
The default is the local computer.

-e Entry Add a text string 'Entry' to the computer's event log.

Below are the Privileges that can be granted or revoked.
All are case-sensitive.

Privilege Meaning

SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job

SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects*
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects.
SeCreateTokenPrivilege Create a token object

SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access this computer from the network
SeDenyServiceLogonRight Deny log on as a service
SeDebugPrivilege Debug programs
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation

SeImpersonatePrivilege Impersonate a client after authentication*
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Increase quotas
SeInteractiveLogonRight Log on locally

SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories

SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time

SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeUndockPrivilege Remove computer from docking station
SeUnsolicitedInputPrivilege Read unsolicited input from a terminal device
This command requires Administrator rights and does not run on NT 4.0

* = Privilege valid in Windows 2003 and above only


Allow members of the local Users group to logon locally

ntrights -u Users +r SeInteractiveLogonRight

Revoke the above

ntrights -u Users -r SeInteractiveLogonRight

Specifically deny local logon rights to jdoe

ntrights -u jdoe -r SeDenyInteractiveLogonRight

About the Author

FortyPoundHead has posted a total of 1974 articles.

Comments On This Post

No comments on this post yet!

Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.

Your IP address is:

Before you can post, you need to prove you are human. If you log in, this test goes away.

Code Links