JSI Tip 9480. How can I display the User Rights Assignment on a specified computer?
June 21, 2005
You can use Group Policy to set the User Rights Assignment on computers, and you can use NTRights.exe to set user rights in a script.
Some of the user rights that can be granted or revoked in a script are:
Windows NT right | Permits user to |
---|---|
SeAssignPrimaryTokenPrivilege | Replace a process level token. |
SeAuditPrivilege | Generate security audits. |
SeBackupPrivilege | Back up files and directories. |
SeBatchLogonRight | Log on as a batch job. |
SeChangeNotifyPrivilege | Bypass traverse checking. |
SeCreatePagefilePrivilege | Create a pagefile. |
SeCreatePermanentPrivilege | Create permanent shared objects. |
SeCreateTokenPrivilege | Create a token object. |
SeDebugPrivilege | Debug programs. |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority. |
SeIncreaseQuotaPrivilege | Increase quotas. |
SeInteractiveLogonRight | Log on locally. |
SeLoadDriverPrivilege | Load and unload device drivers. |
SeLockMemoryPrivilege | Lock pages in memory. |
SeMachineAccountPrivilege | Add workstations to domain. |
SeNetworkLogonRight | Access this computer from the network. |
SeProfileSingleProcessPrivilege | Profile single process. |
SeRemoteInteractiveLogonRight | |
SeRemoteShutdownPrivilege | Force shutdown from a remote system. |
SeRestorePrivilege | Restore files and directories. |
SeSecurityPrivilege | Manage auditing and security log. |
SeServiceLogonRight | Log on as a service. |
SeShutdownPrivilege | Shut down the system. |
SeSystemEnvironmentPrivilege | Modify firmware environment values. |
SeSystemProfilePrivilege | Profile system performance. |
SeSystemtimePrivilege | Change the system time. |
SeTakeOwnershipPrivilege | Take ownership of files or other objects. |
SeTcbPrivilege | Act as part of the operating system. |
SeUnsolicitedInputPrivilege | Read unsolicited input from a terminal device. |
Windows NT Deny Rights |
---|
SeDenyBatchLogonRight |
SeDenyInteractiveLogonRight |
SeDenyNetworkLogonRight |
SeDenyServiceLogonRight |
SeDenyRemoteInteractiveLogonRight |
Using DumpSec.exe, formerly DumpACL.EXE, I have scripted UserRights.bat to display the User Rights Assignment on a specified computer, using a .CSV format.
The syntax for using UserRights.bat is:
UserRights ComputerName
Where ComputerName is the NetBIOS computer name that you want to enumerate.
The output is displayed on the console, each line containing:
"ComputerName","UserRight","Account","Description"
like:
"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"
UserRights.bat contains:
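```bat
@echo off
If {%1}=={} @echo Syntax: UserRights ComputerName&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
rem Strip quotes and backslashes from the argument, then build the \\name form.
set computer=%1
set computer=%computer:"=%
set computer=%computer:\=%
set host=\\%computer%
set wrk=UserRights_%RANDOM%.CSV
rem Have DumpSec write its rights report to a temporary CSV file.
dumpsec.exe /rpt=rights /saveas=csv /outfile=%wrk% /computer=%host%
rem Keep only lines that start with "Se": right, account, description.
for /f "Tokens=1-4 Delims=," %%a in ('type %wrk%^|Findstr /b /c:"Se"') do (
 rem Append a # marker, remove runs of two spaces, then the trailing space and marker.
 set acct=%%b#
 set acct=!acct:  =!
 set acct=!acct: #=!
 set acct=!acct:#=!
 set desc=%%c#
 set desc=!desc:  =!
 set desc=!desc: #=!
 set desc=!desc:#=!
 rem A line with no third field has no account: shift the text to desc and report NONE.
 if "!desc!" EQU "" set desc=!acct!&set acct=NONE
 @echo "%computer%","%%a","!acct!","!desc!"
)
del /q %wrk%
endlocal
```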
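A follow-on use for this output, as an added example that is not part of the original tip: capture the console output of two runs and diff them to see which rights were granted or revoked in between. The function names and the sample rows (including the `JSI009\svc-backup` account) are constructed for illustration; in real use, pass the lines of two saved captures read with `Get-Content`.

```powershell
# Added example (not from the original tip): diff two captures of UserRights.bat output.
function ConvertTo-GrantSet {
    param([string[]] $Lines)
    # Account names are case-insensitive on Windows, so compare keys that way.
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    # UserRights.bat prints no header row, so column names are supplied here.
    # Rows whose account is NONE mean nobody holds the right; they carry no grant.
    $Lines | Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv -Header Computer, Right, Account, Description |
        Where-Object { $_.Account -ne 'NONE' } |
        ForEach-Object { [void]$set.Add(('{0}|{1}|{2}' -f $_.Computer, $_.Right, $_.Account)) }
    ,$set  # unary comma returns the set itself rather than its elements
}

function Compare-UserRights {
    param([string[]] $Baseline, [string[]] $Current)
    $old = ConvertTo-GrantSet $Baseline
    $new = ConvertTo-GrantSet $Current
    $passes = @{ Change = 'Granted'; From = $new; Other = $old },
              @{ Change = 'Revoked'; From = $old; Other = $new }
    foreach ($pass in $passes) {
        foreach ($key in $pass.From) {
            if (-not $pass.Other.Contains($key)) {
                $computer, $right, $account = $key -split '\|', 3
                [pscustomobject]@{
                    Change = $pass.Change; Computer = $computer
                    Right  = $right;       Account  = $account
                }
            }
        }
    }
}

# Constructed sample rows in the format UserRights.bat prints.
$baseline = @(
    '"jsi009","SeInteractiveLogonRight","BUILTIN\Administrators","Log on locally"'
    '"jsi009","SeInteractiveLogonRight","BUILTIN\Power Users","Log on locally"'
    '"jsi009","SeCreateTokenPrivilege","NONE","Create a token object"'
)
$current = @(
    '"jsi009","SeInteractiveLogonRight","BUILTIN\Administrators","Log on locally"'
    '"jsi009","SeDebugPrivilege","JSI009\svc-backup","Debug programs"'
    '"jsi009","SeCreateTokenPrivilege","NONE","Create a token object"'
)
Compare-UserRights -Baseline $baseline -Current $current | Format-Table -AutoSize
```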