Q: How can I configure and manage Windows user rights from the command line?

A: You can use the ntrights utility to grant or revoke Windows user rights, both logon rights and privileges, to users and groups on a local or remote computer. The ntrights utility is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit. For example, to grant ServiceAccount1 on computer MyComputer the Logon as a service right, you must run the following command.

Ntrights +r SeServiceLogonRight -u ServiceAccount1 -m \MyComputer

To revoke the Everyone group’s right to Access this computer from the network, run the command

Ntrights -r SeNetworkLogonRight -u Everyone

To display the user rights that have been assigned to the account you used to log on to a Windows system, use the whoami command line tool with the /priv switch:

Whoami /priv

Whoami is included in the Windows 2000 Resource Kit and is bundled with Server 2003, Windows Vista, and Windows Server 2008.

To display which users and groups have been assigned a particular user right, you can use the ShowPriv utility, which is included in the Server 2003 Resource Kit and the Windows 2000 Resource Kit. For example, to find which users and groups have been assigned the Log on locally logon on your system, run the command

Showpriv SeInteractiveLogonRight

Related Reading: