Rights are authorized actions a user can perform on the system. They are tightly coupled with permissions, which are applied at the object level. These user rights can be applied through local policies or a centralized Group Policy Object. Below are the security-related user rights present in Server 2012.
User Right | Description | PowerShell Command (Constant) |
--- | --- | --- |
Access Credential Manager as a trusted caller | Applies to Credential Manager during backup-related processes. This privilege is assigned to the Winlogon service only and should not be assigned to any other account. | SeTrustedCredManAccessPrivilege |
Access this computer from the network | Determines whether a user can utilize protocols related to accessing a given computer, such as Service Message Block (SMB), NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+) | SeNetworkLogonRight |
Act as part of the operating system | Applies to processes to determine whether they can use a user’s identity to gain access to the privileges granted to that user | SeTcbPrivilege |
Add workstations to domain | Enables a user to add a computer to a domain. | SeMachineAccountPrivilege |
Adjust memory quotas for a process | Enables a user to change the memory used by a process. | SeIncreaseQuotaPrivilege |
Allow logon locally | Enables a user to start an interactive session | SeInteractiveLogonRight |
Allow logon through Remote Desktop Services | Enables a user to log on using Remote Desktop Services. | SeRemoteInteractiveLogonRight |
Back up files and directories | Enables an account to bypass permissions for backup purposes | SeBackupPrivilege |
Bypass traverse checking | Enables an account to traverse an NTFS file system without needing to check the Traverse Folder permission. | SeChangeNotifyPrivilege |
Change the system time | Enables a user to change the time on the local computer. | SeSystemtimePrivilege |
Change the time zone | Enables a user to change the time zone on the local computer. | SeTimeZonePrivilege |
Create a pagefile | Enables a user to change settings around the pagefile, including its size. | SeCreatePagefilePrivilege |
Create a token object | Enables a process to create a token using the privileged account. | SeCreateTokenPrivilege |
Create global objects | Enables creation of global objects | SeCreateGlobalPrivilege |
Create permanent shared objects | Enables creation of directory objects | SeCreatePermanentPrivilege |
Create symbolic links | Enables an account to create a file system symbolic link. | SeCreateSymbolicLinkPrivilege |
Debug programs | Enables a user to attach to a process for debugging. | SeDebugPrivilege |
Deny access to this computer from the network | Prevents users from accessing the computer. | SeDenyNetworkLogonRight |
Deny logon as a batch job | Prevents an account from logging on using batch-related methods | SeDenyBatchLogonRight |
Deny logon as a service | Prevents an account from logging on as a service | SeDenyServiceLogonRight |
Deny logon locally | Prevents an account from logging on locally at a computer console. | SeDenyInteractiveLogonRight |
Deny logon through Remote Desktop Services | Prevents users from logging on to a computer using Remote Desktop Services. | SeDenyRemoteInteractiveLogonRight |
Enable computer and user accounts to be trusted for delegation | Enables a user to set the Trusted for Delegation setting | SeEnableDelegationPrivilege |
Force shutdown from a remote system | Allows a user to shut down a computer when connected remotely | SeRemoteShutdownPrivilege |
Generate security audits | Enables an account to generate audit records in the security log. | SeAuditPrivilege |
Impersonate a client after authentication | Enables a program to impersonate a user or account and act on behalf of that user or account. | SeImpersonatePrivilege |
Increase a process working set | Enables a user to increase the size of a working set of a process. | SeIncreaseWorkingSetPrivilege |
Increase scheduling priority | Enables a user to increase the base priority of a process. | SeIncreaseBasePriorityPrivilege |
Load and unload device drivers | Enables a user to dynamically load or unload device drivers. | SeLoadDriverPrivilege |
Lock pages in memory | Enables an account to keep data from a process in physical memory. | SeLockMemoryPrivilege |
Log on as a batch job | Enables an account to log on using batch-related methods, including Task Scheduler | SeBatchLogonRight |
Log on as a service | Enables a service account to register a process. | SeServiceLogonRight |
Manage auditing and security log | Enables a user to work with auditing and security log. | SeSecurityPrivilege |
Modify an object label | Enables an account to modify integrity labels used by Windows Integrity Controls (WIC). | SeRelabelPrivilege |
Modify firmware environment values | Enables a user to modify non-volatile RAM (NVRAM) settings. | SeSystemEnvironmentPrivilege |
Perform volume maintenance tasks | Enables a user to do volume- and disk management–related tasks. | SeManageVolumePrivilege |
Profile single process | Enables a user to view performance aspects of a process | SeProfileSingleProcessPrivilege |
Profile system performance | Enables a user to use the Windows Performance Monitor tools. | SeSystemProfilePrivilege |
Remove computer from docking station | Enables a user to undock a computer without logging on. | SeUndockPrivilege |
Replace a process level token | Enables a process to replace an access token of a child process | SeAssignPrimaryTokenPrivilege |
Restore files and directories | Enables a user to bypass the normal permission checks when restoring. | SeRestorePrivilege |
Shut down the system | Enables a local user to shut down the system | SeShutdownPrivilege |
Synchronize directory service data | Enables a user to synchronize service data, such as LDAP directory synchronization. | SeSyncAgentPrivilege |
Take ownership of files or other objects | Enables an account to take ownership of objects in the computer. | SeTakeOwnershipPrivilege |
You can use the above PowerShell constants with cmdlets to automate the user rights assignment process. MS link to script
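
As an added example (not from the original page or from the Microsoft script it mentions), the constants in the table can also drive an audit of who currently holds a right: the script below parses the `[Privilege Rights]` section of a `secedit` export and reports holders outside an expected baseline. The function names `Get-UserRightAssignment` and `Find-UnexpectedHolder`, the baseline, and the sample export are assumptions constructed for illustration.

```powershell
# Constructed sample of the [Privilege Rights] section written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS   (values are not real data)
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = svc_legacy
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@

# Assumed baseline for this example: the only holders expected for each
# constant. Replace with the assignments your own policy allows.
$baseline = @{
    SeTcbPrivilege    = @()                                # nobody
    SeDebugPrivilege  = @('S-1-5-32-544')                  # Administrators
    SeBackupPrivilege = @('S-1-5-32-544', 'S-1-5-32-551')  # + Backup Operators
}

function Get-UserRightAssignment {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right, $list = $Matches[1], $Matches[2]
            # Comma-separated holders: SIDs carry a leading '*', other entries are account names.
            $holders = @($list -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            [pscustomobject]@{ Right = $right; Holders = $holders }
        }
    }
}

function Find-UnexpectedHolder {
    param([Parameter(Mandatory)][string]$InfText, [Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($a in Get-UserRightAssignment -InfText $InfText) {
        if (-not $Baseline.ContainsKey($a.Right)) { continue }   # right not under review
        foreach ($h in $a.Holders) {
            if ($Baseline[$a.Right] -notcontains $h) {
                [pscustomobject]@{ Right = $a.Right; UnexpectedHolder = $h }
            }
        }
    }
}

Find-UnexpectedHolder -InfText $sampleInf -Baseline $baseline | Format-Table -AutoSize
```

On the constructed sample this reports the extra domain SID on `SeDebugPrivilege` and the `svc_legacy` account on `SeTcbPrivilege`; to check a real host, pass `Get-Content rights.inf -Raw` as `-InfText`.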