User Rights in Server 2012

userrights

Rights are authorized action a user can perform on the system. They are tightly coupled with permissions which are applied at object level. These user rights can be applied through local policies or centralized grouppolicy object. Below are the security related user rights present in Server 2012.

 User Right  Description  Powershell Command (Constant)
 Access Credential Manager as a trusted caller Applies to Credential Manager during backup-related processes. This privilege is assigned to the Winlogon service only and should not be assigned to the account. SeTrustedCredManAccessPrivilege
 Access this computer from the network  Determines whether a user can utilize protocols related to accessing a given computer, such as Service Message Block (SMB), NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)  SeNetworkLogonRight
 Act as part of the operating system  Applies to processes to determine whether they can use a user’s identity to gain access to the privileges granted to that user  SeTcbPrivilege
 Add workstations to domain  Enables a user to add a computer to a domain.  SeMachineAccountPrivilege
 Adjust memory quotas for a process  Enables a user to change the memory used by a process.  SeIncreaseQuotaPrivilege
 Allow logon locally  Enables a user to start an interactive session  SeInteractiveLogonRight
 Allow logon through Remote Desktop Services  Enables a user to log on using Remote Desktop Services.  SeRemoteInteractiveLogonRight
 Back up files and directories  Enables an account to bypass permissions for backup purposes  SeBackupPrivilege
 Bypass traverse checking  Enables an account to traverse an NTFS file system without needing to check the Traverse Folder permission.  SeChangeNotifyPrivilege
 Change the system time  Enables a user to change the time on the local computer. SeSystemtimePrivilege
 Change the time zone  Enables a user to change the time zone on the local computer.  SeTimeZonePrivilege
 Create a pagefile  Enables a user to change settings around the pagefile, including its size. SeCreatePagefilePrivilege
 Create a token object  Enables a process to create a token using the privileged account.  SeCreateTokenPrivilege
 Create global objects  Enables creation of global objects  SeCreateGlobalPrivilege
 Create permanent shared objects  Enables creation of directory objects  SeCreatePermanentPrivilege
 Create symbolic links  Enables an account to create a file system symbolic link.  SeCreateSymbolicLinkPrivilege
 Debug programs  Enables a user to attach to a process for debugging.  SeDebugPrivilege
 Deny access to this computer from the network  Prevents users from accessing the computer.  SeDenyNetworkLogonRight
 Deny logon as a batch job  Prevents an account from logging on using batch-related methods  SeDenyBatchLogonRight
 Deny logon as a service  Prevents an account from logging on as a service  SeDenyServiceLogonRight
 Deny logon locally  Prevents an account from logging on locally at a computer console.  SeDenyInteractiveLogonRight
 Deny logon through Remote Desktop Services  Prevents users from logging on to a computer using Remote Desktop Services. SeDenyRemoteInteractiveLogonRight
 Enable computer and user accounts to be trusted for delegation  Enables a user to set the Trusted for Delegation setting  SeEnableDelegationPrivilege
 Force shutdown from a remote system  Allows a user to shut down a computer when connected remotely  SeRemoteShutdownPrivilege
 Generate security audits  Enables an account to generate audit records in the security log.  SeAuditPrivilege
 Impersonate a client after authentication  Enables a program to impersonate a user or account and act on behalf of that user or account.  SeImpersonatePrivilege
 Increase a process working set  Enables a user to increase the size of a working set of a process.  SeIncreaseWorkingSetPrivilege
 Increase scheduling priority  Enables a user to increase the base priority of a process.  SeIncreaseBasePriorityPrivilege
 Load and unload device drivers  Enables a user to dynamically load or unload device drivers.  SeLoadDriverPackage
 Lock pages in memory  Enables an account to keep data from a process in physical memory.  SeLockMemoryPrivilege
 Log on as a batch job  Enables an account to log on using batch-related methods, including Task Scheduler  SeBatchLogonRight
 Log on as a service  Enables a service account to register a process.  SeServiceLogonRight
 Manage auditing and security log  Enables a user to work with auditing and security log.  SeSecurityPrivilege
 Modify an object label  Enables an account to modify integrity labels used by Windows Integrity Controls (WIC).  SeRelabelPrivilege
 Modify firmware environment values  Enables a user to modify non-volatile RAM (NVRAM) settings.  SeSystemEnvironmentPrivilege
 Perform volume maintenance tasks  Enables a user to do volume- and disk management–related tasks.  SeManageVolumePrivilege
 Profile single process  Enables a user to view performance aspects of a process  SeProfileSingleProcessPrivilege
 Profile system performance  Enables a user to use the Windows Performance Monitor tools.  SeSystemProfilePrivilege
 Remove computer from docking station  Enables a user to undock a computer without logging on.  SeUndockPrivilege
 Replace a process level token  Enables a process to replace an access token of a child process  SeAssignPrimaryTokenPrivilege
 Restore files and directories  Enables a user to bypass the normal permission checks when restoring.  SeRestorePrivilege
 Shut down the system Enables a local user to shut down the system SeShutdownPrivilege
Synchronize directory service data Enables a user to synchronize service data, such as LDAP directory synchronization. SeSyncAgentPrivilege
Take ownership of files or other objects Enables an account to take ownership of objects in the computer. SeTakeOwnershipPrivilege

You can use the above powershell constants with cmdlets to automate the user rights assignment process. MS link to script 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s