NTRIGHTS.exe (Resource Kit, 2000/2003)
Edit user account Privileges.
Syntax
      NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry]

      NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry]

Key:
   +/-r Right       Grant or revoke one of the rights listed below.
   -u UserOrGroup   Who the rights are to be granted or revoked to.
   -m \\Computer    The computer (machine) on which to perform the operation.
                    The default is the local computer.
   -e Entry         Add a text string 'Entry' to the computer's event log.

Below are the Privileges that can be granted or revoked. All are case-sensitive.

   Privilege                         Meaning
   SeAssignPrimaryTokenPrivilege     Replace a process level token
   SeAuditPrivilege                  Generate security audits
   SeBackupPrivilege                 Back up files and directories
   SeBatchLogonRight                 Log on as a batch job
   SeChangeNotifyPrivilege           Bypass traverse checking
   SeCreateGlobalPrivilege           Create global objects*
   SeCreatePagefilePrivilege         Create a pagefile
   SeCreatePermanentPrivilege        Create permanent shared objects
   SeCreateTokenPrivilege            Create a token object
   SeDenyBatchLogonRight             Deny log on as a batch job
   SeDenyInteractiveLogonRight       Deny log on locally
   SeDenyNetworkLogonRight           Deny access this computer from the network
   SeDenyServiceLogonRight           Deny log on as a service
   SeDebugPrivilege                  Debug programs
   SeEnableDelegationPrivilege       Enable computer and user accounts to be trusted for delegation
   SeImpersonatePrivilege            Impersonate a client after authentication*
   SeIncreaseBasePriorityPrivilege   Increase scheduling priority
   SeIncreaseQuotaPrivilege          Increase quotas
   SeInteractiveLogonRight           Log on locally
   SeLoadDriverPrivilege             Load and unload device drivers
   SeLockMemoryPrivilege             Lock pages in memory
   SeMachineAccountPrivilege         Add workstations to domain
   SeNetworkLogonRight               Access this computer from the network
   SeProfileSingleProcessPrivilege   Profile single process
   SeRemoteShutdownPrivilege         Force shutdown from a remote system
   SeRestorePrivilege                Restore files and directories
   SeSecurityPrivilege               Manage auditing and security log
   SeServiceLogonRight               Log on as a service
   SeShutdownPrivilege               Shut down the system
   SeSyncAgentPrivilege              Synchronize directory service data
   SeSystemEnvironmentPrivilege      Modify firmware environment values
   SeSystemProfilePrivilege          Profile system performance
   SeSystemtimePrivilege             Change the system time
   SeTakeOwnershipPrivilege          Take ownership of files or other objects
   SeTcbPrivilege                    Act as part of the operating system
   SeUndockPrivilege                 Remove computer from docking station
   SeUnsolicitedInputPrivilege       Read unsolicited input from a terminal device
This command requires Administrator rights and does not run on NT 4.0
* = Privilege valid in Windows 2003 and above only
Example:
Allow members of the local Users group to log on locally
ntrights -u Users +r SeInteractiveLogonRight
Revoke the above
ntrights -u Users -r SeInteractiveLogonRight
Specifically deny local logon rights to jdoe
ntrights -u jdoe +r SeDenyInteractiveLogonRight
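To confirm the effect of a grant or revoke, the rights assignment can be exported with secedit and read back. The PowerShell below is an added example, not part of the original page or the Resource Kit; the function name ConvertFrom-PrivilegeRights and the sample export are assumptions made for illustration.

```powershell
# Added example: list which accounts hold each user right after an NTRIGHTS change.
# ConvertFrom-PrivilegeRights is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-PrivilegeRights {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only the [Privilege Rights] section holds the rights assignment
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $name = $entry
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading '*'; resolve to a name where possible
                    $sid = $entry.Substring(1)
                    try {
                        $name = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                                    [Security.Principal.NTAccount]).Value
                    } catch { $name = $sid }   # unresolvable SID: report it as-is
                }
                [pscustomobject]@{ Right = $right; Account = $name }
            }
        }
    }
}

# Constructed sample of a secedit export (not taken from a real machine).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = jdoe
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'
ConvertFrom-PrivilegeRights $sample | Where-Object Right -like '*InteractiveLogonRight'

# Live use from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   ConvertFrom-PrivilegeRights (Get-Content "$env:TEMP\rights.inf")
```

An account listed under both SeInteractiveLogonRight (directly or through a group) and SeDenyInteractiveLogonRight cannot log on locally, because the deny right takes precedence.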
"What distinguishes the majority of men from the few is their
inability to act according to their beliefs." - Henry Miller
Related commands:
CACLS - Change file permissions
Q267553 - Reset User Rights in Group Policy
Q315276 - Set Logon User Rights by Using the NTRights