NTRIGHTS.exe – Windows CMD Command
Edit user account privileges.
NTRIGHTS +r Right -u UserOrGroup [-m \\Computer] [-e Entry]
NTRIGHTS -r Right -u UserOrGroup [-m \\Computer] [-e Entry]
+/-r Right Grant or revoke one of the rights listed below.
-u UserOrGroup Who the rights are to be granted or revoked to.
This is the pre-windows 2000 logon name (Max 20 characters)
-m \\Computer The computer (machine) on which to perform the operation.
The default is the local computer.
-e Entry Add a text string 'Entry' to the computer's event log.
This utility does work under all recent versions of Windows, although (like all Resource Kit tools) it is unsupported.
Below are the Privileges that can be granted or revoked, all are Case-Sensitive.
Log on as a batch job SeBatchLogonRight
Deny logon as a batch job SeDenyBatchLogonRight
Log on locally SeInteractiveLogonRight
Deny local logon SeDenyInteractiveLogonRight
Logon as a service SeServiceLogonRight
Deny logon as a service SeDenyServiceLogonRight
Access this Computer from the Network SeNetworkLogonRight
Deny Access to this computer via network SeDenyNetworkLogonRight
Allow logon through RDP/Terminal Services SeRemoteInteractiveLogonRight
Deny logon through RDP/Terminal Services SeDenyRemoteInteractiveLogonRight
System Admin Privileges:
Generate security audits SeAuditPrivilege
Manage auditing and security log SeSecurityPrivilege
Backup files and directories SeBackupPrivilege
Create symbolic links SeCreateSymbolicLinkPrivilege
Add workstations to the domain SeMachineAccountPrivilege
Shut down the system SeShutdownPrivilege
Force shutdown from a remote system SeRemoteShutdownPrivilege
Create a pagefile SeCreatePagefilePrivilege
Increase quotas SeIncreaseQuotaPrivilege
Restore files and directories SeRestorePrivilege
Change the system time SeSystemTimePrivilege
Change the time zone SeTimeZonePrivilege
Take ownership of files/objects SeTakeOwnershipPrivilege
Enable computer/user accounts
to be trusted for delegation SeEnableDelegationPrivilege
Remove computer from docking station SeUndockPrivilege
Create permanent shared objects SeCreatePermanentPrivilege
Create a token object SeCreateTokenPrivilege
Replace a process-level token SeAssignPrimaryTokenPrivilege
Impersonate a client after authentication SeImpersonatePrivilege
Increase scheduling priority SeIncreaseBasePriorityPrivilege
Act as part of the operating system SeTcbPrivilege
Profile a single process SeProfileSingleProcessPrivilege
Load and unload device drivers SeLoadDriverPrivilege
Lock pages in memory SeLockMemoryPrivilege
Create global objects SeCreateGlobalPrivilege
Debug programs SeDebugPrivilege
Bypass traverse checking SeChangeNotifyPrivilege
Synch directory service data SeSyncAgentPrivilege
Edit firmware environment values SeSystemEnvironmentPrivilege
Perform volume maintenance tasks SeManageVolumePrivilege
Profile system performance SeSystemProfilePrivilege
Obsolete and unused SeUnsolicitedInputPrivilege (has no effect)
The Se_Deny… rights will override the corresponding account rights.
A Se_Deny… right will override any logon rights that an account may inherit as a result of its group membership(s).
To run NTRIGHTS you need to be an administrator.
To change privileges remotely (-m option) you need to have administrator rights on the machine being changed.
It is often helpful to grant the privileges to a named group, e.g. grant SeServiceLogonRight to a group called ServiceAccounts, then add individual user accounts to that group.
The group policy editor can be used to view these privileges in a GUI.
On a Windows 2008 Server (or Vista), allowing logon through Terminal Services (SeRemoteInteractiveLogonRight) requires an extra step: Control Panel > System > ‘Remote Settings’ > ‘Select Users’ button, and then add users/groups.
Allow all members of the local 'Users' group to logon locally:
ntrights -u Users +r SeInteractiveLogonRight
Allow members of the domain group 'Admin-RDP' to logon remotely via RDP to "serverF4T", also log this security change in the event log:
ntrights -u F4TDom\Admin-RDP +r SeRemoteInteractiveLogonRight -m \\server64 -e "Added RDP rights for Admin-RDP"
Allow the domain user 'Ashley' the right to run a batch (Scheduled Task) on ServerF4T:
ntrights -u F4TDom\Ashley +r SeBatchLogonRight -m \\serverF4T
Allow all members of the domain group 'Admin-Local' to shutdown this computer:
ntrights -u F4TDom\Admin-Local +r SeShutdownPrivilege
Allow the domain user 'JDoe' to shutdown the machine 'ServerF4T' :
ntrights -u F4TDom\JDoe +r SeShutdownPrivilege -m \\ServerF4T
Allow any Interactive user of the local machine the right to change the system time:
ntrights -u INTERACTIVE +r SeSystemtimePrivilege
Specifically deny local logon rights to Henry:
ntrights -u Henry +r SeDenyInteractiveLogonRight