Microsoft KB Archive/101366

= Definition and List of Windows NT Advanced User Rights =

PSS ID Number: 101366

Article Last Modified on 11/20/2003

-

The information in this article applies to:


 * Microsoft Windows NT Server 3.1
 * Microsoft Windows NT Workstation 3.1
 * Microsoft Windows NT Advanced Server 3.1

-



This article was previously published under Q101366



The text below defines the advanced user rights that the Windows NT User Manager controls. To administer these rights, run User Manager and choose User Rights from the Policies menu. Then choose Show Advanced User Rights.

The advanced user rights are as follows:

To Act as Part of the Operating System
SE_TCB_NAME SeTcbPrivilege The user can act as a trusted part of the operating system. Some subsystems have this privilege granted to them.

Bypass Traverse Checking
SE_CHANGE_NOTIFY_NAME SeChangeNotifyPrivilege The user can traverse a directory tree even if the user has no other rights to access that directory. Denies access to users in POSIX applications.

Create a Pagefile
SE_CREATE_PAGEFILE_NAME SeCreatePagefilePrivilege The user can create a pagefile.

Create a Token Object
SE_CREATE_TOKEN_NAME SeCreateTokenPrivilege The user can create access tokens. Only the Local Security Authority can have this privilege.

Create Permanent Shared Objects
SE_CREATE_PERMANENT_NAME SeCreatePermanentPrivilege The user can create special permanent objects used in Windows NT, such as \\Device. For more information, please refer to the book "Inside Windows NT" (Microsoft Press).

Debug Programs
SE_DEBUG_NAME SeDebugPrivilege The user can debug applications.

Generate Security Audits
SE_AUDIT_NAME SeAuditPrivilege The user can generate audit-log entries.

Increase Quotas
SE_INCREASE_QUOTA_NAME SeIncreaseQuotaPrivilege The user can increase object quotas. Each object has a quota assigned to it.

Increase Scheduling Priority
SE_INC_BASE_PRIORITY_NAME SeIncreaseBasePriorityPrivilege The user can boost the scheduling priority of a process.

Load and Unload Device Drivers
SE_LOAD_DRIVER_NAME SeLoadDriverPrivilege The user can load and unload device drivers.

Lock Pages in Memory
SE_LOCK_MEMORY_NAME SeLockMemoryPrivilege The user can lock pages in memory to prevent them from being paged out into backing store (such as PAGEFILE.SYS).

Log on as a Batch Job
SECURITY_BATCH_RID SeBatchSid The user can log on to the system as a batch queue facility. This is a group identifier (S-1-5-3).

Log on as a Service
SECURITY_SERVICE_RID SeServiceSid The user can perform security services (S-1-5-4). The user that performs replication logs on as a service.

Modify Firmware Environment Variables
SE_SYSTEM_ENVIRONMENT_NAME SeSystemEnvironmentPrivilege The user can modify system environment variables (not user environment variables).

Profile Single Process
SE_PROF_SINGLE_PROCESS_NAME SeProfileSingleProcessPrivilege The user can use Windows NT profiling capabilities to observe a process.

Profile System Performance
SE_SYSTEM_PROFILE_NAME SeSystemProfilePrivilege The user can use Windows NT profiling capabilities to observe the system.

Receive Unsolicited Device Input
SE_UNSOLICITED_INPUT_NAME SeUnsolicitedInputPrivilege The user can read unsolicited data from a terminal device.

Replace a Process Level Token
SE_ASSIGNPRIMARYTOKEN_NAME SeAssignPrimaryTokenPrivilege The user can modify a process' access token.

Additional query words: prodnt rights adv event 576 audit category

Keywords: kbnetwork KB101366

Technology: kbWinNT310Search kbWinNTAdvSerSearch kbWinNTAdvServ310 kbWinNTS310 kbWinNTS310search kbWinNTsearch kbWinNTSsearch kbWinNTW310 kbWinNTW310Search kbWinNTWsearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.