This article was previously published under Q101366

The text below defines the advanced user rights that the Windows NT User Manager controls. To administer these rights, run User Manager and choose User Rights from the Policies menu. Then choose Show Advanced User Rights.

The advanced user rights are as follows:

To Act as Part of the Operating System

SE_TCB_NAME
SeTcbPrivilege
        

The user can act as a trusted part of the operating system. Some subsystems have this privilege granted to them.

Bypass Traverse Checking

SE_CHANGE_NOTIFY_NAME
SeChangeNotifyPrivilege
        

The user can traverse a directory tree even if the user has no other rights to access that directory. Denies access to users in POSIX applications.

Create a Pagefile

SE_CREATE_PAGEFILE_NAME
SeCreatePagefilePrivilege
        

The user can create a pagefile.

Create a Token Object

SE_CREATE_TOKEN_NAME
SeCreateTokenPrivilege
        

The user can create access tokens. Only the Local Security Authority can have this privilege.

Create Permanent Shared Objects

SE_CREATE_PERMANENT_NAME
SeCreatePermanentPrivilege
        

The user can create special permanent objects used in Windows NT, such as \\Device. For more information, please refer to the book "Inside Windows NT" (Microsoft Press).

Debug Programs

SE_DEBUG_NAME
SeDebugPrivilege
        

The user can debug applications.

Generate Security Audits

SE_AUDIT_NAME
SeAuditPrivilege
        

The user can generate audit-log entries.

Increase Quotas

SE_INCREASE_QUOTA_NAME
SeIncreaseQuotaPrivilege
        

The user can increase object quotas. Each object has a quota assigned to it.

Increase Scheduling Priority

SE_INC_BASE_PRIORITY_NAME
SeIncreaseBasePriorityPrivilege
        

The user can boost the scheduling priority of a process.

Load and Unload Device Drivers

SE_LOAD_DRIVER_NAME
SeLoadDriverPrivilege
        

The user can load and unload device drivers.

Lock Pages in Memory

SE_LOCK_MEMORY_NAME
SeLockMemoryPrivilege
        

The user can lock pages in memory to prevent them from being paged out into backing store (such as PAGEFILE.SYS).

Log on as a Batch Job

SECURITY_BATCH_RID
SeBatchSid
        

The user can log on to the system as a batch queue facility. This is a group identifier (S-1-5-3).

Log on as a Service

SECURITY_SERVICE_RID
SeServiceSid
        

The user can perform security services (S-1-5-4). The user that performs replication logs on as a service.

Modify Firmware Environment Variables

SE_SYSTEM_ENVIRONMENT_NAME
SeSystemEnvironmentPrivilege
        

The user can modify system environment variables (not user environment variables).

Profile Single Process

SE_PROF_SINGLE_PROCESS_NAME
SeProfileSingleProcessPrivilege
        

The user can use Windows NT profiling capabilities to observe a process.

Profile System Performance

SE_SYSTEM_PROFILE_NAME
SeSystemProfilePrivilege
        

The user can use Windows NT profiling capabilities to observe the system.

Receive Unsolicited Device Input

SE_UNSOLICITED_INPUT_NAME
SeUnsolicitedInputPrivilege
        

The user can read unsolicited data from a terminal device.

Replace a Process Level Token

SE_ASSIGNPRIMARYTOKEN_NAME
SeAssignPrimaryTokenPrivilege
        

The user can modify a process' access token.