Cmd:ntrights
From Ben's Writing
ntrights.exe is a console-based program used to grant or revoke rights to a user or group.
```
NTRights.Exe - Beta Version by Georg Zanzen
Grants/Revokes NT-Rights to a user/group
usage: -u xxx User/Group
-m \\xxx machine to perform the operation on (default local machine)
-e xxxxx Add xxxxx to the event log
-r xxx revokes the xxx right
+r xxx grants the xxx right
valid NTRights are:
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
```
Note that the user rights are all case sensitive.
In addition to the above privileges, I've found the following right to work as well:
SeBatchLogonRight
The MSDN supports this finding and says that "[t]he help output for ntrights.exe does not list all the logon rights that can be modified."
| User Right | Friendly Name |
|---|---|
| SeNetworkLogonRight | Access this computer from the network |
| SeInteractiveLogonRight | Log on locally |
| SeBatchLogonRight | Log on as a batch job |
| SeServiceLogonRight | Log on as a service |
| SeDenyNetworkLogonRight | Deny access this computer from the network |
| SeDenyInteractiveLogonRight | Deny log on locally |
| SeDenyBatchLogonRight | Deny log on as a batch job |
| SeDenyServiceLogonRight | Deny log on as a service |
So, for instance, we can write:

```
ntrights.exe -u condor-reuse-slot1 -r SeBatchLogonRight
```

to remove a user's right to log on as a batch job.
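
One way to confirm the result of a grant or revoke like the one above, as an added example (not part of the original page or of ntrights itself): it checks the right name case-sensitively against the logon rights in the table, then lists the accounts holding that right on the local machine from a `secedit /export` dump. The helper names `Test-RightName` and `Get-RightHolders` are hypothetical, and an elevated PowerShell session with the built-in `secedit` tool is assumed.

```powershell
# Added example: audit who holds a logon right before and after running ntrights.
# Right names are copied from the table on this page; helper names are hypothetical.
$LogonRights = @(
    'SeNetworkLogonRight', 'SeInteractiveLogonRight', 'SeBatchLogonRight',
    'SeServiceLogonRight', 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight',
    'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
)

function Test-RightName {
    param([Parameter(Mandatory)][string]$Name)
    # Right names are case sensitive, so use the case-sensitive -ccontains.
    return $LogonRights -ccontains $Name
}

function Get-RightHolders {
    param([Parameter(Mandatory)][string]$Right)
    if (-not (Test-RightName $Right)) {
        throw "Unknown or mis-cased right name: '$Right'"
    }
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit $LASTEXITCODE); is the session elevated?"
        }
        # Lines look like: SeBatchLogonRight = *S-1-5-32-544,someuser
        $line = Get-Content $cfg | Where-Object { $_ -cmatch "^$Right\s*=" }
        if (-not $line) { return }   # the right is assigned to nobody
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object {
                $entry = $_
                if (-not $entry.StartsWith('*S-')) { return $entry }
                # Entries prefixed with '*' are SIDs; resolve them where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry }     # SID no longer maps to an account
            }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Run once before and once after the ntrights command and compare the lists.
Get-RightHolders -Right 'SeBatchLogonRight'
```

Entries that stay in `*S-...` form are SIDs that no longer resolve to an account, which is worth reviewing when cleaning up rights assignments.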