Windows NT User Rights

This appendix describes the advanced user rights defined by Windows NT. The descriptions shown in the Policy column appear in the User Rights Policy dialog box of User Manager. The Description column also identifies which users are granted each user right by default.

| User Right | Policy | Description |
| --- | --- | --- |
| SeTcbPrivilege | Act as part of the operating system | The user can perform as a secure, trusted part of the operating system. Some subsystems are granted this privilege. Granted by default: None |
| SeChangeNotifyPrivilege | Bypass traverse checking | The user can traverse directory trees. Deny access to users using POSIX applications. Granted by default: Everyone |
| SeCreatePagefilePrivilege | Create a pagefile | The user can create a page file (not available in this version of Windows NT). Security is determined by a user's access to the ..\CurrentControlSet\Control\Session Management key. Granted by default: None |
| SeCreateTokenPrivilege | Create a token object | Required to create access tokens. Only the Local Security Authority can do this. Granted by default: None |
| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create special permanent objects, such as \\Device, which are used within Windows NT. Granted by default: None |
| SeDebugPrivilege | Debug programs | The user can debug various low-level objects such as threads. Granted by default: Administrators |
| SeAuditPrivilege | Generate security audits | Required to generate security audit log entries. Granted by default: None |
| SeIncreaseQuotaPrivilege | Increase quotas | Required to increase object quotas (not available in this version of Windows NT). Granted by default: None |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | The user can boost the priority of a process. Granted by default: Administrators and Power Users |
| SeLoadDriverPrivilege | Load and unload device drivers | The user can load and unload device drivers. Granted by default: Administrators |
| SeLockMemoryPrivilege | Lock pages in memory | The user can lock pages in memory so they cannot be paged out to a backing store such as PAGEFILE.SYS. Because physical memory is a limited resource, locking pages can lead to greater disk thrashing, as the number of physical pages available to other applications is reduced. Granted by default: None |
| No Name | Log on as a batch job | The user can log on using a batch queue facility (not available in this version of Windows NT). Granted by default: None |
| No Name | Log on as a service | The user can perform security services. Granted by default: None |
| SeSystemEnvironmentPrivilege | Modify Firmware environment variables | The user can modify system environment variables (not user environment variables). Granted by default: Administrators |
| SeProfileSingleProcessPrivilege | Profile single process | The user can use the profiling (performance sampling) capabilities of Windows NT on a process. Granted by default: Administrators and Power Users |
| SeSystemProfilePrivilege | Profile system performance | The user can use the profiling capabilities of Windows NT on the system. (This can slow the system down.) Granted by default: Administrators |
| SeAssignPrimaryTokenPrivilege | Replace a process level token | Required to modify a process's security access token. This is a powerful privilege used only by the system. Granted by default: None |