This appendix describes the advanced user rights defined by Windows NT. The descriptions shown in the Policy column appear in the User Rights Policy dialog box of User Manager. The description column also identifies which users are granted this user right by default.
User Right | Policy | Description |
SeTcbPrivilege | Act as part of the operating system | The user can use to perform as a secure, trusted part of the operating system. Some subsystems are granted this privilege. |
SeChangeNotifyPrivilege | Bypass traverse checking | The user can traverse directory trees. Deny access to users using POSIX applications. |
SeCreatePagefilePrivilege | Create a pagefile | The user can create a page file (not available in this version of Windows NT). Security is determined by a users access to the ..\CurrentControlSet\Control\Session Management key. |
SeCreateTokenPrivilege | Create a token object | Required to create access tokens. Only the Local Security Authority can do this. |
SeCreatePermanentPrivilege | Create permanent shared objects | Required to create special permanent objects, such as \\Device, which are used within Windows NT. |
SeDebugPrivilege | Debug programs | The user can debug various low-level objects such as threads. |
SeAuditPrivilege | Generate security audits | Required to generate security audit log entries. |
SeIncreaseQuotaPrivilege | Increase quotas | Required to increase object quotas (not available in this version of Windows NT). |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority | The user can boost the priority of a process. |
SeLoadDriverPrivilege | Load and unload device drivers | The user can load an unload device drivers. |
SeLockMemoryPrivilege | Lock pages in memory | The user can lock pages in memory so they cannot be paged out to a backing store such as PAGEFILE.SYS. As physical memory is a limited resource, locking pages can lead to greater disk thrashing as essentially the amount of physical pages available to other applications is reduced. |
No Name | Log on as a batch job | The user can log on using a batch queue facility (not available in this version of Windows NT). |
No Name | Log on as a service | The user can perform security services. |
SeSystemEnvironmentPrivilege | Modify Firmware environment variables | The user can modify system environment variables (not user environment variables). |
SeProfileSingleProcessPrivilege | Profile single process | The user can use the profiling (performance sampling) capabilities of Windows NT on a process. |
SeSystemProfilePrivilege | Profile system performance | The user can use the profiling capabilities of Windows NT on the system. (This can slow the system down.) |
SeAssignPrimaryTokenPrivilege | Replace a process level token | Required to modify a process's security access token. This is a powerful privilege used only by the system. |