Auditing User Right Assignment Changes

Last reviewed: February 5, 1998
Article ID: Q163905

The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

Windows NT can audit when a user or group is added to or removed from a User Right. To audit these actions, select the Security Policy Changes auditing category in User Manager, on the Policies menu under Auditing. This is the only audit category needed to audit these specific actions. The only other category that adds security events is File and Object Access, but those events simply show objects being opened and handles being closed for the user account access that populates the Add Users and Groups dialog boxes.

MORE INFORMATION

Below is sample output from the Security Event Log when a user is added to each User Right. Although User Manager does not differentiate between User Privileges and Rights, only Privileges are currently audited. Actions that are not audited are actually "rights."

  • Access this computer from the network: no events

  • Act as part of the operating system: (Advanced Right)

    2/17/97 2:29:19 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeTcbPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)

  • Add workstations to domain:

    2/17/97 2:18:11 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeMachineAccountPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Back up files and directories:

    2/17/97 2:19:03 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeBackupPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Bypass traverse checking: (Advanced Right)

    2/17/97 2:30:06 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeChangeNotifyPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Change the system time:

    2/17/97 2:19:57 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemtimePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Create a pagefile: (Advanced Right)

    2/17/97 2:30:57 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreatePagefilePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Create a token object: (Advanced Right)

    2/17/97 2:31:45 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreateTokenPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Create permanent shared objects: (Advanced Right)

    2/17/97 2:32:40 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreatePermanentPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Debug programs: (Advanced Right)

    2/17/97 2:33:41 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeDebugPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Force shutdown from a remote system:

    2/17/97 2:20:46 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeRemoteShutdownPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Generate security audits: (Advanced Right)

    2/17/97 2:34:31 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeAuditPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Increase quotas: (Advanced Right)

    2/17/97 2:35:12 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeIncreaseQuotaPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Increase scheduling priority: (Advanced Right)

    2/17/97 2:35:52 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeIncreaseBasePriorityPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Load and unload device drivers:

    2/17/97 2:21:43 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeLoadDriverPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Lock pages in memory: (Advanced Right)

    2/17/97 2:36:57 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeLockMemoryPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Log on as a batch job: (Advanced Right) no events

  • Log on as a service: (Advanced Right) no events

  • Log on locally: no events

  • Manage auditing and security log:

    2/17/97 2:25:18 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeSecurityPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Modify firmware environment values: (Advanced Right)

    2/17/97 2:41:54 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemEnvironmentPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Profile single process: (Advanced Right)

    2/17/97 3:20:18 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeProfileSingleProcessPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Profile system performance: (Advanced Right)

    2/17/97 3:21:11 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemProfilePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Replace a process level token: (Advanced Right)

    2/17/97 3:21:57 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeAssignPrimaryTokenPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Restore files and directories:

    2/17/97 2:26:13 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeRestorePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Shut down the system:

    2/17/97 2:27:00 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeShutdownPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
    
    

  • Take ownership of files or other objects:

    2/17/97 2:27:41 PM Security Success Audit Policy Change 608

       randymc  RANDYMC1 User Right Assigned:
       User Right: SeTakeOwnershipPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
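
The records above share one layout, so they can be parsed mechanically. The following is an added example, not part of the original article: it parses event 608 text in that layout and flags grants of privileges on a watch list. The watch list and the function names are assumptions made for illustration.

```python
import re

HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2}) (\d{1,2}:\d{2}:\d{2} [AP]M) "
                    r"Security Success Audit Policy Change (\d+)$")
# Assumption: an illustrative watch list, not a classification from the article.
SENSITIVE = {"SeTcbPrivilege", "SeDebugPrivilege", "SeCreateTokenPrivilege",
             "SeLoadDriverPrivilege", "SeSecurityPrivilege",
             "SeTakeOwnershipPrivilege"}

# Record layout as shown in the article; only timestamp and right vary.
RECORD = """\
{when} Security Success Audit Policy Change 608
   randymc  RANDYMC1 User Right Assigned:
   User Right: {right}
   Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
   Assigned By:
   User Name:  randymc
   Domain:     RANDYMCD
   Logon ID:   (0x0,0x1EDC)
"""
SAMPLE_LOG = (RECORD.format(when="2/17/97 2:33:41 PM", right="SeDebugPrivilege")
              + RECORD.format(when="2/17/97 2:27:00 PM", right="SeShutdownPrivilege"))

def parse_events(text):
    """Split the flattened log text into one dict per event record."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"date": header.group(1), "time": header.group(2),
                       "event_id": int(header.group(3))}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            if value.strip():  # skips "Assigned By:" and the title line
                current[key.strip()] = value.strip()
    return events

def flag_sensitive(events):
    """Return event 608 records that grant a privilege on the watch list."""
    return [e for e in events
            if e["event_id"] == 608 and e.get("User Right") in SENSITIVE]
```

Because the four logon rights listed above write no event, an empty result from this check does not show that those rights were left unchanged.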
    
Keywords          : ntdomain NTSrvWkst kbenv
Version           : WinNT:3.5,3.51,4.0
Platform          : winnt
Hardware          : x86
Issue type        : kbinfo
