Platform SDK: Access Control

Account Rights

Account rights, like privileges, determine the operations that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user or to groups to which the user belongs.

A system administrator can use the Lsa functions to work with account rights. The LsaAddAccountRights and LsaRemoveAccountRights functions add account rights to, or remove them from, an account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified account right.

Note: All of the Lsa functions mentioned above support both account rights and Windows NT privileges. Unlike privileges, however, account rights are not supported by the LookupPrivilegeValue and LookupPrivilegeName functions. The GetTokenInformation function returns information about account rights when TokenGroups, not TokenPrivileges, is specified as the value of the TokenInformationClass parameter.

The following account right constants control an account's ability to log on. The LogonUser and LsaLogonUser functions fail if the account being logged on does not hold the account right required for the type of logon being performed.

The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right to an account to override any logon rights that an account might have as a result of a group membership. For example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.

Account right constant           Description
SE_INTERACTIVE_LOGON_NAME        Required for an account to log on using the interactive logon type.
SE_NETWORK_LOGON_NAME            Required for an account to log on using the network logon type.
SE_BATCH_LOGON_NAME              Required for an account to log on using the batch logon type.
SE_SERVICE_LOGON_NAME            Required for an account to log on using the service logon type.
SE_DENY_INTERACTIVE_LOGON_NAME   Explicitly denies an account the right to log on using the interactive logon type.
SE_DENY_NETWORK_LOGON_NAME       Explicitly denies an account the right to log on using the network logon type.
SE_DENY_BATCH_LOGON_NAME         Explicitly denies an account the right to log on using the batch logon type.
SE_DENY_SERVICE_LOGON_NAME       Explicitly denies an account the right to log on using the service logon type.

The preceding account right constants are defined as strings in Ntsecapi.h. For example, the SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".
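The string form of these constants is what the Lsa functions take. As an added example (not code from the Platform SDK page), the following PowerShell script calls LsaEnumerateAccountsWithUserRight through P/Invoke to audit which accounts hold a given right, here the SE_DENY_NETWORK_LOGON_NAME right "SeDenyNetworkLogonRight". The Audit.LsaRights type and Get-AccountsWithRight function are my own names; the access mask combines POLICY_VIEW_LOCAL_INFORMATION (0x1) and POLICY_LOOKUP_NAMES (0x800) from Ntsecapi.h.

```powershell
# Added example (not from the Platform SDK page): list the accounts that hold an account right,
# e.g. SeDenyNetworkLogonRight, via LsaEnumerateAccountsWithUserRight. Run elevated.
Add-Type -Namespace Audit -Name LsaRights -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct LSA_UNICODE_STRING {
    public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
[StructLayout(LayoutKind.Sequential)] public struct LSA_OBJECT_ATTRIBUTES {
    public int Length; public IntPtr RootDirectory; public IntPtr ObjectName; public uint Attributes;
    public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; }
[StructLayout(LayoutKind.Sequential)] public struct LSA_ENUMERATION_INFORMATION { public IntPtr Sid; }
[DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
    ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
[DllImport("advapi32.dll")] public static extern uint LsaEnumerateAccountsWithUserRight(IntPtr PolicyHandle,
    ref LSA_UNICODE_STRING UserRight, out IntPtr Buffer, out int CountReturned);
[DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);
[DllImport("advapi32.dll")] public static extern uint LsaFreeMemory(IntPtr Buffer);
[DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle);
'@
function Get-AccountsWithRight {
    param([Parameter(Mandatory)][string]$Right)   # string form of the constant, e.g. 'SeDenyNetworkLogonRight'
    $M = [Runtime.InteropServices.Marshal]
    $attrs = New-Object 'Audit.LsaRights+LSA_OBJECT_ATTRIBUTES'
    $policy = [IntPtr]::Zero
    # POLICY_VIEW_LOCAL_INFORMATION (0x1) | POLICY_LOOKUP_NAMES (0x800): the access this enumeration needs
    $st = [Audit.LsaRights]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, 0x801, [ref]$policy)
    if ($st -ne 0) { throw "LsaOpenPolicy failed, Win32 error $([Audit.LsaRights]::LsaNtStatusToWinError($st))" }
    # LSA_UNICODE_STRING lengths are byte counts that exclude the terminating null
    $name = New-Object 'Audit.LsaRights+LSA_UNICODE_STRING'
    $name.Buffer = $M::StringToHGlobalUni($Right)
    $name.Length = [uint16]($Right.Length * 2); $name.MaximumLength = [uint16]($name.Length + 2)
    $buf = [IntPtr]::Zero; $count = 0
    try {
        $st = [Audit.LsaRights]::LsaEnumerateAccountsWithUserRight($policy, [ref]$name, [ref]$buf, [ref]$count)
        if ($st -eq 0x8000001A) { return }   # STATUS_NO_MORE_ENTRIES: no account holds this right
        if ($st -ne 0) { throw "Enumeration failed, Win32 error $([Audit.LsaRights]::LsaNtStatusToWinError($st))" }
        $type = [type]'Audit.LsaRights+LSA_ENUMERATION_INFORMATION'; $size = $M::SizeOf($type)
        for ($i = 0; $i -lt $count; $i++) {   # the buffer is an array of one-SID entries
            $entry = $M::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), $type)
            $sid = New-Object Security.Principal.SecurityIdentifier($entry.Sid)
            try { $who = $sid.Translate([Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
            [pscustomobject]@{ Right = $Right; Account = $who; Sid = $sid.Value }
        }
    } finally {
        if ($buf -ne [IntPtr]::Zero) { [void][Audit.LsaRights]::LsaFreeMemory($buf) }
        $M::FreeHGlobal($name.Buffer); [void][Audit.LsaRights]::LsaClose($policy)
    }
}

# Accounts explicitly denied network logon; for them, any grant inherited from a group is overridden.
Get-AccountsWithRight -Right 'SeDenyNetworkLogonRight' | Format-Table -AutoSize
```

Passing any of the other string constants (for example "SeServiceLogonRight") to Get-AccountsWithRight audits that right in the same way.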