Platform SDK: Access Control
Account rights, like privileges, determine the operations that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user or to groups to which the user belongs.
A system administrator can use the Lsa functions to work with account rights. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove account rights from an account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified account right.
Note All of the Lsa functions mentioned above support both account rights and Windows NT privileges. Unlike privileges, however, account rights are not supported by the LookupPrivilegeValue and LookupPrivilegeName functions, and GetTokenInformation does not report them when TokenPrivileges is specified as the value of the TokenInformationClass parameter. What the token does carry is the membership that account rights are evaluated against: specify TokenGroups to retrieve the group SIDs, then enumerate the rights assigned to the user SID and to each group SID with LsaEnumerateAccountRights.
The following account right constants control an account's ability to log on. The LogonUser and LsaLogonUser functions fail if the account being logged on does not hold the account right required for the type of logon being performed.
An SE_DENY right takes precedence over the corresponding logon right. An administrator can assign an SE_DENY right to an account to override a logon right that the account would otherwise hold through group membership. For example, you could assign SE_NETWORK_LOGON_NAME to Everyone but assign SE_DENY_NETWORK_LOGON_NAME to Administrators: members of Administrators are then refused network logons even though they are also members of Everyone, which prevents remote administration of those computers.
Account right constant | Description |
---|---|
SE_INTERACTIVE_LOGON_NAME | Required for an account to log on using the interactive logon type. |
SE_NETWORK_LOGON_NAME | Required for an account to log on using the network logon type. |
SE_BATCH_LOGON_NAME | Required for an account to log on using the batch logon type. |
SE_SERVICE_LOGON_NAME | Required for an account to log on using the service logon type. |
SE_DENY_INTERACTIVE_LOGON_NAME | Explicitly denies an account the right to log on using the interactive logon type. |
SE_DENY_NETWORK_LOGON_NAME | Explicitly denies an account the right to log on using the network logon type. |
SE_DENY_BATCH_LOGON_NAME | Explicitly denies an account the right to log on using the batch logon type. |
SE_DENY_SERVICE_LOGON_NAME | Explicitly denies an account the right to log on using the service logon type. |
The preceding account right constants are defined as strings in Ntsecapi.h. For example, the SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight", and SE_DENY_INTERACTIVE_LOGON_NAME as "SeDenyInteractiveLogonRight"; these strings are what the Lsa functions accept and return.
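The following PowerShell script is an added example, not code from this SDK page or from Microsoft. It calls LsaOpenPolicy and LsaEnumerateAccountRights through P/Invoke to list the account rights assigned to the current token's user SID and to each of its group SIDs (the membership that TokenGroups reports), and then resolves the effective result for each logon type the way the text above describes: the allow right may be held through any of those SIDs, and a matching SE_DENY right held through any of them overrides it. The right names are the Ntsecapi.h strings ("SeNetworkLogonRight", "SeDenyNetworkLogonRight", and so on). The P/Invoke class LsaNative and the functions Get-LsaAccountRights and Test-EffectiveLogonRight are names chosen for this example; the advapi32 calls, structures and access masks are the real Win32 ones.

```powershell
# Added example (not from the SDK page): resolve effective logon rights for the current
# token. LsaNative, Get-LsaAccountRights and Test-EffectiveLogonRight are this example's
# own names; the Win32 calls are the real advapi32 LSA API.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LsaNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    public const uint POLICY_LOOKUP_NAMES = 0x00000800;
    public const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;
    [DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle,
        byte[] AccountSid, out IntPtr UserRights, out uint CountOfRights);
    [DllImport("advapi32.dll")] public static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);
}
"@

function Get-LsaAccountRights {
    # Account rights assigned directly to one SID, as Ntsecapi.h strings such as "SeNetworkLogonRight".
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $attrs  = New-Object -TypeName 'LsaNative+LSA_OBJECT_ATTRIBUTES'   # zeroed: local policy, no flags
    $policy = [IntPtr]::Zero
    $status = [LsaNative]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, [LsaNative]::POLICY_LOOKUP_NAMES, [ref]$policy)
    if ($status -ne 0) { throw "LsaOpenPolicy failed (Win32 error $([LsaNative]::LsaNtStatusToWinError($status)))" }
    try {
        $sidBytes = New-Object byte[] $Sid.BinaryLength
        $Sid.GetBinaryForm($sidBytes, 0)
        $rightsPtr = [IntPtr]::Zero
        $count     = [uint32]0
        $status = [LsaNative]::LsaEnumerateAccountRights($policy, $sidBytes, [ref]$rightsPtr, [ref]$count)
        # A SID with no rights assigned is reported as STATUS_OBJECT_NAME_NOT_FOUND, not as an empty list.
        if ($status -eq [LsaNative]::STATUS_OBJECT_NAME_NOT_FOUND) { return @() }
        if ($status -ne 0) { throw "LsaEnumerateAccountRights failed (Win32 error $([LsaNative]::LsaNtStatusToWinError($status)))" }
        try {
            $entryType = [LsaNative+LSA_UNICODE_STRING]
            $entrySize = [Runtime.InteropServices.Marshal]::SizeOf($entryType)
            $rights = for ($i = 0; $i -lt $count; $i++) {
                $addr  = [IntPtr]($rightsPtr.ToInt64() + $i * $entrySize)
                $entry = [Runtime.InteropServices.Marshal]::PtrToStructure($addr, $entryType)
                # LSA_UNICODE_STRING.Length is a byte count and the buffer is not NUL-terminated.
                [Runtime.InteropServices.Marshal]::PtrToStringUni($entry.Buffer, [int]($entry.Length / 2))
            }
            return @($rights)
        }
        finally { [void][LsaNative]::LsaFreeMemory($rightsPtr) }
    }
    finally { [void][LsaNative]::LsaClose($policy) }
}

function Test-EffectiveLogonRight {
    # One logon type, evaluated over the user SID and every group SID in the current token:
    # the allow right may come from any of them, and a matching SE_DENY right on any of them wins.
    param([Parameter(Mandatory)][ValidateSet('Interactive','Network','Batch','Service')][string]$LogonType)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $held = @{}   # right name -> account names through which the token holds it
    foreach ($sid in (@($identity.User) + @($identity.Groups))) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # e.g. a logon session SID has no account name
        foreach ($right in (Get-LsaAccountRights -Sid $sid)) {
            if (-not $held.ContainsKey($right)) { $held[$right] = @() }
            $held[$right] += $name
        }
    }
    $allow = "Se${LogonType}LogonRight"
    $deny  = "SeDeny${LogonType}LogonRight"
    [pscustomobject]@{
        LogonType  = $LogonType
        GrantedVia = ($held[$allow] -join ', ')
        DeniedVia  = ($held[$deny]  -join ', ')
        Permitted  = $held.ContainsKey($allow) -and -not $held.ContainsKey($deny)
    }
}

'Interactive', 'Network', 'Batch', 'Service' |
    ForEach-Object { Test-EffectiveLogonRight -LogonType $_ } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; a caller without access to the policy object gets an access-denied error from LsaOpenPolicy or LsaEnumerateAccountRights. To see the precedence rule in action, assign SeDenyNetworkLogonRight to a group the account belongs to (Local Security Policy, User Rights Assignment, "Deny access to this computer from the network") and rerun: Permitted for Network becomes False while GrantedVia still lists the group, typically Everyone or Users, through which SeNetworkLogonRight is held. LsaAddAccountRights and LsaRemoveAccountRights take the same kind of policy handle, opened with POLICY_CREATE_ACCOUNT as well as POLICY_LOOKUP_NAMES for adding, together with an array of LSA_UNICODE_STRING right names; they are omitted here so the script stays read-only.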