Account Rights

Account rights, like privileges, determine the operations that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user or to groups to which the user belongs.

A system administrator can use the Lsa functions to work with account rights. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove account rights from an account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified account right.

Note  All of the Lsa functions mentioned above support both account rights and Windows NT privileges. Unlike privileges, however, account rights are not supported by the LookupPrivilegeValue and LookupPrivilegeName functions. The GetTokenInformation function will obtain information on account rights if TokenGroups is specified as the value of the TokenInformationClass parameter, and not TokenPrivileges.

The following account right constants are used to control an account's ability to log on. The LogonUser or LsaLogonUser functions fail if the account being logged on does not have the account rights required for the type of logon being performed.

The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right to an account to override any logon rights that an account might have as a result of a group membership. For example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.

The preceding account right constants are defined as strings in Ntsecapi.h. For example, the SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".