Windows NT can audit when a user or group is added to or removed from a
User Right. To audit these actions, select the Security Policy Changes
auditing category in User Manager (Policies menu, Auditing). This is the
only audit category needed to audit these specific actions. The File and
Object Access category is the only other category that adds security
events, but those events simply show objects being opened and handles being
closed for the user account access that populates the Add Users and Groups
dialog boxes.
Below is sample output from the Security Event Log when a user is added
to each of the User Rights. Although User Manager does not differentiate
between User Privileges and Rights, in actuality only Privileges are
currently audited. Actions that are not audited are actually "rights."
- Access this computer from the network: no events
- Act as part of the operating system: (Advanced Right)
2/17/97 2:29:19 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeTcbPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Add workstations to domain:
2/17/97 2:18:11 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeMachineAccountPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Back up files and directories:
2/17/97 2:19:03 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeBackupPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Bypass traverse checking: (Advanced Right)
2/17/97 2:30:06 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeChangeNotifyPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Change the system time:
2/17/97 2:19:57 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeSystemtimePrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Create a pagefile: (Advanced Right)
2/17/97 2:30:57 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeCreatePagefilePrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Create a token object: (Advanced Right)
2/17/97 2:31:45 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeCreateTokenPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Create permanent shared objects: (Advanced Right)
2/17/97 2:32:40 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeCreatePermanentPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Debug programs: (Advanced Right)
2/17/97 2:33:41 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeDebugPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Force shutdown from a remote system:
2/17/97 2:20:46 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeRemoteShutdownPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Generate security audits: (Advanced Right)
2/17/97 2:34:31 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeAuditPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Increase quotas: (Advanced Right)
2/17/97 2:35:12 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeIncreaseQuotaPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Increase scheduling priority: (Advanced Right)
2/17/97 2:35:52 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeIncreaseBasePriorityPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Load and unload device drivers:
2/17/97 2:21:43 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeLoadDriverPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Lock pages in memory: (Advanced Right)
2/17/97 2:36:57 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeLockMemoryPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Log on as a batch job: (Advanced Right) no events
- Log on as a service: (Advanced Right) no events
- Log on locally: no events
- Manage auditing and security log:
2/17/97 2:25:18 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeSecurityPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Modify firmware environment values: (Advanced Right)
2/17/97 2:41:54 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeSystemEnvironmentPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Profile single process: (Advanced Right)
2/17/97 3:20:18 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeProfileSingleProcessPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Profile system performance: (Advanced Right)
2/17/97 3:21:11 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeSystemProfilePrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Replace a process level token: (Advanced Right)
2/17/97 3:21:57 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeAssignPrimaryTokenPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Restore files and directories:
2/17/97 2:26:13 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeRestorePrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Shut down the system:
2/17/97 2:27:00 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeShutdownPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
- Take ownership of files or other objects:
2/17/97 2:27:41 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeTakeOwnershipPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
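
The following Python code is an added example, not part of the original article. It parses event 608 records in the text layout shown above and returns the ones that assign a privilege on a watch list; the watch list, the function names and the field handling are this example's assumptions. Rights marked "no events" above never appear in this output, so an empty result does not prove those rights were left unchanged.

```python
import re
from datetime import datetime

# First record copied from the page's sample output (Event Viewer text layout).
RECORD = """\
2/17/97 2:29:19 PM Security Success Audit Policy Change 608
randymc RANDYMC1 User Right Assigned:
User Right: SeTcbPrivilege
Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944
Assigned By:
User Name: randymc
Domain: RANDYMCD
Logon ID: (0x0,0x1EDC)
"""
# Second record: the page's SeChangeNotifyPrivilege entry, rebuilt by substitution.
SAMPLE = RECORD + RECORD.replace("SeTcbPrivilege", "SeChangeNotifyPrivilege") \
                        .replace("2:29:19", "2:30:06")

HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
                    r"Security (Success|Failure) Audit (.+) (\d+)$")
FIELD = re.compile(r"^(User Right|Assigned To|User Name|Domain|Logon ID): (.+)$")

# Assumed watch list (this example's choice, not the article's): privileges from
# the list above that give broad control over the system or its audit trail.
WATCH = {"SeTcbPrivilege", "SeDebugPrivilege", "SeCreateTokenPrivilege",
         "SeLoadDriverPrivilege", "SeSecurityPrivilege", "SeBackupPrivilege",
         "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

def parse_events(text):
    """Split the text dump into one dict per event, keyed by field label."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        head = HEADER.match(line)
        if head:  # a timestamped header line starts a new record
            when = datetime.strptime(head.group(1), "%m/%d/%y %I:%M:%S %p")
            events.append({"time": when, "result": head.group(2),
                           "category": head.group(3),
                           "event_id": int(head.group(4))})
            continue
        field = FIELD.match(line)
        if field and events:  # ignore stray lines before the first header
            events[-1][field.group(1)] = field.group(2)
    return events

def sensitive_assignments(events):
    """Event 608 records that assign a watch-listed privilege."""
    return [e for e in events
            if e["event_id"] == 608 and e.get("User Right") in WATCH]
```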