
Set user rights using the NTRIGHTS utility

Although Windows 2000's GUI administration utilities are powerful, they can't do everything. Using the NTRIGHTS utility from the Windows 2000 Server Resource Kit, you can set user rights directly from the command line.


If you’ve worked with any version of Windows for any amount of time, you’re probably used to the GUI utilities that Windows uses for network administration. While GUI utilities are usually easy to use, they sometimes aren’t the best solution. If you want to manipulate user rights on either a local or a remote machine from the command line, the NTRIGHTS utility is for you. You can easily incorporate NTRIGHTS utilities into batch files that require user rights modifications. In this article, I’ll show you the NTRIGHTS utility in detail, including the command’s hidden functionality.

Accessing the NTRIGHTS utility
The NTRIGHTS utility is a part of the Windows 2000 Server Resource Kit, and therefore isn’t included in the default Windows installation. To install the Windows 2000 Server Resource Kit, insert the Resource Kit CD and wait for the splash screen to appear. When it does, click on the Install Resource Kit link. Doing so will launch the Windows 2000 Server Resource Kit Setup Wizard. Click Next to bypass the Welcome screen, and you’ll be prompted to accept the end user license agreement. After doing so, click Next and the wizard will ask you for your name and the name of your organization.

Enter this information, click Next, and the following screen will ask if you want to perform a typical or a custom installation. For the purposes of this article, a typical installation is fine, so select the Typical radio button and click Next twice to begin the file copy process. When the file copy process completes, click Finish to close the wizard. If you’ve chosen the typical installation, then the NTRIGHTS utility will be located in the \%SYSTEMROOT%\Program Files\Resource Kit folder.

The basic syntax
The key to successfully using the NTRIGHTS utility is to understand the command’s basic syntax. After you understand the basic syntax, the more advanced functions should make sense. To run NTRIGHTS, open a command prompt on your server. Type NTRIGHTS /? at the command line and press [Enter]. When you do, you’ll see the screen shown in Figure A.

Figure A
Here you can view all of the NTRIGHTS command-line switches.


As you can see from the syntax, the NTRIGHTS utility can be a bit cryptic, to say the least. To make matters worse, much of the command’s functionality isn’t outlined in the NTRIGHTS help file.

Before I move on to syntax, there’s one very important thing that you must know: The NTRIGHTS utility is case sensitive. Therefore, commands must be entered exactly as I’ve written them, or they won’t work.

Another point that’s somewhat obvious, but still worth mentioning, is that in order to successfully use the NTRIGHTS utility, you must be logged in as a user who has the rights necessary to perform the attempted operation. For best results, log in as the Administrator. With that said, let’s look at the command syntax.

The first line of the command syntax is -u xxx User/Group. This part of the syntax is a little deceptive because the xxx represents an actual user name or group name. It's also deceptive because this portion of the syntax never actually uses the words User or Group. For example, suppose you wanted to perform an operation on the Everyone group. If that were the case, then the group specification portion of the command would look something like this:
-u "Everyone"

The next portion of the command is the -m \\xxx parameter. This parameter tells NTRIGHTS on which machine to run the command. Normally, you’ll be running NTRIGHTS on the local machine, and will have no need for this command. If you do find yourself assigning rights on a remote machine, though, you can do so with the -m parameter. For example, if you wanted to assign the rights to a server named TAZ, then you’d use this parameter:
-m \\TAZ

Next in the syntax is the -e parameter. The -e parameter is the Entry switch. The Entry switch allows you to add a text string to the event log. The syntax for the -e switch is as follows:
-e string

The final switch that you'll have to deal with is r. Notice that while the -u, -m, and -e switches all begin with minus signs, the r switch doesn't always. That's because the r switch can be specified with either a plus sign or a minus sign. The +r switch grants the specified right, while the -r switch revokes it. The syntaxes of the r switch are as follows:
-r right
+r right

Another reason why the syntax listed within the NTRIGHTS help file is so misleading is because all of the various switches are shown independently, rather than being shown working in conjunction with each other. Here is my version of what the NTRIGHTS utility syntax really looks like:
NTRIGHTS {-r Right | +r Right} -u user_or_group [-m \\Computer_name] [-e Entry] [-?]

Now that I’ve shown you the individual switches and the full syntax of the NTRIGHTS utility, I want to show you what an actual, valid command might look like.

Suppose that you wanted to remove the Log On Locally permission from the Guests group. You could do so with the NTRIGHTS utility by using the -u and r switches. The r switch requires you to specify the name of a right that you want to grant or revoke. The right that's associated with the Log On Locally function is SeInteractiveLogonRight. Remember that the name of the right is case sensitive. Therefore, if you wanted to remove the Log On Locally permission from the Guests group, you'd use the following command:
NTRIGHTS -r SeInteractiveLogonRight -u "Guests"
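The article's point is that NTRIGHTS belongs in batch files. The script below is an added example (not from the article or the Resource Kit) that wraps the command just shown so it can be applied to several servers in one run, using the -m switch for each machine and the -e switch to leave a note in the target's event log. It assumes NTRIGHTS.EXE is on the PATH (the Resource Kit's typical install) and, as an unverified assumption, that NTRIGHTS returns a non-zero exit code when a call fails.

```batch
@echo off
REM harden_logon.cmd  (added example; not part of the article or the Resource Kit)
REM Revokes the Log On Locally right (SeInteractiveLogonRight) from the Guests
REM group on every server named on the command line, for example:
REM     harden_logon.cmd TAZ FILESRV2
REM Assumptions: NTRIGHTS.EXE is on the PATH, and it sets a non-zero exit code
REM on failure (assumed; the article does not document the exit codes).
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 server [server ...]
    exit /b 1
)

set FAILED=0

:next
if "%~1"=="" goto done
echo Revoking SeInteractiveLogonRight from Guests on \\%~1 ...
REM The right name is case sensitive; -e adds an entry to the target's event log
REM so the change is traceable later.
NTRIGHTS -r SeInteractiveLogonRight -u "Guests" -m \\%~1 -e "Guests: Log On Locally revoked by %USERNAME% via harden_logon.cmd"
if errorlevel 1 (
    echo   FAILED on \\%~1
    set FAILED=1
) else (
    echo   OK
)
shift
goto next

:done
if %FAILED%==1 (
    echo One or more servers could not be updated; review the output above.
    exit /b 1
)
echo All servers updated.
exit /b 0
```

Run it from an account that is an administrator on each target, as the article advises. Note that on a domain member any user rights assigned through Group Policy are reapplied at the next policy refresh, so a local change made with NTRIGHTS only persists where no policy governs that right.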

User rights
Now that I’ve demonstrated the NTRIGHTS utility, the following sections will explain the various user rights in greater detail. Remember that the command’s basic syntax remains the same regardless of which of these rights you choose to plug in. The rights you can set using NTRIGHTS include:
  • SeCreateTokenPrivilege: The SeCreateTokenPrivilege allows a user to create a token object.
  • SeAssignPrimaryTokenPrivilege: The SeAssignPrimaryTokenPrivilege allows anyone to whom you’ve granted this right to replace a process-level token. This permission can only be used to replace tokens, not to create them.
  • SeLockMemoryPrivilege: This is a special user right that allows someone to lock memory pages. When memory pages are locked, the operating system can’t send those memory pages to virtual memory storage.
  • SeIncreaseQuotaPrivilege: In Windows 2000, each object has a specific quota assigned to it. The SeIncreaseQuotaPrivilege allows users to increase the quota value. For example, this is the right that would be assigned to a user that you wanted to be able to adjust disk space quotas.
  • SeUnsolicitedInputPrivilege: The SeUnsolicitedInputPrivilege controls which users can read unsolicited input from a terminal device.
  • SeMachineAccountPrivilege: The SeMachineAccountPrivilege is usually reserved for Administrators. This right allows people to add computers to a domain.
  • SeTcbPrivilege: I recommend using extreme discretion when granting the SeTcbPrivilege. This particular privilege allows a user to act as a trusted part of the operating system. Normally, this right is granted to subsystems rather than to users.
  • SeSecurityPrivilege: The SeSecurityPrivilege right is a good right to assign when you have a dedicated security coordinator. This particular right allows someone to manage the system’s auditing and security logs.
  • SeTakeOwnershipPrivilege: The SeTakeOwnershipPrivilege is a right that’s given to someone that you want to be able to take ownership of files, folders, and other objects.
  • SeLoadDriverPrivilege: The SeLoadDriverPrivilege is another one of those privileges that’s typically reserved for Administrators. Anyone with this privilege is free to load or unload device drivers.
  • SeSystemProfilePrivilege: Some of the privileges that I’ve shown you are easy to guess by their name, but the SeSystemProfilePrivilege isn’t one of them. This privilege allows someone to run the Performance Monitor against the system.
  • SeSystemTimePrivilege: The SeSystemTimePrivilege allows someone to reset the system clock.
  • SeProfileSingleProcessPrivilege: The SeProfileSingleProcessPrivilege is useful for anyone who needs diagnostic capabilities on the system. It allows someone to use Windows’ profiling capabilities to observe an individual process.
  • SeIncreaseBasePriorityPrivilege: The SeIncreaseBasePriorityPrivilege allows a user to boost the speed of a process by increasing its priority.
  • SeCreatePagefilePrivilege: The SeCreatePagefilePrivilege allows a user to create a page file on the system and to manage the system’s virtual memory.
  • SeCreatePermanentPrivilege: The SeCreatePermanentPrivilege allows a user to create special permanent objects within Windows. An example of this is the \\Device object.
  • SeBackupPrivilege: The SeBackupPrivilege allows a user to back up files and directories. This is the main special privilege that's granted to the Backup Operators group.
  • SeRestorePrivilege: The SeRestorePrivilege is also usually associated with the Backup Operators group. This privilege allows users to restore files and folders from backup media.
  • SeShutdownPrivilege: This privilege grants a user the rights to shut down the system.
  • SeAuditPrivilege: The SeAuditPrivilege allows a user to generate security audits.
  • SeSystemEnvironmentPrivilege: The SeSystemEnvironmentPrivilege allows users to modify system environment variables. Keep in mind that granting this permission won’t grant the user the rights to modify user environment variables.
  • SeChangeNotifyPrivilege: The SeChangeNotifyPrivilege is synonymous with bypassing traverse checking. It allows a user to browse a directory tree even if he or she has no rights to the directory. However, granting this right does not grant access to users in POSIX applications.
  • SeRemoteShutdownPrivilege: This privilege allows a user to force a remote system to shut down.

Rights not listed in the help file
There were some user rights that weren’t listed in the help file. The syntax for those unlisted rights is identical to the syntax for the rights that I’ve already shown you. The rest of this article explains the unlisted rights.
  • SeNetworkLogonRight: This right allows you to control who can and who can't access the designated computer from across the network. Most of the time, when I've seen this right used in the past, it has been used in conjunction with the -u and -m switches. For example, if you wanted to allow the Administrators group to access the computer TAZ from across the network, you could use the command NTRIGHTS +r SeNetworkLogonRight -u "Administrators" -m \\TAZ.
  • SeInteractiveLogonRight: The SeInteractiveLogonRight can be used to grant a user or group the right to log on to a designated computer locally. This means that the user can physically sit down at the computer and log on.
  • SeBatchLogonRight: The SeBatchLogonRight can be used to grant someone the right to log on as a batch job. This is especially useful for those times when someone may need to run a batch job that requires an extended set of permissions.
  • SeServiceLogonRight: This permission can be used to grant someone the right to log on to the machine as a service. Many times, services are granted system-level permissions that the average user, or even the administrator, may not have.

Denials to counteract rights
All of the rights in this section are specific denials designed to counteract the logon rights not listed in the help file that I explained above.
  • SeDenyNetworkLogonRight: Simply removing the SeNetworkLogonRight isn’t enough to guarantee that someone can’t log on to the network. To make absolutely sure that no one from a particular group can log on to the machine from the network, you can grant the group the SeDenyNetworkLogonRight to the machine. Since a specific denial overrides a specific permission, all users in the group would be denied the right to log on to the machine from across the network. To remove the specific denial, you’d simply remove the SeDenyNetworkLogonRight.
  • SeDenyInteractiveLogonRight: The SeDenyInteractiveLogonRight is a specific denial that's designed to prevent someone from logging on locally to the designated machine. Remember that as with all of the specific denial rights, the SeDenyInteractiveLogonRight works backward from rights that grant permission. Granting the SeDenyInteractiveLogonRight blocks access to the machine. Revoking it doesn't by itself grant access to the machine; it only stops blocking whatever access some other right already allows.
  • SeDenyBatchLogonRight: The SeDenyBatchLogonRight is the counterpart to the SeBatchLogonRight. This right gives administrators the ability to prevent someone from logging on as a batch job.
  • SeDenyServiceLogonRight: Likewise, the SeDenyServiceLogonRight is the counterpart to the SeServiceLogonRight. It’s designed to prevent a user or group from logging on as a service.
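The four logon rights and their four deny counterparts come in matching pairs, and the article's warning is that revoking an allow right is not enough on its own, while removing a deny right does not grant anything back. The script below is an added example (not from the article or the Resource Kit) that applies both halves of that rule to a user or group: it revokes each allow right and grants the matching deny right, and an /undo mode removes the denials again. It runs against the local machine (add -m \\server to each call for a remote one) and assumes NTRIGHTS.EXE is on the PATH and returns a non-zero exit code on failure.

```batch
@echo off
REM deny_logon.cmd  (added example; not part of the article or the Resource Kit)
REM Usage:
REM     deny_logon.cmd "Guests"          block network, local, batch and service logon
REM     deny_logon.cmd "Guests" /undo    remove the four denials again
REM Assumptions: NTRIGHTS.EXE is on the PATH and sets a non-zero exit code on
REM failure (assumed; the article does not document the exit codes).
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "user_or_group" [/undo]
    exit /b 1
)
set TARGET=%~1
set MODE=%~2

if /i "%MODE%"=="/undo" goto undo

REM Lock-down: the for variable builds both names of each pair, e.g.
REM SeNetworkLogonRight and SeDenyNetworkLogonRight. The allow right is revoked
REM for tidiness, but it is the deny right that guarantees the block, because a
REM specific denial overrides any allow the account holds through another group.
for %%T in (Network Interactive Batch Service) do (
    NTRIGHTS -r Se%%TLogonRight -u "%TARGET%"
    NTRIGHTS +r SeDeny%%TLogonRight -u "%TARGET%" -e "Deny %%T logon set for %TARGET% by %USERNAME%"
    if errorlevel 1 echo WARNING: could not set SeDeny%%TLogonRight for %TARGET%
)
goto end

:undo
REM Removing a denial does not grant logon; whatever allow rights the account
REM still holds, directly or via group membership, decide whether it can log on.
for %%T in (Network Interactive Batch Service) do (
    NTRIGHTS -r SeDeny%%TLogonRight -u "%TARGET%" -e "Deny %%T logon removed for %TARGET% by %USERNAME%"
    if errorlevel 1 echo WARNING: could not remove SeDeny%%TLogonRight for %TARGET%
)

:end
endlocal
exit /b 0
```

Because the deny rights win over every allow right, test the lock-down on an account you can afford to lose access with before applying it to a broad group, and keep the -e entries so the event log records who changed the policy and when.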

Know your rights
Although NTRIGHTS is a very handy utility, it can be confusing to use because of the unconventional way that the help file lists the syntax and because so many of the available rights were omitted from the help file. But now that you know all of the available rights and the utility’s syntax, you can start using NTRIGHTS to build more powerful batch files.
