2.2.6 Privilege Rights

  • Article

This section defines settings that enable an administrator to control what accounts have what privileges. The syntax for the entries in this category MUST be as follows. 

 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = "Privilege Rights"
 Settings = Setting / Setting Settings
 Setting = RightName Wsp "=" Wsp SidList LineBreak
 SidList = SidEnt / SidEnt Wsp "," Wsp SidList
  
  
 RightName = "SeNetworkLogonRight" / "SeTcbPrivilege" 
       / "SeMachineAccountPrivilege" / "SeIncreaseQuotaPrivilege" 
       / "SeRemoteInteractiveLogonRight" / "SeBackupPrivilege" 
       / "SeChangeNotifyPrivilege" / "SeCreatePagefilePrivilege" 
       / "SeSystemtimePrivilege" / "SeCreateTokenPrivilege" 
       / "SeCreateGlobalPrivilege" / "SeCreatePermanentPrivilege" 
       / "SeDebugPrivilege" / "SeDenyNetworkLogonRight" 
       / "SeDenyBatchLogonRight" / "SeDenyServiceLogonRight" 
       / "SeDenyInteractiveLogonRight" 
       / "SeDenyRemoteInteractiveLogonRight" 
       / "SeEnableDelegationPrivilege" 
       / "SeRemoteShutdownPrivilege" / "SeAuditPrivilege" 
       / "SeImpersonatePrivilege" 
       / "SeIncreaseBasePriorityPrivilege" 
       / "SeLoadDriverPrivilege" / "SeLockMemoryPrivilege" 
       / "SeBatchLogonRight" / "SeServiceLogonRight" 
       / "SeInteractiveLogonRight" / "SeSecurityPrivilege" 
       / "SeSystemEnvironmentPrivilege" 
       / "SeManageVolumePrivilege" 
       / "SeProfileSingleProcessPrivilege" 
       / "SeSystemProfilePrivilege" / "SeUndockPrivilege" 
       / "SeAssignPrimaryTokenPrivilege" / "SeRestorePrivilege" 
       / "SeShutdownPrivilege" / "SeSyncAgentPrivilege" 
       / "SeTakeOwnershipPrivilege" / "SeTrustedCredManAccessPrivilege"
       / "SeTimeZonePrivilege" / "SeCreateSymbolicLinkPrivilege"
       / "SeIncreaseWorkingSetPrivilege" / "SeRelabelPrivilege"
  
  
  
 SidEnt = %d42 SID / PRINCIPALNAMESTRING
  
 ; SID is defined in MS-DTYP section 2.4.2.1
  
 PRINCIPALNAMESTRING = 1*20(ALPHANUM / %d32-33 / %d35-41 / %d45 / %d64 / %d94-96 / %d123 / %d125 / %d126)

For information about each privilege setting, see [MSDN-PRIVS].

The SID element in the preceding syntax is a string representation of the security identifiers (SIDs) of accounts or groups and MUST conform to the syntax specified in [MS-DTYP] section 2.4.2.1.