The Microsoft Windows 2000 Server Resource Kit is full of valuable goodies, and one of those goodies is Ntrights (ntrights.exe). This command-line utility lets you modify user or group rights on both local and remote machines. These days, most Windows administrators probably use a GUI to manage user rights, but the command-based utility hasn't lost its value and in many cases can be a better choice than the GUI version. For example, you can incorporate Ntrights in scripts and batch files to run many complicated administrative tasks on several machines.
When you install the resource kit, Ntrights installs by default in \%systemroot%\program files\resource kit. To use the utility, you must log on with an account that has sufficient rights to make modifications on the destination machine on which you want the changes to take effect.
To access the tool's Help files, type the command
The Ntrights Help output, which Web Figure 1 (http://www.secadministrator.com, InstantDoc ID 4000) shows, lists the rights that you can modify and the syntax that you use for each command. The output doesn't display a complete list of all the rights that you can modify with the utility, so I also define the rights that the Help file doesn't list.
You'll notice that the Help file structure is a bit confusing and doesn't follow the structure that you typically see in other Help files. For example, the xxx notation that you see in Web Figure 1 can at times mean User/Group and at other times mean machine name or server name. Also note that these commands are case sensitive; you must type them exactly as they appear in this list or they'll fail. Let's start with the Ntrights switches.
- -u xxx User/Group—This switch specifies a user or group on which to perform a task; for example,
ntrights -u "Everyone"
- -m \\xxx Machine: this switch names the local or remote machine on which the change takes effect (as in the examples below, where changes are pushed to the server BART from a workstation); for example,
ntrights -m \\BART
- -e xxx Entry: this switch writes the text that follows it as an entry in the target machine's event log; for example,
ntrights -e This is a test.
User Rights Included in the Help File
The following rights appear in the Ntrights Help file. You can use them to perform the described actions.
- SeCreateTokenPrivilege—This right grants the right to create a token object. A token object is a set of security settings that a process can use to gain access to local resources. Any application or process that requires this right should use the local system account, which already has this right.
- SeAssignPrimaryTokenPrivilege—This right lets users replace process-level tokens but doesn't let them create tokens. For example, if the system account creates a process that has several subprocesses or child processes, a user with the SeAssignPrimaryTokenPrivilege right can change the access token of the child processes.
- SeLockMemoryPrivilege—This right lets a user lock memory pages so that the OS doesn't send the locked memory pages to virtual memory.
- SeIncreaseQuotaPrivilege—This right grants a user the ability to adjust a disk space quota limit.
- SeUnsolicitedInputPrivilege—This option controls which users have permission to read unsolicited input from a terminal device.
- SeMachineAccountPrivilege—This right lets users add computers to the domain; usually this permission is given to administrators, Help desk technicians, and consultants aiding in workstation rollouts.
- SeTcbPrivilege—This right lets its possessor act as a trusted part of the OS. Be careful when granting this permission.
- SeSecurityPrivilege—This option lets a user manage the system's Security and audit logs.
- SeTakeOwnershipPrivilege—This right lets a user take ownership of files, folders, and objects that the user didn't create or have access to.
- SeLoadDriverPrivilege—This right lets a user load and unload device drivers and should be given to only administrators and server operators because loading incompatible or bad device drivers can lead to server instability.
- SeSystemProfilePrivilege—This right lets a user run Performance Monitor on a machine. I recommend that you grant this right to only administrators and server operators.
- SeSystemtimePrivilege—This option lets a user reset the system clock.
- SeProfileSingleProcessPrivilege—This right lets a user monitor processes.
- SeIncreaseBasePriorityPrivilege—This right lets a user increase the priority level of a particular process.
- SeCreatePagefilePrivilege—This right grants its possessor the ability to create a pagefile and to manage virtual memory.
- SeCreatePermanentPrivilege—This right lets a user create permanent objects in Windows.
- SeBackupPrivilege—This right lets a user back up files and directories.
- SeRestorePrivilege—This right completes the SeBackupPrivilege by letting the user restore files and folders.
- SeShutdownPrivilege—This option lets a user shut down the system.
- SeAuditPrivilege—This right lets a user generate security audits.
- SeSystemEnvironmentPrivilege—This right lets a user modify system environment variables.
- SeChangeNotifyPrivilege—This right lets a user browse a directory tree.
- SeRemoteShutdownPrivilege—This right grants a user the ability to remotely shut down a system.
User Rights Not Displayed in the Help File
The following list shows rights that don't appear in the Ntrights Help file. You can use them to perform the listed actions.
- SeNetworkLogonRight—This right lets a user or group access a particular computer over the network.
- SeDenyNetworkLogonRight—This right implicitly denies a user or group access to a particular computer over the network.
- SeInteractiveLogonRight—This right lets a user or group log on locally to a machine from its console.
- SeDenyInteractiveLogonRight—This right implicitly denies a user or group the ability to log on locally from the console of a machine.
- SeBatchLogonRight—This right lets a user log on as a batch job. It's usually given to a special user account created solely to run batch jobs.
- SeDenyBatchLogonRight—This right implicitly denies a user from logging on and running batch jobs on a machine.
- SeServiceLogonRight—This option lets a user log on as a service. You generally grant this right to a special user account created solely to run certain services on certain machines.
- SeDenyServiceLogonRight—This right implicitly denies a user from logging on as a service.
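Because the rights in both lists above are assigned by name, it is worth being able to see who currently holds the sensitive ones before you start granting or revoking with Ntrights. The following PowerShell script is an added example, not code from the article or the resource kit: it exports the local user-rights area with secedit.exe, parses the [Privilege Rights] section, and reports any holder of a sensitive right other than Administrators and SYSTEM. The choice of which rights count as sensitive and which holders are expected is mine, and the script must run from an elevated prompt.

```powershell
# Added example (not from the article): audit who holds the sensitive user rights
# described above on the local machine. Requires an elevated prompt; secedit.exe
# ships with Windows. The sensitive list and the expected-holder list are my choices.

$SensitiveRights = @(
    'SeTcbPrivilege',                 # act as part of the OS
    'SeCreateTokenPrivilege',         # create token objects
    'SeAssignPrimaryTokenPrivilege',  # replace process-level tokens
    'SeLoadDriverPrivilege',          # load and unload device drivers
    'SeTakeOwnershipPrivilege',       # take ownership of objects
    'SeBackupPrivilege',              # read files regardless of ACL
    'SeRestorePrivilege',             # write files regardless of ACL
    'SeServiceLogonRight',            # log on as a service
    'SeBatchLogonRight'               # log on as a batch job
)
# Holders expected to have these rights; anything else is reported for review.
$ExpectedHolders = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

function Export-PrivilegeRights {
    # Export only the USER_RIGHTS area of local policy to a temporary INF file.
    $path = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $path /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $path)) { throw 'secedit export failed; run from an elevated prompt.' }
    return $path
}

function Get-PrivilegeRights {
    param([Parameter(Mandatory=$true)][string]$InfPath)
    # The [Privilege Rights] section holds lines such as
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    # Build a hashtable of right name -> array of holder entries.
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Holder {
    param([Parameter(Mandatory=$true)][string]$Entry)
    # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name when possible,
    # otherwise return the raw value (orphaned SID or a literal account name).
    $raw = $Entry.TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $raw
    }
}

function Find-UnexpectedGrants {
    param([Parameter(Mandatory=$true)][hashtable]$Rights)
    foreach ($right in $SensitiveRights) {
        if (-not $Rights.ContainsKey($right)) { continue }   # assigned to nobody
        foreach ($entry in $Rights[$right]) {
            $sidText = $entry.TrimStart('*')
            if ($ExpectedHolders -contains $sidText) { continue }
            [pscustomobject]@{ Right = $right; Holder = (Resolve-Holder $entry); Sid = $sidText }
        }
    }
}

$inf = Export-PrivilegeRights
try {
    $findings = @(Find-UnexpectedGrants -Rights (Get-PrivilegeRights -InfPath $inf))
    if ($findings.Count -eq 0) { 'No sensitive rights held outside Administrators/SYSTEM.' }
    else { $findings | Sort-Object Right, Holder | Format-Table -AutoSize }
} finally {
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
}
```

Run the audit on a server before and after a batch of Ntrights changes and diff the two reports; an unexpected holder of SeTcbPrivilege, SeLoadDriverPrivilege or SeRestorePrivilege is exactly the kind of assignment the article advises restricting to administrators and server operators.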
Putting Ntrights to Work
Now that we know what Ntrights can do, let's look at some examples of how these rights and switches work together in various scenarios. For example, let's say you wanted to grant the Authenticated Users group the right to access the BART server over the network. Let's also say you're running the Ntrights utility from your workstation because you don't feel like walking over to the server's console or using Win2K Server Terminal Services to log on to it. You would run the following command:
Authenticated Users -m \\BART
Have you ever tried to access a Terminal Services server and received the error "The local policy of this system does not permit you to log on interactively"? This error usually occurs when a nonadministrator tries to access a Win2K domain controller (DC). By design, this access is restricted; however, if you've created administrative groups that you want to grant this right to, you can use the following command to give the group the Log on Locally right:
Another example would be if you want to grant the user account MAILER, which you created to be used as a service account, the right to log on to the server BART and start a service. You also want to add a line of text in the server's event log. The command would look like the following:
-u MAILER -m \\BART -e Mailer user account has been given right to log on as a service
You might want to remove a particular user or group's ability to shut down the system. By taking away this right, you can stop users from accidentally or intentionally shutting down a server for which they have access. To do so, type
Finally, let's say you want to revoke the right to change the system time from the Users group in the Simpsons domain. You would use the command
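The scenarios above each touch one server. The article's point about scripting is that the same change can be pushed to many machines, so here is an added PowerShell example, not code from the article or the resource kit, that wraps ntrights.exe for the MAILER service-account and shutdown-right scenarios across a list of servers and records each result. The server names are constructed; the install path follows the article's description; and the +r (grant) and -r (revoke) switches come from the tool's own usage text rather than from this page, so confirm them against the Help output on your copy. Because the article notes that right names are case sensitive, the wrapper rejects any name that does not match the list exactly.

```powershell
# Added example (not from the article): apply user-rights changes to several servers
# with ntrights.exe and collect the results. Server and account names are constructed.
# Assumption: ntrights accepts +r <Right> to grant and -r <Right> to revoke.

$Ntrights = Join-Path $env:ProgramFiles 'Resource Kit\ntrights.exe'   # default install location
$Servers  = @('BART', 'LISA', 'HOMER')                                # constructed server list

# Exact right names as listed in the article; ntrights is case sensitive.
$KnownRights = @(
    'SeCreateTokenPrivilege','SeAssignPrimaryTokenPrivilege','SeLockMemoryPrivilege',
    'SeIncreaseQuotaPrivilege','SeUnsolicitedInputPrivilege','SeMachineAccountPrivilege',
    'SeTcbPrivilege','SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeLoadDriverPrivilege',
    'SeSystemProfilePrivilege','SeSystemtimePrivilege','SeProfileSingleProcessPrivilege',
    'SeIncreaseBasePriorityPrivilege','SeCreatePagefilePrivilege','SeCreatePermanentPrivilege',
    'SeBackupPrivilege','SeRestorePrivilege','SeShutdownPrivilege','SeAuditPrivilege',
    'SeSystemEnvironmentPrivilege','SeChangeNotifyPrivilege','SeRemoteShutdownPrivilege',
    'SeNetworkLogonRight','SeDenyNetworkLogonRight','SeInteractiveLogonRight',
    'SeDenyInteractiveLogonRight','SeBatchLogonRight','SeDenyBatchLogonRight',
    'SeServiceLogonRight','SeDenyServiceLogonRight'
)

function Set-UserRight {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][ValidateSet('Grant','Revoke')][string]$Action,
        [Parameter(Mandatory=$true)][string]$Right,
        [Parameter(Mandatory=$true)][string]$Account,
        [string]$LogEntry
    )
    # -cnotcontains is the case-sensitive test, so 'SeSystemTimePrivilege' is rejected.
    if ($KnownRights -cnotcontains $Right) { throw "Unknown or mis-cased right name: $Right" }
    $op = if ($Action -eq 'Grant') { '+r' } else { '-r' }
    $argList = @($op, $Right, '-u', $Account, '-m', "\\$Server")
    if ($LogEntry) { $argList += @('-e', $LogEntry) }       # -e writes to the target's event log
    $output = & $Ntrights @argList 2>&1
    [pscustomobject]@{
        Server = $Server; Action = $Action; Right = $Right; Account = $Account
        ExitCode = $LASTEXITCODE; Output = ($output -join ' ')
    }
}

$results = foreach ($s in $Servers) {
    # Scenario 1: let the MAILER service account log on as a service, with an event-log note.
    Set-UserRight -Server $s -Action Grant  -Right SeServiceLogonRight -Account MAILER `
                  -LogEntry 'Mailer user account has been given right to log on as a service'
    # Scenario 2: stop ordinary users from shutting the server down.
    Set-UserRight -Server $s -Action Revoke -Right SeShutdownPrivilege -Account Users
}

$results | Format-Table -AutoSize
$results | Where-Object { $_.ExitCode -ne 0 } |
    ForEach-Object { Write-Warning ("{0}: {1} {2} for {3} failed: {4}" -f $_.Server, $_.Action, $_.Right, $_.Account, $_.Output) }
```

Keep the output table with your change records: together with the -e event-log entry on each server it gives you both a central and a local trail of who was granted or stripped of which right, and where.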
Put Your Ntrights to Good Use
Ntrights is a powerful resource kit utility that you can use for a wide range of administrative tasks related to granting and revoking user and group rights. Best of all, Ntrights is a command-line utility, which means you can incorporate it into scripts and run it on any machine at any time. Now go ahead and "right'em up."