DOCUMENT:Q101366  19-JUL-1993  [W_NT]
TITLE   :INF: Definition and List of Windows NT Advanced User Rights
PRODUCT :Windows NT
PROD/VER:3.10
OPER/SYS:WINDOWS
KEYWORDS:

----------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT operating system, version 3.1
 - Microsoft Windows NT Advanced Server, version 3.1
----------------------------------------------------------------------

The text below defines the advanced user rights that the Windows NT
User Manager controls. To administer these rights, run User Manager
and choose User Rights from the Policies menu. Then choose Show
Advanced User Rights.

The advanced user rights are as follows:

To Act as Part of the Operating System
--------------------------------------
 
SE_TCB_NAME
SeTcbPrivilege

The user can act as a trusted part of the operating system. Some
subsystems have this privilege granted to them.
 
Bypass Traverse Checking
------------------------
 
SE_CHANGE_NOTIFY_NAME
SeChangeNotifyPrivilege

The user can traverse a directory tree even if the user has no other
rights to access that directory. This right is denied to users in POSIX
applications.

Create a Pagefile
-----------------

SE_CREATE_PAGEFILE_NAME
SeCreatePagefilePrivilege

The user can create a pagefile.

Create a Token Object
---------------------

SE_CREATE_TOKEN_NAME
SeCreateTokenPrivilege

The user can create access tokens. Only the Local Security Authority
can have this privilege.
 
Create Permanent Shared Objects
-------------------------------

SE_CREATE_PERMANENT_NAME
SeCreatePermanentPrivilege

The user can create special permanent objects used in Windows NT, such
as \\Device. For more information, please refer to the book "Inside
Windows NT" (Microsoft Press).

Debug Programs
--------------

SE_DEBUG_NAME
SeDebugPrivilege

The user can debug applications.

Generate Security Audits
------------------------

SE_AUDIT_NAME
SeAuditPrivilege

The user can generate audit-log entries.

Increase Quotas
---------------

SE_INCREASE_QUOTA_NAME
SeIncreaseQuotaPrivilege

The user can increase object quotas. Each object has a quota assigned
to it.

Increase Scheduling Priority
----------------------------
 
SE_INC_BASE_PRIORITY_NAME
SeIncreaseBasePriorityPrivilege

The user can boost the scheduling priority of a process.

Load and Unload Device Drivers
------------------------------

SE_LOAD_DRIVER_NAME
SeLoadDriverPrivilege

The user can load and unload device drivers.

Lock Pages in Memory
--------------------

SE_LOCK_MEMORY_NAME
SeLockMemoryPrivilege

The user can lock pages in memory to prevent them from being paged out
into backing store (such as PAGEFILE.SYS).

Log on as a Batch Job
---------------------
 
SECURITY_BATCH_RID
SeBatchSid

The user can log on to the system as a batch queue facility. This is a
group identifier (S-1-5-3).

Log on as a Service
-------------------

SECURITY_SERVICE_RID
SeServiceSid

The user can perform security services (S-1-5-4). The user that
performs replication logs on as a service.

Modify Firmware Environment Variables
-------------------------------------

SE_SYSTEM_ENVIRONMENT_NAME
SeSystemEnvironmentPrivilege

The user can modify system environment variables (not user environment
variables).

Profile Single Process
----------------------
 
SE_PROF_SINGLE_PROCESS_NAME
SeProfileSingleProcessPrivilege

The user can use Windows NT profiling capabilities to observe a
process.

Profile System Performance
--------------------------

SE_SYSTEM_PROFILE_NAME
SeSystemProfilePrivilege

The user can use Windows NT profiling capabilities to observe the
system.

Receive Unsolicited Device Input
--------------------------------

SE_UNSOLICITED_INPUT_NAME
SeUnsolicitedInputPrivilege

The user can read unsolicited data from a terminal device.

Replace a Process Level Token
-----------------------------

SE_ASSIGNPRIMARYTOKEN_NAME
SeAssignPrimaryTokenPrivilege

The user can modify a process's access token.
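
The following is an added example, not part of the original article: one
way to audit which accounts hold the privileges listed above. It assumes
the rights assignments have been exported with "secedit /export /cfg" on a
later Windows release (this article itself only describes User Manager);
the baseline, the SIDs and the sample export are constructed.

```python
# Privilege names taken from this article (logon-type entries omitted).
ADVANCED_RIGHTS = set("""
SeTcbPrivilege SeChangeNotifyPrivilege SeCreatePagefilePrivilege
SeCreateTokenPrivilege SeCreatePermanentPrivilege SeDebugPrivilege
SeAuditPrivilege SeIncreaseQuotaPrivilege SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege SeLockMemoryPrivilege SeSystemEnvironmentPrivilege
SeProfileSingleProcessPrivilege SeSystemProfilePrivilege
SeUnsolicitedInputPrivilege SeAssignPrimaryTokenPrivilege""".split())
# Constructed baseline (assumption): holders the auditor expects per right.
# SeCreateTokenPrivilege has no entry, so any listed holder is reported.
BASELINE = {
    "SeChangeNotifyPrivilege": {"*S-1-1-0", "*S-1-5-32-544"},
    "SeDebugPrivilege": {"*S-1-5-32-544"},
}
# Constructed sample of an exported security policy (not real data).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1002
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights

def unexpected_grants(inf_text, baseline):
    """List (right, holder) pairs for this article's rights outside the baseline."""
    findings = []
    for right, holders in parse_privilege_rights(inf_text).items():
        if right in ADVANCED_RIGHTS:
            allowed = baseline.get(right, set())
            findings += [(right, h) for h in holders if h not in allowed]
    return sorted(findings)

print(unexpected_grants(SAMPLE_INF, BASELINE))
```

Rights that do not appear in this article, such as SeShutdownPrivilege in
the sample, are ignored by the check.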
 

Copyright Microsoft Corporation 1993.