Changing User Rights from a Batch File or Command Line


You can use the NTRights.exe utility to grant or deny user rights to users and groups from a command line or a batch file. The NTRights.exe utility is included in the Windows NT Server 4.0 Resource Kit Supplement 3.

More Information

The NTRights.exe utility uses the following syntax:

ntrights +r/-r user_right-u "account_name" -m\\computer_name


  • +r is used to add a user right.
  • -r is used to revoke a user right.
  • user_right is the user right to grant or revoke.
  • "account _name" is the name of the user or group (enclosed in quotation marks) whose user rights are being modified.
  • computer_name is the name of the remote computer where the user rights are being changed. If the -m option and the computer name are not specified, the changes occur on the local computer.

To be able to set a right for a user or group, you must have Administrator privileges. The following table lists the user rights that can be changed by using the NTRights.exe utility.

NOTE: The following user rights are case-sensitive and must be typed exactly as they appear below:

Windows NT rightPermits user to
SeAssignPrimaryTokenPrivilegeReplace a process level token
SeAuditPrivilegeGenerate security audits
SeBackupPrivilegeBack up files and directories
SeBatchLogonRightLog on as a batch job
SeChangeNotifyPrivilegeBypass traverse checking
SeCreatePagefilePrivilegeCreate a pagefile
SeCreatePermanentPrivilegeCreate permanent shared objects
SeCreateTokenPrivilegeCreate a token object
SeDebugPrivilegeDebug programs
SeIncreaseBasePriorityPrivilegeIncrease scheduling priority
SeIncreaseQuotaPrivilegeIncrease quotas
SeInteractiveLogonRightLog on locally
SeLoadDriverPrivilegeLoad and unload device drivers
SeLockMemoryPrivilegeLock pages in memory
SeMachineAccountPrivilegeAdd workstations to domain
SeNetworkLogonRightAccess this computer from the network
SeProfileSingleProcessPrivilegeProfile single process
SeRemoteShutdownPrivilegeForce shutdown from a remote system
SeRestorePrivilegeRestore files and directories
SeSecurityPrivilegeManage auditing and security log
SeServiceLogonRightLog on as a service
SeShutdownPrivilegeShut down the system
SeSystemEnvironmentPrivilegeModify firmware environment values
SeSystemProfilePrivilegeProfile system performance
SeSystemtimePrivilegeChange the system time
SeTakeOwnershipPrivilegeTake ownership of files or other objects
SeTcbPrivilegeAct as part of the operating system
SeUnsolicitedInputPrivilegeRead unsolicited input from a terminal device

EXAMPLE: You can use the NTRights.exe utility to selectively revoke the Log on locally right on the local computer so that only members of the local Administrators group can log on locally. On a Windows NT Workstation 4.0-based computer, by default the following groups have the user right Log on Locally:
  • Administrators
  • Backup Operators
  • Everyone
  • Guests
  • Power Users
  • Users

To revoke the Log on locally user right for all groups but the local Administrators group, include the following commands in a batch file:

ntrights -r SeInteractiveLogonRight -u "Backup Operators"
ntrights -r SeInteractiveLogonRight -u "Everyone"
ntrights -r SeInteractiveLogonRight -u "Guests"
ntrights -r SeInteractiveLogonRight -u "Power Users"
ntrights -r SeInteractiveLogonRight -u "Users"

For more information about using the NTRights.exe utility, refer to the RKTools.hlp file included in the Windows NT Server 4.0 Resource Kit Supplement 3.

Artikelnummer: 266280 – Letzte Überarbeitung: 31.10.2006 – Revision: 1