Auditing User Right Assignment Changes

This article was previously published under Q163905
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY
Windows NT can audit when a user or group is added to or removed from a User Right. To audit these types of action, choose the auditing category Security Policy Changes in User Manager (Policies menu, Auditing). This is the only audit category needed to audit these specific actions. The only other audit category that adds security events is File and Object Access, but these events simply show objects being opened and handles being closed for the user account access that populates the Add Users and Groups dialog boxes.
MORE INFORMATION
Below is the sample output from the Security Event Log when a user is added to each of the User Rights. Although User Manager does not differentiate between User Privileges and Rights, in actuality only Privileges are currently audited. Actions that are not audited are actually "rights."
  1. Access this computer from the network: no events
  2. Act as part of the operating system: (Advanced Right)
    2/17/97  2:29:19 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeTcbPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  3. Add workstations to domain:
    2/17/97  2:18:11 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeMachineAccountPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  4. Back up files and directories:
    2/17/97  2:19:03 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeBackupPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  5. Bypass traverse checking: (Advanced Right)
    2/17/97  2:30:06 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeChangeNotifyPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  6. Change the system time:
    2/17/97  2:19:57 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemtimePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  7. Create a pagefile: (Advanced Right)
    2/17/97  2:30:57 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreatePagefilePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  8. Create a token object: (Advanced Right)
    2/17/97  2:31:45 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreateTokenPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  9. Create permanent shared objects: (Advanced Right)
    2/17/97  2:32:40 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeCreatePermanentPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  10. Debug programs: (Advanced Right)
    2/17/97  2:33:41 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeDebugPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  11. Force shutdown from a remote system:
    2/17/97  2:20:46 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeRemoteShutdownPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  12. Generate security audits: (Advanced Right)
    2/17/97  2:34:31 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeAuditPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  13. Increase quotas: (Advanced Right)
    2/17/97  2:35:12 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeIncreaseQuotaPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  14. Increase scheduling priority: (Advanced Right)
    2/17/97  2:35:52 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeIncreaseBasePriorityPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  15. Load and unload device drivers:
    2/17/97  2:21:43 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeLoadDriverPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  16. Lock pages in memory: (Advanced Right)
    2/17/97  2:36:57 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeLockMemoryPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  17. Log on as a batch job: (Advanced Right) no events
  18. Log on as a service: (Advanced Right) no events
  19. Log on locally: no events
  20. Manage auditing and security log:
    2/17/97  2:25:18 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeSecurityPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  21. Modify firmware environment values: (Advanced Right)
    2/17/97  2:41:54 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemEnvironmentPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  22. Profile single process: (Advanced Right)
    2/17/97  3:20:18 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeProfileSingleProcessPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  23. Profile system performance: (Advanced Right)
    2/17/97  3:21:11 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeSystemProfilePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  24. Replace a process level token: (Advanced Right)
    2/17/97  3:21:57 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeAssignPrimaryTokenPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  25. Restore files and directories:
    2/17/97  2:26:13 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeRestorePrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  26. Shut down the system:
    2/17/97  2:27:00 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeShutdownPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
  27. Take ownership of files or other objects:
    2/17/97  2:27:41 PM  Security Success Audit  Policy Change  608
    randymc  RANDYMC1 User Right Assigned:
       User Right: SeTakeOwnershipPrivilege
       Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
       Assigned By:
       User Name:  randymc
       Domain:     RANDYMCD
       Logon ID:   (0x0,0x1EDC)
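
Added example (not part of the original article): a Python parser for the Event 608 records shown above that also tolerates records whose line breaks were lost in export, lists grants of privileges it treats as high impact, and groups grants by target SID and assigner logon session. The HIGH_IMPACT set and the function names are assumptions of this example; the sample records are constructed from the article's values.

```python
import re
from collections import defaultdict

# High-impact set is this example's own assumption, not a list from the article.
HIGH_IMPACT = {"SeTcbPrivilege", "SeDebugPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}

# \s* between fields lets a record parse with or without its line breaks.
EVENT_608 = re.compile(
    r"(?P<date>\d+/\d+/\d+)\s+(?P<time>\d+:\d+:\d+ [AP]M)\s+Security\s+"
    r"Success Audit\s+Policy Change\s+608\s*(?P<user>\S+)\s+(?P<computer>\S+)\s+"
    r"User Right Assigned:\s*User Right:\s*(?P<right>Se\w+?Privilege)\s*"
    r"Assigned To:\s*(?P<sid>S-[\d-]+)\s*Assigned By:\s*"
    r"User Name:\s*(?P<by>\S+?)\s*Domain:\s*(?P<domain>\S+?)\s*"
    r"Logon ID:\s*\((?P<logon_id>[^)]+)\)")

# Constructed sample built from the article's values: one record in Event Viewer
# layout, one flattened onto a single line.
SAMPLE_LOG = """\
2/17/97  2:29:19 PM  Security Success Audit  Policy Change  608
randymc  RANDYMC1 User Right Assigned:
   User Right: SeTcbPrivilege
   Assigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944
   Assigned By:
   User Name:  randymc
   Domain:     RANDYMCD
   Logon ID:   (0x0,0x1EDC)
2/17/97  2:30:06 PM  Security Success Audit  Policy Change  608randymc  RANDYMC1 User Right Assigned:User Right: SeChangeNotifyPrivilegeAssigned To:   S-1-5-21-2092848103-1120294241-1737835142-7944Assigned By:User Name:  randymcDomain:     RANDYMCDLogon ID:   (0x0,0x1EDC)
"""

def parse_608(text):
    """Return one dict per Event 608 record found in text."""
    return [m.groupdict() for m in EVENT_608.finditer(text)]

def high_impact(events):
    """Events that grant a privilege listed in HIGH_IMPACT."""
    return [e for e in events if e["right"] in HIGH_IMPACT]

def grants_by_session(events):
    """Group granted privileges by (target SID, assigner logon session)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sid"], e["logon_id"])].append(e["right"])
    return dict(groups)

if __name__ == "__main__":
    for e in high_impact(parse_608(SAMPLE_LOG)):
        print(e["date"], e["time"], e["right"], "->", e["sid"], "by", e["domain"] + "\\" + e["by"])
```

Because the rights marked "no events" above (for example Log on locally and Log on as a service) never generate Event 608, an empty result from this parser does not show that no user right was changed.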
Properties

Article ID: 163905 - Last Review: 02/24/2014 08:27:11 - Revision: 2.1

  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition