User rights grant specific privileges and logon rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories.

To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.

The following table lists and describes the privileges that can be granted to a user.

Privilege Description Default setting

Act as part of the operating system

Allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the Local System account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. You do not need to assign this privilege to users unless your organization uses servers running Windows 2000 or Windows NT 4.0 and uses applications that exchange passwords in plaintext.

Local System

Add workstations to a domain

Determines which groups or users can add workstations to a domain.

This user right is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

Adding a computer account to the domain allows the computer to recognize accounts and groups that exist in Active Directory Domain Services (AD DS).

Domain controllers: Authenticated Users

Adjust memory quotas for a process

Determines who can change the maximum memory that can be consumed by a process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Administrators

Back up files and directories

Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Administrators and Backup Operators

Bypass traverse checking

Determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers.

Workstations and servers: Administrators, Backup Operators, Power Users, Users, and Everyone

Domain controllers: Administrators and Authenticated Users

Change the system time

Determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers.

Workstations and servers: Administrators and Power Users

Domain controllers: Administrators and Server Operators

Create a pagefile

Allows the user to create and change the size of a paging file. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System properties.

Administrators

Create a token object

Allows a process to create a token that it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.

Processes requiring this privilege should use the Local System account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

No one

Create global objects

Determines which accounts can create global objects in a Terminal Services or Remote Desktop Services session.

Administrators and Local System

Create permanent shared objects

Allows a process to create a directory object in the operating system's object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

No one

Debug programs

Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components do need to be assigned this user right. This user right provides complete access to sensitive and critical operating system components.

Administrators and Local System

Enable computer and user accounts to be trusted for delegation

Determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers.

Domain controllers: Administrators

Force shutdown from a remote system

Determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers.

Workstations and servers: Administrators

Domain controllers: Administrators and Server Operators

Generate security audits

Determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information, see Audit: Shut down system immediately if unable to log security audits (https://go.microsoft.com/fwlink/?LinkId=136299).

Local System

Impersonate a client after authentication

Determines which accounts are allowed to impersonate other accounts.

Administrators and Service

Increase scheduling priority

Determines which accounts can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

Administrators

Load and unload device drivers

Determines which users can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. Because device drivers run as trusted (or highly privileged) programs,you should not assign this privilege to other users. Instead, use the StartService() API.

Administrators

Lock pages in memory

Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

None; certain system processes have the privilege inherently

Manage auditing and security log

Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This security setting does not allow a user to enable file and object access auditing. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured. For more information, see Audit object access (https://go.microsoft.com/fwlink/?LinkId=136283).

You can view audited events in the Security log of the Event Viewer. A user with this privilege can also view and clear the Security log.

Administrators

Modify firmware environment values

Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.

  • On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.

  • On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run Bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System properties.

  • On all computers, this user right is required to install or upgrade Windows.

Administrators and Local System

Profile a single process

Determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.

Administrators, Power Users, and Local System

Profile system performance

Determines which users can use performance monitoring tools to monitor the performance of system processes.

Administrators and Local System

Remove computer from docking station

Determines whether a user can undock a portable computer from its docking station without logging on.

If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.

Disabled

Replace a process level token

Determines which user accounts can initiate a process to replace the default token associated with a started subprocess.

This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers.

Local Service and Network Service

Restore files and directories

Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object.

Specifically, this user right is similar to granting the following permissions to a user or group on all files and folders on the system:

  • Traverse Folder/Execute File

  • Write

Workstations and servers: Administrators, and Backup Operators

Domain controllers: Administrators, Backup Operators, and Server Operators

Shut down the system

Determines which users who are logged on locally to the computer can shut down the operating system by using the Shut Down command. Misuse of this user right can result in a denial of service.

Workstations: Administrators, Backup Operators, Power Users, and Users

Servers: Administrators, Backup Operators, and Power Users

Domain controllers: Account Operators, Administrators, Backup Operators, Server Operators, and Print Operators

Synchronize directory service data

Determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.

None

Take ownership of files or other objects

Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Administrators

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right—in this case, the right to perform a backup—takes precedence over all file and directory permissions. For more information, see Backup and Recovery (https://go.microsoft.com/fwlink/?LinkID=131606).

Note

At a command prompt, you can type whoami /priv to see your privileges.