- Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
- Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
- OverflowAI GenAI features for Teams
- OverflowAPI Train & fine-tune LLMs
- Labs The future of collective knowledge sharing
- About the company Visit the blog
Collectives™ on Stack Overflow
Find centralized, trusted content and collaborate around the technologies you use most.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Get early access and see previews of new features.
How to assign user rights to a local user account through powershell?
I want to modify the user rights associated with a local user account.I want to add groups and users to a particular User Rights. This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Then click on the required user Right and add the user or group to it.
Is it possible to do the same through powershell scripts?
4 Answers 4
What I would do is open SecPol.msc, make your modifications via the GUI to a baseline computer and export an .inf template for installation via powershell.
The template can be installed with secedit.exe. If you want, you can open the inf file in a text editor and scroll until you see the [Privilege Rights] section. Here is one for example.
Run this command and reboot. Edit .inf and .db names as appropriate.
Found a third party command line solution. ntwrongs.exe
http://forums.mydigitallife.info/threads/57557-NTWrongs%99
Here is a purely powershell method - https://stackoverflow.com/a/26393118
To build upon @Knuckle-Dragger's answer:
I couldn't add my user to the secreatesymboliclinkprivilege setting ( Computer Configuration > Windows Settings > Security Settings > Local Policies > ** User Rights Assignment** > Create symbolic links ), always with the error "The specified domain either does not exist or could not be contacted", and it worked with his method, for my DOMAIN\user account from the whoami output:
Your Answer
Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more
Sign up or log in
Post as a guest.
Required, but never shown
By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .
Not the answer you're looking for? Browse other questions tagged windows powershell or ask your own question .
- The Overflow Blog
- LLMs evolve quickly. Their underlying architecture, not so much.
- From PHP to JavaScript to Kubernetes: how one backend engineer evolved over time
- Featured on Meta
- We've made changes to our Terms of Service & Privacy Policy - July 2024
- Bringing clarity to status tag usage on meta sites
- Feedback requested: How do you use tag hover descriptions for curating and do...
- What does a new user need in a homepage experience on Stack Overflow?
- Staging Ground Reviewer Motivation
Hot Network Questions
- What can I do when someone else is literally duplicating my PhD work?
- Quality difference between Sigma 30mm f1.4 Art and Contemporary
- Where did Geordi's eyes go?
- Hotspot vs home internet
- Why doesn't the world fill with time travelers?
- Need strftime() output in the buffer
- Could a minineptune host life at the surface with gas giant-style storms up above?
- Why do we reduce a body to its center of mass when calculating gain/loss of gravitational potential energy?
- Please help me to identify specific house plant
- Where should the chess pieces be placed in 4x4, 6x6 and 9x9 chessboards?
- How to make a ParametricPlot3D into solid shape
- Purpose of burn permit?
- Antenna speed: slow and fast tracking( explanation of a parameter in comparison table)
- Is the error in translation of Genesis 19:5 deliberate?
- My enemy sent me this puzzle!
- There are at least 3 versions of a quote, with 2 having different attributions. What is the original, who said it, and what does the quote mean?
- Lucas number multiples of Fibonacci pairs
- How to ensure a BSD licensed open source project is not closed in the future?
- Why does Russia strike electric power in Ukraine?
- What is the name of the book about a boy dressed in layers of clothes that isn't a boy?
- Why are volumes of revolution typically taught in Calculus 2 and not Calculus 3?
- Is it OK to make an "offshape" bid if you can handle any likely response?
- How can I draw water level in a cylinder like this?
- What's the proper way to shut down after a kernel panic?
- Programming
- Virtualization
- Productivity
Understanding User Rights Assignment - How to lock down or unlock your user's actions
Final notes
- https://www.experts-exchange.com/articles/3360/Understanding-User-Rights-Assignment-How-to-lock-down-or-unlock-your-user's-actions.html copy
- Active Directory
Comments (1)
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
The Original Tech Community
Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
User Rights Assignment Back To Not Defined
Is it possible to put a Local Policy User Rights Assignment back to Not Defined? There is not a checkbox to mark it as Not Defined. Is it possible to set any of the User Rights Assignments back to Not Defined?
I am trying to find an area of a Group Policy that is causing an issue with the installation of a Windows Feature. I have removed the computer from the domain and many parts of the GPO remains on the computer including User Rights Assignment. I am suspicious that this is causing the error I am getting. I would like to go through the User Rights Assignment to see what is causing the issue. If I can se it back to Not Defined per item them I can see what is causing the issue. But I do not see a way to check a box to put it back. I can remove everyone from the list of users/groups but that just makes the list blank and doesn't set it to Not Configured.
- group-policy
- security-policy
- If a local policy is configured as "Not Defined", it means the current value is the default value, which is either the value for enabled or the value for disabled. There a reason you cannot simply just set the value of the policy back to "not defined' using the group policy editor? Encourage you to provide more information, perhaps even explain what problem you are trying to solve, so we can answer your question. – Ramhound Commented Sep 8, 2017 at 20:10
- @Ramhound I added some information. I am trying to find a piece of URS causing errors on the installation of a windows server feature. – JukEboX Commented Sep 8, 2017 at 20:28
- Tell us the exact policy. What it modified in the registry should be easy to determine removing the keys will be how this is done – Ramhound Commented Sep 8, 2017 at 21:32
User Right Assignment don't have a "default" configuration.
This is due to the fact that these settings are modified by when certain Windows roles and features are installed. Other applications can also modify these rights, creating a situation where a one-size-fits-all definition of default would leave many systems half functional.
Further, the User Right Assignments fall into a broader category of GP settings that cannot be conveniently reverted to a default state due to an effect known as Group Policy tattooing.
You must apply your own "default" settings
If you only have a few User Rights to modify , edit the settings through the Local Group Policy editor ( gpedit.msc ) and refer to another workstation that has the desired rights assignments for your configuration.
If you have many User Rights to modify , then consider using the Secedit command-line tool to export the settings from a computer with the desired configuration and then apply them into the target machine. Example commands:
Export the current machine's User Rights Assignments:
Apply the exported User Rights Assignments to the local machine:
More Information
This Microsoft support article explains why it's not possible to restore Windows Security settings to a so-called default state and offers some possible workarounds.
This and this article discuss Group Policy tattooing and its implications for Windows Security Settings.
You must log in to answer this question.
Not the answer you're looking for browse other questions tagged windows group-policy security-policy ..
- The Overflow Blog
- LLMs evolve quickly. Their underlying architecture, not so much.
- From PHP to JavaScript to Kubernetes: how one backend engineer evolved over time
- Featured on Meta
- We've made changes to our Terms of Service & Privacy Policy - July 2024
- Bringing clarity to status tag usage on meta sites
Hot Network Questions
- Polyline to polygon
- Seifert Surfaces of Fibered Knots
- "Authorized ESTA After Incorrectly Answering Criminal Offense Question: What Should I Do?"
- Is there any video of an air-to-air missile shooting down an aircraft?
- How do you hide an investigation of alien ruins on the moon during Apollo 11?
- default-valued optional (boolean) parameter for a new command in tikz
- How do I safely remove a mystery cast iron pipe in my basement?
- How to ensure a BSD licensed open source project is not closed in the future?
- Inconsistent “unzip -l … | grep -q …” results with pipefail
- Flight left while checked in passenger queued for boarding
- Why is not it generally accepted that tyranids are the strongest most adaptable race in w40k?
- What's the origin of the colloquial "peachy", "simply peachy", and "just peachy"?
- In theory, could an object like 'Oumuamua have been captured by a three-body interaction with the sun and planets?
- Hotspot vs home internet
- What are the limits of Terms of Service as a legal shield for a company?
- Resonance structure of aromatic [S4N4]2+
- How to make a ParametricPlot3D into solid shape
- Quality difference between Sigma 30mm f1.4 Art and Contemporary
- How is the grammar of this sentence explained?
- Idiomatic alternative to “going to Canossa”
- using a tikz foreach loop inside a newcommand
- Can I use "historically" to mean "for a long time" in "Historically, the Japanese were almost vegetarian"?
- Bound on when sequence of norms of matrix powers starts to decrease
- Feasibility of unpressurized space farms containing vacuum-adapted plants
Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Allow logon locally option grayed out
We have a Domain Controller running on windows2012R2.
All local computers are on Windows10.
When i try to login to one of the client computer with Domain User Credentials i get an error
What could be the issue?
I tried to add users to " Allow log on locally " Policy on Local computer with Local admin login but im unable to add users or groups
Is there any work around?
please suggest.
- group-policy
- Probably UAC; use "Run as administrator" to launch the policy editor. Anyway, there already is "Everyone" listed... you can't really add much more. – Massimo Commented Apr 4, 2016 at 19:17
- i tried running with administrator even , no Luck. . if this is not the solution, what could be the issue "The sign in method . . . . " :/ – Uday Sriramadas Commented Apr 4, 2016 at 19:22
- 1 Seems like a user/computer GPO setting more than a local computer. Might want to check the GPO settings on the server more than on the local computer. – Naryna Commented Apr 4, 2016 at 19:22
- May be , Do you have any idea which GPO may cause this thing? #Brandyn – Uday Sriramadas Commented Apr 4, 2016 at 19:26
- You can use gpresult to find what GPOs are applied to the computer. – Massimo Commented Apr 4, 2016 at 19:28
You need to manage this element via Group Policy Management. Czerw11 did a good write up of the process of using Group Policy Management to update this on your domain controllers via the Default Domain Controller Policy, you can extend this to your client policy as well.
https://czerwsup.wordpress.com/2014/11/05/allow-log-on-locally-add-new-user-greyed-out-fix-via-domain-controller-policy-settings/
Summary Steps:
- Admin Tools
- Group Policy Management
- Navigate through your domain to Default Domain Policy in your case (not Default Domain Controllers Policy as in the example)
To improve this answer, the best practice is to not edit the Default Domain Controllers Policy, but to create a GPO with these policies changes and assign it to the narrowest OU you need to affect the servers. If you edit the Default Policies you remove all of the default permissions.
- Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies
- User Rights Assignment
- Double Click on Allow Log On Locally and add your users
You must log in to answer this question.
Not the answer you're looking for browse other questions tagged group-policy login windows-10 ..
- The Overflow Blog
- LLMs evolve quickly. Their underlying architecture, not so much.
- From PHP to JavaScript to Kubernetes: how one backend engineer evolved over time
- Featured on Meta
- We've made changes to our Terms of Service & Privacy Policy - July 2024
- Bringing clarity to status tag usage on meta sites
Hot Network Questions
- Does a MySQL replication slave need to be as powerful as the master?
- How does current in the cable shield affect the signal in the wires within
- Is it possible to do physics without mathematics?
- "Authorized ESTA After Incorrectly Answering Criminal Offense Question: What Should I Do?"
- Did US troops insist on segregation in British pubs?
- When was this photo taken?
- Where did Geordi's eyes go?
- Quality difference between Sigma 30mm f1.4 Art and Contemporary
- Solve an equation perturbatively
- Immutability across programming languages
- In theory, could an object like 'Oumuamua have been captured by a three-body interaction with the sun and planets?
- How do I scan both pages on a piece of paper using Document Scanner 42.0?
- Meaning of て form here: 「あなたどう思って?」と聞いた。
- Canceling factors in a ratio of factorials
- Polyline to polygon
- How do you hide an investigation of alien ruins on the moon during Apollo 11?
- Why cant we save the heat rejected in a heat engine?
- What can I do when someone else is literally duplicating my PhD work?
- Why does Russia strike electric power in Ukraine?
- What's the proper way to shut down after a kernel panic?
- Could a minineptune host life at the surface with gas giant-style storms up above?
- Can I use "historically" to mean "for a long time" in "Historically, the Japanese were almost vegetarian"?
- What are the limits of Terms of Service as a legal shield for a company?
- How can I draw water level in a cylinder like this?
- NIST 800-53
- Common Controls Hub
The Adjust memory quotas for a process user right must only be assigned to Administrators, Local Service, and Network Service.
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-63849 | WN10-UR-000020 | SV-78339r1_rule | Medium |
| Description |
|---|
| Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Adjust memory quotas for a process" user right can adjust memory that is available to processes, and could be used in a denial of service (DoS) attack. |
| STIG | Date |
|---|---|
| 2015-11-30 |
| Check Text ( C-64599r1_chk ) |
|---|
| Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Adjust memory quotas for a process" user right, this is a finding: Administrators LOCAL SERVICE NETWORK SERVICE |
| Fix Text (F-69777r1_fix) |
|---|
| Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Adjust memory quotas for a process" to only include the following groups or accounts: Administrators LOCAL SERVICE NETWORK SERVICE |
Fix: This user does not have the required permissions to run Setup
Double-click “Manage auditing and security log”.
Type administrators and click Check Names .
One small request: If you liked this post, please share this?
About the author, leave a comment cancel reply.
System configuration tools in Windows
Windows provides a variety of configuration tools tailored to meet the needs of different users. These built-in tools facilitate your device's customization and monitoring, allowing you to change Windows' configuration to suit your preferences and requirements with precision.
This article describes the essential tools that you can use to manage Windows, and each section of this article provides a concise overview of a specific tool. You'll find a brief description of the tool's functionality, its applications, and instructions on how to access it. This structured approach ensures that you can quickly identify the tool you need and understand how to use it effectively for your particular requirements.
Expand each section to learn more about each tool and discover how Windows caters to both novice and advanced users, ensuring everyone can optimize their system with ease.
|
| is the main application to customize and manage Windows settings. It's designed with simplicity, accessibility, and ease of use in mind, providing a more intuitive and user-friendly experience than the traditional Control Panel. The app is organized into categories, to quickly navigate and adjust settings to suit your preferences and needs. The Settings app is continually updated to support the latest Windows features. From Settings, you can also find support and troubleshooting help, making it a central hub for maintaining the health and functionality of Windows. To open Settings you can use one of the following methods: and select +I
|
Task Manager
|
| is an application that serves as a system monitor and startup manager for Windows, providing insights into your device's performance and resource consumption. It allows you to view and manage running applications, assess CPU load, memory usage, disk activity, and network usage. With Task Manager you can terminate unresponsive programs, adjust startup applications, and monitor active user sessions, ensuring optimal system performance and user control. To open the Task Manager, you can use one of the following methods: and select |
Computer Management
|
| The console is a Microsoft Management Console (MMC) snap-in that provides a centralized location for managing various system components, services, and settings on Windows. It includes tools for managing disks, services, devices, shared folders, and users, among other administrative tasks. The console is particularly useful for IT professionals and advanced users who need to perform administrative tasks on local or remote computers. To open the Computer Management console, you can use one of the following methods: and select +R, type compmgmt.msc and press Enter |
Event Viewer
|
| The is a Microsoft Management Console (MMC) snap-in that you can use to view and manage event logs. It provides a detailed record of system, security, and application events on a Windows device, which can be invaluable for troubleshooting and monitoring system health. The Event Viewer can display information such as the source of an event, the date and time it occurred, and any associated error codes or messages. The Event Viewer is organized into categories like Windows Logs, Application and Services Logs, and Subscriptions. Users can filter logs by criteria such as event level, date, and keywords to quickly locate relevant events. The Event Viewer also allows users to save log files for analysis and export event data for external use. For IT professionals, the Event Viewer is a powerful tool for diagnosing problems, auditing system activity, and ensuring compliance with security policies. It's also used to track the health and status of servers and other critical infrastructure components. To open the Event Viewer, you can use one of the following methods: and select +R, type eventvwr.msc and press Enter |
Control Panel
|
| The is a feature that's been part of Windows for a long time. It provides a centralized location to view and manipulate system settings and controls. Through a series of applets, you can adjust various options ranging from system time and date to hardware settings, network configurations, and more. Many of the settings in Control Panel are in the process of being migrated to the app, which offers a more modern and streamlined experience. while the Control Panel still exists for compatibility reasons and to provide access to some settings that have not yet migrated, you're encouraged to use the Settings app, whenever possible.To open the Control Panel, you can use one of the following methods: +R, type control and press Enter |
System Configuration
|
| is a system utility that allows you to troubleshoot issues with Windows startup. It provides options to customize the startup process, including the ability to enable or disable software, control startup services, and access other advanced system settings. System Configuration can be particularly useful when diagnosing performance issues or software conflicts, as it allows you to selectively start the system with only essential services and programs running. The utility includes several tabs such as General, Boot, Services, Startup, and Tools, each offering different functions for managing the system's startup behavior. For example, the Services tab allows you to disable services that might be causing issues, while the Startup tab (which redirects to Task Manager in newer versions of Windows) lets you manage the programs that launch at startup. System Configuration is a powerful tool, and it should be used with caution. Incorrectly configuring system settings can lead to system instability or prevent Windows from starting correctly. Therefore, it's recommended that you create a backup of your system before making changes with System Configuration.To open System Configuration, you can use one of the following methods: +R, type MSConfig and press Enter |
System Information
|
| is a system utility that provides a comprehensive view of the hardware, system components, and software environment on a Windows device. It is particularly useful for gathering information that can help diagnose issues with a device's configuration. The tool can display a vast array of details, including installed hardware, system drivers, services, and running processes, among others. To open System Information, you can use one of the following methods: +R, type msinfo32 and press Enter open System Information with Administrator privileges to ensure accurate reporting of system drivers and services. |
Registry Editor
|
| The is a powerful tool used to view and modify the system registry. The registry is a database that stores low-level settings for Windows and for applications that opt to use it. The Registry Editor allows you to change settings that are not exposed in the user interface, including system policies, installed applications, and the types of files that certain applications can open. To open the Registry Editor, you can use one of the following methods: +R, type regedit and press Enter When using the Registry Editor, it's important to proceed with caution. Improper changes to the registry can cause significant issues, including system instability, application errors, or even prevent Windows from starting. Always ensure you have backed up the registry before making any changes, and only modify registry settings if you are confident in your understanding of the potential impact. It's advisable to follow trusted guidance or consult with an IT professional when in doubt. |
Local Group Policy Editor
|
| The is a Microsoft Management Console (MMC) snap-in that provides a single user interface through which all the settings of local group policy object can be managed. It's used by administrators to configure policies for a local computer, without affecting other users or computers in the network. The editor includes a wide range of settings that control various aspects of the operating system, such as security options, system behaviors, user environment settings, and more. The Local Group Policy Editor is not availabe on Windows Home edition.The Local Group Policy Editor is particularly useful for managing devices that are not part of a domain or not centrally managed by an organization. For devices that are member of a domain, group policy settings are typically managed centrally by the IT department. using the Group Policy Management Console or a Mobile Device Management (MDM) solution. However, for local policies, the Local Group Policy Editor is the go-to tool. It allows administrators to enforce specific configurations that are not available through the Settings app or the Control Panel. To open the Local Group Policy Editor, you can use one of the following methods: +R, type gpedit.msc and press Enter Changes made in the Local Group Policy Editor can significantly affect the computer's operation, so it is recommended that only experienced administrators use this tool, and that they carefully plan and test any changes before applying them to production environments. |
Advanced System Settings
|
| is a system utility that you can use to access and modify settings that are not typically available in Settings or Control Panel. This utility is particularly useful for IT professionals or advanced users who need to configure system properties, environment variables, performance settings, and user profiles for optimal system performance. making changes using Advanced System Settings should be done with caution, as incorrect settings can affect system stability.To open Advanced System Settings, you can use one of the following methods: +R, type SystemPropertiesAdvanced and press Enter |
Need more help?
Want more options.
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Microsoft 365 subscription benefits
Microsoft 365 training
Microsoft security
Accessibility center
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
Ask the Microsoft Community
Microsoft Tech Community
Windows Insiders
Microsoft 365 Insiders
Was this information helpful?
Thank you for your feedback.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Policy CSP - UserRights
- 26 contributors
This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds . These settings are subject to change and may have dependencies on other features or services in preview.
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures .
Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
General example
Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.
Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator.
Grant a user right to Administrators group via SID:
Grant a user right to multiple groups (Administrators, Authenticated Users) via SID:
Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings:
Grant a user right to multiple groups (Authenticated Users, Administrators) via strings:
Empty input indicates that there are no users configured to have that user right:
If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag ( <![CDATA[...]]> ) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
 is the entity encoding of 0xF000 .
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:
For example, the following syntax grants user rights to a specific user or group, by using the SID of the account or group:
AccessCredentialManagerAsTrustedCaller
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
This user right is used by Credential Manager during Backup/Restore. No accounts should've this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
Description framework properties :
| Property name | Property value |
|---|---|
| Format | (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ) |
Group policy mapping :
| Name | Value |
|---|---|
| Name | Access Credential Manager ase a trusted caller |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
AccessFromNetwork
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services aren't affected by this user right.
Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
| Name | Value |
|---|---|
| Name | Access this computer from the network |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ActAsPartOfTheOperatingSystem
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
Assigning this user right can be a security risk. Only assign this user right to trusted users.
| Name | Value |
|---|---|
| Name | Act as part of the operating system |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
AdjustMemoryQuotasForProcess
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
| Name | Value |
|---|---|
| Name | Adjust memory quotas for a process |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
AllowLocalLogOn
This user right determines which users can log on to the computer.
Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
| Name | Value |
|---|---|
| Name | Allow log on locally |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
AllowLogOnThroughRemoteDesktop
Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.
| Name | Value |
|---|---|
| Name | Allow log on through Remote Desktop Services |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
BackupFilesAndDirectories
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read.
Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users.
| Name | Value |
|---|---|
| Name | Back up files and directories |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
BypassTraverseChecking
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege doesn't allow the user to list the contents of a directory, only to traverse directories.
| Name | Value |
|---|---|
| Name | Bypass traverse checking |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ChangeSystemTime
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
When you configure user rights, it replaces existing users or groups that were previously assigned to those user rights. The system requires that the Local Service account (SID S-1-5-19 ) always has the ChangeSystemTime right. Always specify Local Service , in addition to any other accounts that you need to configure in this policy.
If you don't include the Local Service account, the request fails with the following error:
| Error code | Symbolic name | Error description | Header |
|---|---|---|---|
| (Hex) | ERROR_NOT_SUPPORTED | The request isn't supported. | winerror.h |
| Name | Value |
|---|---|
| Name | Change the system time |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ChangeTimeZone
This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and isn't affected by a change in the time zone.
| Name | Value |
|---|---|
| Name | Change the time zone |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
CreateGlobalObjects
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.
Assigning this user right can be a security risk. Assign this user right only to trusted users.
| Name | Value |
|---|---|
| Name | Create global objects |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
CreatePageFile
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users.
| Name | Value |
|---|---|
| Name | Create a pagefile |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
CreatePermanentSharedObjects
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it isn't necessary to specifically assign it.
| Name | Value |
|---|---|
| Name | Create permanent shared objects |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
CreateSymbolicLinks
This user right determines if the user can create a symbolic link from the computer he is logged-on to.
This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
| Name | Value |
|---|---|
| Name | Create symbolic links |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
CreateToken
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System.
Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.
| Name | Value |
|---|---|
| Name | Create a token object |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
DebugPrograms
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
| Name | Value |
|---|---|
| Name | Debug programs |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
DenyAccessFromNetwork
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
| Name | Value |
|---|---|
| Name | Deny access to this computer from the network |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
DenyLocalLogOn
This security setting determines which service accounts are prevented from registering a process as a service.
This security setting doesn't apply to the System, Local Service, or Network Service accounts.
| Name | Value |
|---|---|
| Name | Deny log on as a service |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
DenyLogOnAsBatchJob
This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.
| Name | Value |
|---|---|
| Name | Deny log on as a batch job |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
DenyLogOnAsService
Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.
This security setting doesn't apply to the System, Local Service, or Network Service accounts. Default: None.
DenyRemoteDesktopServicesLogOn
This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
| Name | Value |
|---|---|
| Name | Deny log on through Remote Desktop Services |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
EnableDelegation
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that's granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that's trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set.
Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
| Name | Value |
|---|---|
| Name | Enable computer and user accounts to be trusted for delegation |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
GenerateSecurityAudits
This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
| Name | Value |
|---|---|
| Name | Generate security audits |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ImpersonateClient
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they've created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they're started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that's being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users don't usually need this user right.
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
| Name | Value |
|---|---|
| Name | Impersonate a client after authentication |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
IncreaseProcessWorkingSet
Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.
Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.
| Name | Value |
|---|---|
| Name | Increase a process working set |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
IncreaseSchedulingPriority
This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
If you remove Window Manager\Window Manager Group from the Increase scheduling priority user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver.
On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
| Name | Value |
|---|---|
| Name | Increase scheduling priority |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
LoadUnloadDeviceDrivers
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users.
| Name | Value |
|---|---|
| Name | Load and unload device drivers |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
| Name | Value |
|---|---|
| Name | Lock pages in memory |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
LogOnAsBatchJob
This security setting allows a user to be logged-on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
| Name | Value |
|---|---|
| Name | Log on as a batch job |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
LogOnAsService
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.
| Name | Value |
|---|---|
| Name | Log on as a service |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ManageAuditingAndSecurityLog
This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
| Name | Value |
|---|---|
| Name | Manage auditing and security log |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ManageVolume
This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
| Name | Value |
|---|---|
| Name | Perform volume maintenance tasks |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ModifyFirmwareEnvironment
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.
This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
| Name | Value |
|---|---|
| Name | Modify firmware environment values |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ModifyObjectLabel
This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
| Name | Value |
|---|---|
| Name | Modify an object label |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ProfileSingleProcess
This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
| Name | Value |
|---|---|
| Name | Profile single process |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ProfileSystemPerformance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.
| Name | Value |
|---|---|
| Name | Profile system performance |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
RemoteShutdown
This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
| Name | Value |
|---|---|
| Name | Force shutdown from a remote system |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ReplaceProcessLevelToken
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.
| Name | Value |
|---|---|
| Name | Replace a process level token |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
RestoreFilesAndDirectories
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write.
Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
| Name | Value |
|---|---|
| Name | Restore files and directories |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
ShutDownTheSystem
This security setting determines which users who are logged-on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.
| Name | Value |
|---|---|
| Name | Shut down the system |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
TakeOwnership
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
| Name | Value |
|---|---|
| Name | Take ownership of files or other objects |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
Related articles
Policy configuration service provider
Was this page helpful?
Additional resources
IMAGES
COMMENTS
1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...
The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local device by using the ...
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Default values. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
In the console tree, click Computer Configuration, select Windows Settings, and then select Security Settings. Do one of the following: Select Account Policies to edit the Password Policy or Account Lockout Policy. Select Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options. In the details pane, double-click the ...
Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.
4. You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy. To modify this policy, either:
Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators. Users.
I want to modify the user rights associated with a local user account.I want to add groups and users to a particular User Rights. This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
The User Rights Assignment section of Windows Policy is where you get to manage this stuff. To see for yourself, open the default domain controllers Group Policy Object (GPO) or run gpedit.msc. With the policy management window open, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
You must apply your own "default" settings. If you only have a few User Rights to modify, edit the settings through the Local Group Policy editor ( gpedit.msc) and refer to another workstation that has the desired rights assignments for your configuration. If you have many User Rights to modify, then consider using the Secedit command-line tool ...
If you edit the Default Policies you remove all of the default permissions. Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies. User Rights Assignment. Double Click on Allow Log On Locally and add your users. Share.
I went to make changes in the local computer policy, specifically >windows settings> security settings>local policies>user rights assignment. It appears that security settings>local policies>user rights assignment are locked as are the local policies (little padlock on the file) I am the administrator of the computer -- the only user -- how do I unlock these folders so I can make changes.
Common scenarios for using security settings policies. Security settings policies are used to manage the following aspects of security: accounts policy, local policy, user rights assignment, registry values, file and registry Access Control Lists (ACLs), service startup modes, and more.
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. - Administrators - Authenticated Users - Enterprise Domain Controllers
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Default values. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. If any groups or accounts other than the following are granted the "Adjust memory quotas for a process" user right, this is a finding:
You can view the security policies on your computer by opening a admin Command Prompt and running the command secedit /export /cfg c:\secpol.txt. Then, inspect c:\secpol.txt or compare it with another Windows 10/11 computer to see which settings are incorrect. You may also run whoami /priv to check the privileges for the current user account.
The Computer Management console is a Microsoft Management Console (MMC) snap-in that provides a centralized location for managing various system components, services, and settings on Windows.It includes tools for managing disks, services, devices, shared folders, and users, among other administrative tasks. The console is particularly useful for IT professionals and advanced users who need to ...
The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local computer by using the ...
This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview. User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the ...