What Do User Rights Do?
User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain.
What Do They Include?
User rights include logon rights and permissions.
- Logon rights control who is authorized to log on to a computer and how they can log on.
- User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects.
How are User Rights Managed?
User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events.
Configure the user rights assignment settings in the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local computer by using the Local Group Policy Editor (gpedit.msc).
Which Event IDs to Look For?
Event IDs 4704 and 4705 document a change to user right assignments on a Windows computer, including the right and the user or group that received the new right.
Event ID 4704: A user right was assigned
Event ID 4705: A user right was removed
Keep in mind that "user rights" and "privileges" are synonymous terms, used interchangeably in Windows.
As with most other security settings in Windows, rights are defined in Group Policy objects and applied by the computer. This event, therefore, will normally show the Assigned By user as the system itself.
How to Determine Who Actually Made the Changes?
To actually determine who made the rights assignment change, you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing).
The Logon ID allows you to link this event to the prior 4624 logon event of the user who performed this action.
Note: Events 4704 and 4705 do not log changes to logon rights such as "Access this computer from the network" or "Log on as a service".
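The triage described above, as an added example that is not part of the original post: it reads 4704/4705 events from an exported Security log in Event Viewer XML form, resolves each constant name to its Group Policy name, and links the Logon ID to a 4624 logon in the same export. The sample events, SIDs and account names are constructed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACTIONS = {"4704": "assigned", "4705": "removed"}
SYSTEM_LOGON_ID = 0x3e7  # logon session of the local SYSTEM account
# Constant name -> Group Policy name (subset of this page's table).
RIGHTS = {"SeDebugPrivilege": "Debug programs",
          "SeBackupPrivilege": "Back up files and directories",
          "SeLoadDriverPrivilege": "Load and unload device drivers"}

def make_event(eid, **data):
    """Build one constructed event in the Event Viewer XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample export (not real log data); the domain SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = "<Events>" + "".join([
    make_event(4624, TargetUserName="jsmith", TargetDomainName="CORP",
               TargetLogonId="0x2a3f1", LogonType="2"),
    make_event(4704, SubjectUserName="jsmith", SubjectLogonId="0x2A3F1",
               TargetSid=SID + "-1120",
               PrivilegeList="SeDebugPrivilege\n\t\t\tSeLoadDriverPrivilege"),
    make_event(4705, SubjectUserName="WKS01$", SubjectLogonId="0x3e7",
               TargetSid="S-1-5-32-551", PrivilegeList="SeBackupPrivilege"),
]) + "</Events>"

def rights_changes(xml_text):
    """Return one record per right changed, with the session that changed it."""
    events = [(ev.findtext("e:System/e:EventID", namespaces=NS),
               {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)})
              for ev in ET.fromstring(xml_text).iterfind("e:Event", NS)]
    # 4624 names the new session in TargetLogonId; 4704/4705 carry it as SubjectLogonId.
    logons = {int(d["TargetLogonId"], 16): d["TargetDomainName"] + "\\" + d["TargetUserName"]
              for eid, d in events if eid == "4624"}
    out = []
    for eid, d in events:
        if eid not in ACTIONS:
            continue
        lid = int(d["SubjectLogonId"], 16)
        if lid == SYSTEM_LOGON_ID:  # policy refresh: the GPO editor is in the DC logs
            actor = "SYSTEM (policy applied by the computer)"
        else:
            actor = logons.get(lid, f"unknown session {lid:#x}")
        for right in d["PrivilegeList"].split():  # one event can list several rights
            out.append({"action": ACTIONS[eid], "right": right, "actor": actor,
                        "policy_name": RIGHTS.get(right, "(not in this subset)"),
                        "target_sid": d["TargetSid"]})
    return out

if __name__ == "__main__":
    for change in rights_changes(SAMPLE):
        print(change)
```

A record whose actor is SYSTEM is the normal Group Policy case; a record tied to an interactive session points to a change made directly on that computer.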
User Rights
System name | Description |
SeTcbPrivilege | Act as part of the operating system |
SeMachineAccountPrivilege | Add workstations to domain |
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process |
SeBackupPrivilege | Back up files and directories |
SeChangeNotifyPrivilege | Bypass traverse checking |
SeSystemtimePrivilege | Change the system time |
SeCreatePagefilePrivilege | Create a pagefile |
SeCreateTokenPrivilege | Create a token object |
SeCreatePermanentPrivilege | Create permanent shared objects |
SeDebugPrivilege | Debug programs |
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
SeRemoteShutdownPrivilege | Force shutdown from a remote system |
SeAuditPrivilege | Generate security audits |
SeIncreaseBasePriorityPrivilege | Increase scheduling priority |
SeLoadDriverPrivilege | Load and unload device drivers |
SeLockMemoryPrivilege | Lock pages in memory |
SeSecurityPrivilege | Manage auditing and security log |
SeSystemEnvironmentPrivilege | Modify firmware environment values |
SeManageVolumePrivilege | Perform volume maintenance tasks |
SeProfileSingleProcessPrivilege | Profile single process |
SeSystemProfilePrivilege | Profile system performance |
SeUndockPrivilege | Remove computer from docking station |
SeAssignPrimaryTokenPrivilege | Replace a process level token |
SeRestorePrivilege | Restore files and directories |
SeShutdownPrivilege | Shut down the system |
SeSyncAgentPrivilege | Synchronize directory service data |
SeTakeOwnershipPrivilege | Take ownership of files or other objects |