Modifying Windows User Rights

Modifying Windows User Rights
Last Updated: 09 Feb 2003
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***


The following tools can be used to VIEW and/or MANIPULATE
Windows User Rights in NT/2000/XP and 2003:


CONSOLE

• SECEDIT ................ Native Utility
• NTRIGHTS ............... Resource Kit
• SHOWPRIV ............... Resource Kit

• AINTX Utilities ........ http://www.dwam.net/docs/aintx/
• DameWare Utils ......... http://www.dameware.com/
• NTSEC UTILS ............ http://www.pedestalsoftware.com/
• GRANT .................. http://www.franzo.co.nz/hansson/grant.htm


GUI

• EXPLORER ............... Native Utility
• WINFILE ................ Native Utility
• MMC (Local Security) ... Native Utility

• Domain Assistant ....... http://www.softwareshelf.com/products/domain.asp


ACCESSING LOCAL USER RIGHTS VIA GUI

• Windows 2000 and Later (excluding XP Home):
	 1. START --> RUN --> SECPOL.MSC
	 2. Expand "Local Security Settings"
	 3. Expand "Local Policies"
	 4. Select "User Rights Assignment"


WHITEPAPERS & TECH DOCUMENTS

• http://support.microsoft.com/?KBID=245207
• http://support.microsoft.com/?KBID=279664
• http://support.microsoft.com/?KBID=266280
• http://support.microsoft.com/?KBID=245040
• http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp
• http://msdn.microsoft.com/library/en-us/gp/615.asp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ADDITIONAL SEARCH OPTIONS (MS KB)

• http://msdn.microsoft.com/
• http://www.microsoft.com/technet/
• http://www.microsoft.com/

  EXACT PHRASE ........... "NTRIGHTS"
  ALL WORDS .............. "Local Security Policy"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


PERSONAL NOTES

• XP HOME does not support Local Security Polices or
  domain memberhip.

• Under Win2K, the USER RIGHTS settings have been moved
  to "Administrative Tools" --> "Local Security Policy"
  under the MMC (%SystemRoot%\SYSTEM32\SECPOL.MSC)

• SECPOL will only address local security policy.  It
  does not appear possible to change the focus to a
  remote system, as you could under NT4.  You can still
  use NTRIGHTS to make any necessary changes on single
  machines, or use Group Policy at a domain or OU level.