Use NTRights To Grant Specific Privileges

Generally, you use the Security Policy Editor, aka “secpol.msc” to grant rights to accounts under Windows NT (NT, 2000, XP, Server 2003). There are two cases where you wouldn’t do this, though.

  • The Security Policy Editor won’t run under Windows XP Home.
  • You may wish to change the rights using a script.

In either of these cases, you’ll want to use the NTRights utility.

NTRights is available, as a standalone component, from Dynawell, or as a component in the Windows 2003 Server Resource Kit Tools.

You can run NTRights depending upon how it was downloaded and installed.

  • If you downloaded NTRights as a standalone component from Dynawell, and copied NTRights.exe into a folder in the Path, you can run NTRights directly from a command window.
  • If you downloaded and installed the Server Resource Kit Tools, you run NTRights from a SRK command shell.
    • Hit Start.
    • Hit All Programs.
    • Hit Windows Resource Kit Tools.
    • Hit Command Shell.

NTRights is case and syntax sensitive, so you may want to look at the command help – type “ntrights /?” at the prompt. Or you can read How to Set Logon User Rights with the Ntrights.exe Utility. You may also find How to: Determine NTRIGHTS Names and Meanings informative.

As an example, to allow the Guest account to be used for network access, you grant the SeNetworkLogonRight. Enter precisely:

ntrights +r SeNetworkLogonRight -u Guest

Read the documentation carefully, and remember:

  • Distinguish properly between “+r” and “-r”.
  • All rights names, such as “SeNetworkLogonRight”, are case sensitive.
  • There are 4 words (strings of non-blank characters) after “ntrights”, in the above example. Each word must be preceded by a space.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: