You can use the ntrights.exe utility to allow or deny user permissions on users and groups from the command line or batch file processing. The ntrights.exe utility is included in Windows NT Server 4.0 Resource Kit Supplement 3.
The ntrights.exe tool uses the following syntax:
Ntrights + R-/R user_right-u & quot account _ m // computer_name "name "-
Location:
• + R is used to add user permissions.
•-R is used to revoke user permissions.
• User_right is used to grant or revoke user rights.
• "Account _ name" is the name of a user or group (enclosed in quotation marks) That is modifying its user permissions.
• The computer name is the name of the remote computer where the user permission is changed. If M option and computer name are not specified, a change occurs on the Local Computer -.
The permission must be administrator privilege. The following table lists how to change user permissions by using the ntrights.exe utility.
Note: The following is a distinction between user rights and user rights that must be entered exactly as shown below:
The right side of WindowsNT allows the user
Seassignprimarytokenprivilege replaces the process-level token
Seauditprivilege generates security audit
SeBackupPrivilege backup file and directory
SeBatchLogonRight
Sechangenotifyprivilege bypasses the traversal check
Secreatepagefileprivilege
Secreatepermanentprivilege
Secreatetokenprivilege
Sedebugprivilege debugging program
Seincreasebasepriorityprivilege increases the scheduling priority
Seincreasequot1_vilege increases the quota
SeInteractiveLogonRight local Login
Seloaddriverprivilege
SeLockMemoryPrivilege Memory Lock page
Semachineaccountprivilege add workstation to domain
SeNetworkLogonRight accesses this computer from the network
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege Force Shutdown From Remote System
Serestoreprivilege Restore files and directories
Sesecurityprivilege management audit and security logs
SeServiceLogonRight
Seshutdownprivilege shut down the system
Sesystemenvironmentprivilege
Sesystemprofileprivilege: configure system performance
Sesystemtimeprivilege: Change System Time
Setakeownershipprivilege obtains the ownership of a file or other objects.
Setcbprivilege acts as part of the operating system
Seunsolicitedinputprivilege reads unrequested input from the terminal device
Example: You can use the ntrights.exe utility to selectively revoke the local logon permission on the local computer so that only members of the local administrators can log on. By default, the following groups of Windows NT Workstation 4.0 computers have local logon User Permissions:
• Administrator
• Backup Operator
• All
• Laibin
• Powerusers
• Users
To revoke local logon user permissions for all groups but local administrators, the batch file contains the following commands:
Ntrights-r SeInteractiveLogonRight-U "backupoperators"
Ntrights-r SeInteractiveLogonRight-U "everyone"
Ntrights-r SeInteractiveLogonRight-U "guests"
Ntrights-r SeInteractiveLogonRight-U "superuser"
Ntrights-r SeInteractiveLogonRight-U "user"
For more information about how to use the ntrights.exe utility, see the rktools. HLP File in Windows NT Server 4.0 Resource Kit Supplement 3.