User rights assignment in Windows Server 2016


Leos Marek


Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

  • Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
  • Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

  • Domain Controllers (DC)
  • Member Servers (MS)
  • User Workstations

Configuring user rights assignment via Group Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

Security policies do not support generated group names


The following groups are used throughout this article:

  • Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
  • Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
  • Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
  • Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
  • Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

  • CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
  • CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry; there will be no further emails unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example


User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up and restore data on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as the inability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.
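
The recommended values above can be compared with what a server actually has configured. The following PowerShell is an added example, not code from the original article: it parses a "secedit /export /areas USER_RIGHTS" file and reports every right that differs from the member-server values listed above. The function names and the embedded export are constructed for illustration, and the DC, IIS, Exchange, and Connection Broker exceptions from the notes are not modelled.

```powershell
# Added example. The baseline encodes the member-server values from the article above.
# secedit exports SIDs, so groups are written as well-known SIDs.
$Admins      = 'S-1-5-32-544'   # Administrators
$Guests      = 'S-1-5-32-546'   # Guests
$LocalAdmins = 'S-1-5-114'      # Local account and member of Administrators group

$Baseline = @{
    SeTrustedCredManAccessPrivilege   = @()                      # no one
    SeCreateTokenPrivilege            = @()                      # no one
    SeNetworkLogonRight               = $Admins, 'S-1-5-11'      # + Authenticated Users
    SeRemoteInteractiveLogonRight     = $Admins, 'S-1-5-32-555'  # + Remote Desktop Users
    SeSystemtimePrivilege             = $Admins, 'S-1-5-19'      # + Local Service
    # Administrators, Local Service, Network Service, Service
    SeImpersonatePrivilege            = $Admins, 'S-1-5-19', 'S-1-5-20', 'S-1-5-6'
    SeDenyNetworkLogonRight           = $LocalAdmins, $Guests
    SeDenyRemoteInteractiveLogonRight = $LocalAdmins, $Guests
}
foreach ($r in 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight', 'SeDenyInteractiveLogonRight') {
    $Baseline[$r] = @($Guests)
}
foreach ($r in 'SeInteractiveLogonRight', 'SeBackupPrivilege', 'SeRestorePrivilege',
               'SeRemoteShutdownPrivilege', 'SeShutdownPrivilege', 'SeSecurityPrivilege',
               'SeTakeOwnershipPrivilege', 'SeDebugPrivilege', 'SeProfileSingleProcessPrivilege',
               'SeSystemProfilePrivilege', 'SeLoadDriverPrivilege') {
    $Baseline[$r] = @($Admins)
}

function Resolve-Entry([string]$Entry) {
    # "*S-1-..." is a SID; anything else is written by secedit as an account name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try { ([System.Security.Principal.NTAccount]$Entry).Translate($sidType).Value }
    catch { $Entry }   # unresolvable name: report it verbatim
}

function ConvertFrom-UserRightsInf([string[]]$Line) {
    # Returns a hashtable: right name -> array of SIDs. A right that is absent is held by no one.
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } |
                               Where-Object { $_ } | ForEach-Object { Resolve-Entry $_ })
        }
    }
    $rights
}

function Compare-UserRightsBaseline([hashtable]$Actual, [hashtable]$Expected) {
    foreach ($right in $Expected.Keys) {
        $want    = @($Expected[$right])
        $have    = @(if ($Actual.ContainsKey($right)) { $Actual[$right] })
        $extra   = @($have | Where-Object { $_ -notin $want })
        $missing = @($want | Where-Object { $_ -notin $have })
        [pscustomobject]@{
            Right      = $right
            Compliant  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
            Unexpected = ($extra -join ', ')
            Missing    = ($missing -join ', ')
        }
    }
}

# Constructed sample of the file written by: secedit /export /cfg ur.inf /areas USER_RIGHTS
# On a real host (elevated prompt), use instead: $export = Get-Content ur.inf
$export = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeLoadDriverPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# List only the rights that deviate from the baseline.
Compare-UserRightsBaseline -Actual (ConvertFrom-UserRightsInf $export) -Expected $Baseline |
    Where-Object { -not $_.Compliant } | Sort-Object Right |
    Format-Table Right, Unexpected, Missing -AutoSize
```

Run on a schedule, the same comparison shows when a right has drifted from the baseline on a machine that is not covered by a GPO.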

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.


Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run the invoke-RDUserLogoff(with correct hostserver and unifiedsessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.


Sir we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly even after entering the credentials of user1 in event viewer it is taking loggedin credentials of the user logged into server2.


Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022


This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script; you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

How to get it.


All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station

Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters; this also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

.\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

.\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

.\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights); you may copy and paste the above script into your PowerShell ISE and press play.

Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters; this also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:


My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.



User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer-level actions that you can assign to users or groups. For the sake of maintainability, you should assign privileges only to groups, not to individual users. Each computer has its own user rights assignments. In particular, this means you should be cognizant of rights assignments on member servers, which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain, use Group Policy.

  • Logon rights
  • Admin equivalent rights
  • Tracking user rights with the security log
  • User rights in-depth
  • Access this computer from the network
  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Allow log on locally
  • Allow logon through Terminal Services
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create global objects
  • Create permanent shared objects
  • Debug programs
  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally
  • Deny logon through Terminal Services
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Impersonate a client after authentication
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files and other objects


Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

In this article, we will look at several ways to manage non-admin user permissions to restart or shutdown Windows workstations or servers. By default, non-privileged users can only reboot and shut down desktop versions of Windows, and cannot restart a Windows Server host (shutdown and restart buttons are not available in the Start Menu). Is it possible to allow a user without local administrator privileges to restart Windows Server?  There is also a reverse task – how to prevent users from restarting a computer with Windows 10 or 11, which is used as an information kiosk, dispatch console, etc.

How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO


You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an operating system.

Please note that the default restart/shutdown permissions for desktop versions of Windows 10/11 and Windows Server editions are different.

Open the Local Group Policy Editor ( gpedit.msc ) and navigate to the section specified above. As you can see, the members of local groups Administrators , Users and Backup Operators have the permission to shutdown/reboot a computer running Windows 10 or 11 .

Shut down the system - allow user to shutdown/restart windows via gpo

On Windows Server 2022/2019/2016, only Administrators or Backup Operators can shut down or restart the server. This is reasonable, since in most cases a non-admin user must not have the privileges to shut down a server (even accidentally). Just imagine an RDS farm host that often shuts down because users accidentally click the “Shutdown” button in the Start menu…

On Active Directory domain controllers, the rights to shut down Windows are delegated to:

  • Administrators
  • Backup Operators
  • Server Operators
  • Print Operators

If the user does not have permission to restart/shutdown the operating system, then an error will appear when running the following command:

shutdown -r -t 0

shutdown command - access is denied 5

If you want to allow a specific user (without administrator rights) to restart your Windows Server, you need to add their account to this policy and update the GPO settings on the computer .

You can manually grant permissions to shut down the computer locally using the legacy ntrights tool from the Windows Server 2003 Resource Kit:

ntrights +r SeShutdownPrivilege -u woshub\j.smith

To prevent a user from shutting down or restarting Windows:

ntrights -r SeShutdownPrivilege -u woshub\j.smith

Or, vice versa, you can prevent users of workstations running the desktop Windows 10/11 edition from restarting the computer that performs some kind of server function. In this case, just remove Users group from the local policy Shut down the system .

In the same way, you can prevent (or allow) shutdown/reboot operations for non-admin users on all computers in a specific Organizational Unit (OU) of an Active Directory domain using a domain GPO.

  • Create the grpAllowRestartComputers user group in AD, to whom you want to grant the permissions to restart computers. You can create a new group using the ADUC snap-in ( dsa.msc ) or the New-ADGroup PowerShell cmdlet.  Add users to the group;

create new gpo

  • Set the GPO name ( gpoAllowReboot ) and edit it;
  • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> User Rights Assignment;

gpo: allow shutdown windows for non administrator users

  • Update the GPO settings on the target computers and check the resulting GPO settings with the rsop.msc snap-in. Users in your group can now shut down or reboot this host;

allow restart and shut down windows for non-admin in start menu

You can allow some non-admin users to restart your Windows Server remotely using the shutdown command without granting them local administrator privileges, permission to log on through Remote Desktop (RDP), or local logon permissions (if this sign-in method is not allowed).

To do it, add a user account to the Force shutdown from a remote system Group Policy option in the same GPO section ( User Rights Assignment ).

By default, only administrators can shutdown/restart the server remotely. Add a user account to the policy.

gpo to allow remote windows restart: Force shutdown from a remote system

ntrights +r SeRemoteShutdownPrivilege -u woshub\j.smith

After that, the user will get the SeRemoteShutdown privilege and will be able to restart the server remotely using the command:

shutdown -m \\hamb-rds01 -r -f -t 0

Or using the Restart-Computer PowerShell cmdlet:

Restart-Computer -ComputerName hamb-rds01 -Force

If WinRM (Windows Remote Management) is enabled on the remote computer, you can use WSman instead of WMI to connect:

Restart-Computer -ComputerName hamb-rds01 -Protocol WSMan

If the user does not have permission to connect to the WMI namespace, an error will appear:

You can use Group Policy to hide the Shutdown, Restart, Sleep and Hibernate options from the sign-in screen and Start Menu. This GPO option is called Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands and is located under User Configuration -> Administrative Templates -> Start Menu and Taskbar

Group Policy: Remove and Prevent Access to the Shut Down, Restart, Sleep, and Hibernate commands - remove Options in Windows 10 Start Menu

After you enable this policy, a user will be able only to disconnect the current session or use the logoff command. The Shutdown, Sleep and Restart buttons will become unavailable.


You can use some registry tweaks to hide only a specific item from the Power/Shutdown menu in Windows. For example, you want to hide only the “Shut down” option in the Start menu, but keep “Restart”.

  • Open the Registry Editor ( regedit.exe );
  • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown ;

set HideShutDown via registry

REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" /v "value" /t REG_DWORD /d 1 /f

Or using PowerShell:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown" -Name "value" -Value 1

Also, you can hide other options in the Start Menu and Windows sign-in screen:

  • Hide only the Restart option in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart" /v "value" /t REG_DWORD /d 1 /f
  • Hide Hibernate option from Start Menu in Windows: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate" /v "value" /t REG_DWORD /d 1 /f
  • Hide Sleep from the Start Menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep" /v "value" /t REG_DWORD /d 1 /f
  • To completely disable the Power button and remove the “Shut down or sign out” option from WinX menu: REG ADD "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton" /v "value" /t REG_DWORD /d 1 /f

Please note that in Windows Server 2019/2022, after assigning restart permission to a user, an error may appear:

You don’t have permission to shutdown or restart this computer.

In this case, you need to enable the UAC parameter “User Account Control: Run all administrators in Admin Approval Mode” in the GPO:

If you have granted permission to reboot a computer for a non-admin user, you may want to know who restarted a Windows Server : a user or one of the administrators.

Use the Event Viewer ( eventvwr.msc ) to search for shutdown logs in Windows. Go to Windows Logs -> System and filter the current log by the Event ID 1074 .

As you can see, there are server restart events in the log in chronological order. The event description includes the restart time, the reason, and the user account that restarted the host.

EventID: 1074 The process C:\Windows\system32\shutdown.exe has initiated the restart of computer on behalf of user for the following reason: Reason Code: 0x800000ff Shutdown Type: restart

You can get information about recent Windows shutdown events using the same Event ID 1076:

Use the following simple PowerShell script to list the last ten computer restart and shutdown events. This list contains the names of the users and processes from which the reboot was initiated.

# List the last ten restart/shutdown events (Event ID 1074) from the System log
Get-EventLog -LogName System |
    Where-Object { $_.EventId -eq 1074 } |
    Select-Object -First 10 |
    ForEach-Object {
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
        # ReplacementStrings: [0] process, [2] reason, [4] shutdown type, [6] user
        if ($_.ReplacementStrings[4]) {
            $rv.Date    = $_.TimeGenerated
            $rv.User    = $_.ReplacementStrings[6]
            $rv.Process = $_.ReplacementStrings[0]
            $rv.Action  = $_.ReplacementStrings[4]
            $rv.Reason  = $_.ReplacementStrings[2]
            $rv
        }
    } |
    Select-Object Date, Action, Reason, User, Process |
    Format-Table


So sad that there’s no option to disable only shutdown. I have a need to allow user to restart their machines but not shutdown.


FYI you can hide shutdown from the start menu using HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown

Thanks, but even so an advanced user would know to turn it off using other ways.


Thank you MT.. this helped..


On Windows 11, this did work, however, a user who is blocked from restarting/shutting down in this way, can still press Control-Alt-Delete and has the restart/shutdown option in the lower right hand corner. Is there a way to remove that, too?

I just actually tried it from a “non-privileged” account. The good news is that although the options appear, they don’t actually work. 🙃


What is the relationship between User Rights Assignment Policies vs. Membership of Local Groups

I just spent the better part of this morning on a support call with a vendor where we eventually resolved our issue by manually adding the service account their application was using to the following Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment policies which were being set by a Domain GPO:

  • Back up files and directories
  • Log on as a batch job
  • Restore files and directories

After rebooting the server and getting the updated GPO our service account no longer generated the following Event 4625 - Logon Type 4 audit events when attempting to start the application:

The vendor's documentation instructed us to add the service account to the Backup Operators and Power User Local Groups - which we did. Reading the Explain tab for each one of the required User Right Assignment policies indicates that the Backup Operators have those Rights by default (TechNet seems to confirm this). Incidentally, there's no mention of Power User being assigned those Rights that I can find so I'm not really sure why that was a requirement.

Why did we have to explicitly assign that service account those Rights (Back up files and directories, Log on as a batch job, Restore files and directories) when it already should have had them by virtue of being a member of the Backup Operators Local Group?

What is the relation between the User Rights Policies and the builtin Local Groups? Are User Rights Policies the constituent parts that make up the "meta"-rights of each builtin Local Groups? If so, where can I find which Rights belong to which builtin Local Groups?

As stated we resolved this issue by adding our service account to the Group Policy Object that is manually assigning a number of service accounts these specific Rights. I got the sense from the vendor's engineer that this GPO is interfering with the mapping of these constituent Rights to Local Groups. Is this hunch correct? Is assigning constituent User Rights this way a Bad Idea (TM)?

  • windows-server-2008-r2
  • group-policy
  • windows-authentication

Members of local built-in groups (as well as domain groups) have whatever rights are assigned to the group. The default rights on a server for local built-in groups are set in the local security settings. To access the local security settings, click Start, type secpol.msc and hit enter. In the Local Security Policy editor, expand Local Policies, and click on User Rights Assignment. There you will see what groups/users are granted which rights.

The local User Rights Assignment settings can be overridden by domain group policy. If you create a domain group policy that grants certain groups/users a certain right, such as "Logon as a batch job", this will override the local policy for which users have that right.

From what you have written, here is what I am guessing happened: You had a GPO in your domain that granted certain users the rights that you mentioned. This policy did not grant these rights to local machine Backup Operators group. This policy overwrote the default policy on the server. Thus, adding the user to the Backup Operators group did not give them those rights because, due to the Domain GPO, the Backup Operators do not have them.

As to whether or not the vendor's solution is a good idea: I have found that it is usually easier to manage rights by using well-organized groups rather than granting them to individual accounts. This way, when you add a new user, you add the user to the logical groups to which he belongs, and he will immediately have all of the rights he needs rather than having to assign him each right one-by-one. That is what the Built-in groups were intended to do.

Instead of granting those three rights to an individual user, you could have granted the "Backup Operators" group those three rights in the GPO. Then adding the user to that group would have the intended effect.

I am curious why you would have a domain policy managing those rights in the first place. If the purpose was to grant certain users access to perform backup operations, it might have been a better idea to use the domain built-in Backup Operators group.

Joel Davies's user avatar


Add User or Group button is grayed out in User Rights Assignment

Logon failure: The user has not been granted the requested logon type at this computer

1] Modify default Domain Controller Policy setting

2] enable add user or group button in user rights assignment, what are some of the settings available in the user rights assignment, how do i add a user to logon locally, where are user rights assignments stored.

Edit Local Security Policy Settings on Windows Server Core


The Gist Of IT

This section shows the workflow in condensed form. If you prefer a more detailed explanation, skip to the next section.

If you needed to edit the local Security Policy Settings on Windows Server Core you may have noticed that the Microsoft Management Console (MMC) is not available on Server Core.


You may know that installing the Server Core App Compatibility Feature on Demand (FOD) adds the MMC (including a bunch of other basic features) back to Server Core. But unfortunately, although you can now open the MMC and add the Local Computer Policy snap-in (gpedit.msc), the Security Settings section is still unavailable.


This means you need to use secedit.exe to edit the local security policy settings. This can be a bit daunting if you’re new to Windows Server Core. With the help of an example, I would like to show you how it works. In our example, we want to grant a domain account the privilege to log on as a service. On the Desktop edition, you would add the account as shown below.


First, we need to find the constant of the privilege we want to assign. We can look this up in the Security Policy Settings Reference (User Rights Assignment / Log On As A Service). There it says the constant is SeServiceLogonRight.

After identifying the constant, create a new temporary working directory, then export the current security settings with: secedit /export /cfg hisecws.inf. We can scope the command to export only the user rights assignments: secedit /export /cfg hisecws.inf /areas USER_RIGHTS. If we inspect the export, we should see something similar to this.


It is a good idea to keep a backup of this file until you have verified that your applied changes work as expected. To revert the changes, we would simply apply this backup configuration in the same way we apply the new configuration, which I will explain next.

In this exported configuration file, each privilege is applied to one or more SIDs, separated by commas. Privileges that are currently not applied to any SID are not listed in the file. Find the line that starts with SeServiceLogonRight and append the SID you want to grant privilege to. Remember to prepend the SID with an asterisk. You may also remove any other privileges that should remain untouched to prevent unintentional changes. The final file would look similar to this:

Before we apply this configuration, we want to validate it: secedit /validate hisecws.inf. It is important to mention that this validates only the configuration file structure, not the values.

To finally apply the new configuration, run this command: secedit /configure /db hisecws.sdb /overwrite /cfg hisecws.inf /areas USER_RIGHTS /log hisecws.log. This imports the configuration into a new database file before applying the database configuration to the system settings. This is a mandatory step, as it is not possible to apply a configuration file directly to the system settings. The /overwrite parameter forces secedit to purge any data from the database file if it already exists in the local folder. Unless you are configuring advanced scenarios, I recommend overwriting it so that you do not import unintended changes. We also scoped the import to the user rights assignments, although this was not strictly necessary as the imported configuration only contained one setting anyway.

When done, check the log files for abnormalities, then restart your system. (Restarting the system is not always required, but getting into this would be out of scope for this article.) After you have confirmed that the configuration changes work as expected, you may remove all files that you created during the change.
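The export, edit, validate and apply sequence described above, written as one PowerShell script. This is an added example, not code from the original article; the account name CONTOSO\svc-example is a placeholder, backup.inf and verify.inf are file names chosen here, and /quiet is added so that /overwrite does not stop for a confirmation prompt.

```powershell
# Added example: grant SeServiceLogonRight to one account with secedit.
# Run from an elevated PowerShell session on the target server.
$ErrorActionPreference = 'Stop'

$Account   = 'CONTOSO\svc-example'   # placeholder: replace with the real account
$Privilege = 'SeServiceLogonRight'   # constant for "Log on as a service"

# Work in a fresh temporary directory, as the article recommends.
$WorkDir = Join-Path $env:TEMP ('secedit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $WorkDir | Out-Null
Push-Location $WorkDir
try {
    # Resolve the account name to its SID; this throws if the name is unknown.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # 1. Export the current user rights. Keep backup.inf so the change can be reverted.
    secedit /export /cfg backup.inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

    # 2. Read the current holders of the privilege. The line is absent when
    #    the privilege is not assigned to anyone.
    $line = Get-Content backup.inf |
        Where-Object { $_ -match "^$Privilege\s*=" } |
        Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }
    if ($holders -contains "*$sid") {
        Write-Host "$Account already holds $Privilege; nothing to do."
        return
    }
    $holders += "*$sid"              # SIDs are written with a leading asterisk

    # 3. Write a template that contains only this one privilege, so no other
    #    user right is touched when it is applied.
    $inf = @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        "$Privilege = $($holders -join ',')"
    )
    Set-Content -Path hisecws.inf -Value $inf -Encoding Unicode

    # 4. Validate the file structure (this does not check the values).
    secedit /validate hisecws.inf | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /validate rejected hisecws.inf" }

    # 5. Import into a new database and apply it to the system.
    secedit /configure /db hisecws.sdb /overwrite /cfg hisecws.inf `
        /areas USER_RIGHTS /log hisecws.log /quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit /configure returned $LASTEXITCODE; review $WorkDir\hisecws.log"
    }

    # 6. Re-export and confirm that the SID is now listed for the privilege.
    secedit /export /cfg verify.inf /areas USER_RIGHTS | Out-Null
    $pattern = "^$Privilege\s*=.*\*$([regex]::Escape($sid))(,|\s*$)"
    $applied = [bool](Get-Content verify.inf | Where-Object { $_ -match $pattern })
    Write-Host "Granted: $applied. Working files (including backup.inf) are in $WorkDir"
}
finally {
    Pop-Location
}
```

If a domain GPO also defines this user right, the local change is replaced at the next policy refresh, so the final check is worth repeating after running gpupdate.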

One response to “Edit Local Security Policy Settings on Windows Server Core”

Laurie Avatar

Thank you for the clear, clean and concise instructions. Just what I was looking for.


Can't edit Local Security Policy

I'm trying to add users to the Access this computer from the network User Rights Assignment policy but the 'Add' button is disabled:


I'm connecting to the machine via RDP using the local Administrator account (not a domain user). I've also tried to do the same with a domain user that is in the Administrators group but the result is the same.

How can I add a user to this policy?

The machine is running Windows 7.

  • remote-desktop
  • administrator
  • group-policy

I say Reinstate Monica's user avatar

  • You need to be using a domain user in the Administrator user group –  Ramhound Commented Aug 27, 2015 at 12:38
  • I am using it (the built-in account..), but I login via RDP. does it matter? –  etaiso Commented Aug 27, 2015 at 12:38
  • You're not using one, you indicated you're using the local Administrator account, you need to be using a user connected to the domain with Administrator permissions. –  Ramhound Commented Aug 27, 2015 at 12:44
  • I also tried that. It's the same –  etaiso Commented Aug 27, 2015 at 12:46
  • Update your question; If I had known that; I could have saved time responding. –  Ramhound Commented Aug 27, 2015 at 12:51

You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy.

To modify this policy, either:

  • Modify the policy in the applicable domain Group Policy Object.
  • Prevent any domain-based GPOs from specifying this setting, then edit the computer's Local Group Policy.
  • where can I find this policy in the GPO? –  marijnr Commented Jun 13, 2018 at 13:15
  • 2 Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment –  I say Reinstate Monica Commented Jun 13, 2018 at 13:16


How to grant users rights to manage services

  • 3 contributors

This article describes how to grant users the authority to manage system services in Windows Server.

By default, only members of the Administrators group can start, stop, pause, resume, or restart a service. This article describes methods that you can use to grant the appropriate rights to users to manage services.

Applies to: Supported versions of Windows Server
Original KB number: 325349

Method 1: Use Group Policy

You can use Group Policy to change permissions on system services. See How To Configure Group Policies to Set Security for System Services for more information.

Method 2: Use Security Templates

To use security templates to change permissions on system services, create a security template following these steps:

  • Select Start , search mmc and select it.
  • On the File menu, click Add/Remove Snap-in .
  • Select Security Configuration and Analysis , select Add , and then select OK .
  • In the console tree, right-click Security Configuration and Analysis , and then select Open Database .
  • Specify a name and location for the database, and then click Open .
  • In the Import Template dialog box that appears, click the security template that you want to import, and then click Open .
  • In the console tree, right-click Security Configuration and Analysis , and then click Analyze Computer Now .
  • In the Perform Analysis dialog box that appears, accept the default path for the log file that is displayed in the Error log file path box or specify the location that you want, and then click OK .

After the analysis is complete, configure the service permissions as follows:

  • In the console tree, select System Services .
  • In the right pane, double-click the service whose permissions you want to change.
  • Select the Define this policy in the database check box, and then select Edit Security .
  • To configure permissions for a new user or group, select Add . In the Select Users, Computers, or Groups dialog box, type the name of the user or group that you want to set permissions for, and then select OK .
  • In the Permissions for User or Group list, configure the permissions that you want for the user or group. When you add a new user or group, the Allow check box next to the Start, stop and pause permission is selected by default. This setting permits the user or group to start, stop, and pause the service.
  • Select OK two times.

To apply the new security settings to the local computer, right-click Security Configuration and Analysis , and then click Configure Computer Now .

You can also use the Secedit command-line tool to configure and analyze system security. For more information about Secedit, see secedit commands. Note that when you use this method to apply settings, all the settings in the template are reapplied, and this may override other previously configured file, registry, or service permissions.


Allow or Prevent Users and Groups to Sign in Locally to Windows 10  


How to Allow or Prevent Users and Groups to Sign in Locally to Windows 10

By default, you need to dismiss the lock screen and enter your credentials to sign in to Windows 10 with your account. By default, Users, Guests, Backup Operators, and Administrators are able to sign in locally to Windows 10.

See also: Allow log on locally - security policy setting (Windows 10) | Microsoft Docs

This tutorial will show you how to allow or prevent specific users and groups from being able to sign in (log on) locally to a Windows 10 PC.

You must be signed in as an administrator to allow or prevent users and groups to sign in locally.

Only allowed users and groups will be able to sign in locally to Windows 10. The Deny log on locally policy will override this Allow log on locally policy.

CONTENTS:

  • Option One: Allow Users and Groups to Sign in Locally in Local Security Policy
  • Option Two: Prevent Users and Groups to Sign in Locally in Local Security Policy
  • Option Three: Allow or Prevent Users and Groups to Sign in Locally in Command Prompt

EXAMPLE: "The sign in method you're trying to use isn't allowed. For more info, contact your network administrator." message when a user or group is not allowed to sign in locally

OPTION ONE

Allow Users and Groups to Sign in Locally in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions. All editions can use Option Three below.

1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane.
3. Click/tap on the Add User or Group button.
4. Click/tap on the Advanced button.
5. Click/tap on the Object Types button.
6. Check all the boxes for Object types, and click/tap on OK.
7. Click/tap on the Find Now button, select the name of the user or group (ex: "Guests") you want to add, and click/tap on OK. If you like, you can press and hold the Ctrl key to select more than one user and/or group.
8. Click/tap on OK.
9. Click/tap on OK.
10. When finished, you can close Local Users and Groups if you like.

OPTION TWO

Prevent Users and Groups to Sign in Locally in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions. All editions can use Option Three below.

1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.
2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane.
3. Select the user or group (ex: "Guest") you want to remove, and click/tap on the Remove button. If you like, you can press and hold the Ctrl key to select more than one user and/or group.
4. Click/tap on OK.
5. When finished, you can close Local Users and Groups if you like.

OPTION THREE

Allow or Prevent Users and Groups to Sign in Locally in Command Prompt

1. If you haven't already, you will need to do the following before continuing on to step 2 below.
   A) Download the ntrights.exe file from the Windows Server 2003 Resource Kit Tools.
   B) Save the ntrights.zip file to your desktop, and unblock it.
   C) Open the ntrights.zip file, copy or move the ntrights.exe file into your C:\Windows\System32 folder, and click/tap on Continue to approve.
2. Open an elevated command prompt.
3. Type the command you want below into the elevated command prompt, and press Enter.

   (Add user or group to allow)
   ntrights +r SeInteractiveLogonRight -u "User or Group"

   OR

   (Remove user or group to prevent)
   ntrights -r SeInteractiveLogonRight -u "User or Group"

   Substitute User or Group in the command above with the actual name of the user or group (ex: "Guests") you want to add or remove for this policy.

   For example: ntrights +r SeInteractiveLogonRight -u "Guests"
4. When finished, you can close the elevated command prompt if you like.

That's it, Shawn


Powershell: Export User Rights Assignment

I'm new to PowerShell (PS). Currently I'm using Windows Server 2012 and I'm interested to know whether there is any way to export User Rights Assignment into a txt file. I tried

The above should export it.

So, I get this: Current Output. Is there any way to export User Rights Assignment and make it look like (even with using batch files): Expected Output.

P.S. Is there any way to output those values in the console? So I would be able to redirect them to a txt file.

jonjoli's user avatar

  • 1 Please edit the description and clearly explain the difference between the two links you have pasted. That will make the problem clear to the readers. Even when the link is removed, readers will still have access to the problem description. –  phoenix Commented Feb 11, 2016 at 16:52
  • Sorry link got changed in edit –  jonjoli Commented Feb 11, 2016 at 17:06
  • 1 I could probably try to help you but my company blocks all file download sites so I can't view any of the links you posted. –  Squashman Commented Feb 11, 2016 at 18:57
  • should just post them? –  Ojs Commented Feb 11, 2016 at 19:04
  • @jonjoli - See my updated answer. –  Bill_Stewart Commented Feb 16, 2016 at 21:23

3 Answers

Here's a PowerShell script that outputs usable objects with translated names and SIDs:

Bill_Stewart's user avatar

  • 1 sorry for late response but that gives the same output as "secedit /export /areas USER_RIGHTS /cfg d:\policies.txt" –  jonjoli Commented Feb 12, 2016 at 11:16
  • It outputs the data as objects, not as text, so no, the output is not "the same". Perhaps you need to clarify your question. –  Bill_Stewart Commented Feb 12, 2016 at 13:37
  • how to make it output as txt? –  jonjoli Commented Feb 12, 2016 at 13:46
  • What do you mean? Please update your question with what you want the output to look like (no links please - please paste an example directly into your question). –  Bill_Stewart Commented Feb 12, 2016 at 15:41
  • 1 You are in luck in this case. I think I understand. See updated answer. –  Bill_Stewart Commented Feb 12, 2016 at 18:52

In addition to Eric's change, I also needed to add a try catch to one of the functions in Bill_Stewart's post. If the SID being translated is from an object that no longer exists, this will return the SID instead of sending an error for translate.

Ryan Reed's user avatar

Great script overall. Thank you for your efforts. One change I needed to make however to get it to output all principals assigned a right was to change the regex to '^(Se\S+) = (.+)' so that principals that were already resolved with a space in the name such as 'Domain users' were matched. Before that it would just report 'Domain.'

To save the output to a file, add a >> filename after the closing bracket of the last foreach-object Ex: } } >> 'outFile.txt'

or to output as delimited file (e.g., csv) use the following:

} | convertto-csv -delimiter '~' -notypeinformation >> 'outFile.txt'

Hope this helps.

Eric Alexander's user avatar
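One way to turn the secedit export into one object per right and principal, using the regex change and the fallback for SIDs that no longer resolve, both described in the answers above. This is an added example, not Bill_Stewart's script or any answerer's code; the function names, the output property names and the file name rights.csv are assumptions.

```powershell
# Added example: list user rights assignments as objects with translated names.
# Run from an elevated PowerShell session; secedit /export needs administrator rights.
$ErrorActionPreference = 'Stop'

function ConvertTo-PrincipalName {
    param([string]$Entry)

    # An exported entry is either "*<SID>" or a name that secedit already resolved.
    if ($Entry -notmatch '^\*(S-\d+(-\d+)+)$') {
        return $Entry
    }
    $sid = $Matches[1]
    try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    }
    catch {
        # The account behind the SID no longer exists (or cannot be resolved
        # from this machine): report the bare SID instead of failing.
        $sid
    }
}

function Get-UserRightsAssignment {
    # Export to a file name that does not exist yet, then parse it.
    $tmp = Join-Path $env:TEMP ('rights-' + [guid]::NewGuid() + '.inf')
    try {
        secedit /export /areas USER_RIGHTS /cfg $tmp | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit /export failed with exit code $LASTEXITCODE"
        }

        foreach ($line in Get-Content $tmp) {
            # (.+) rather than (\S+): resolved names such as "Domain users"
            # contain spaces and would otherwise be cut at the first one.
            if ($line -match '^(Se\S+) = (.+)') {
                $right = $Matches[1]
                foreach ($entry in $Matches[2].Split(',')) {
                    $raw = $entry.Trim()
                    [pscustomobject]@{
                        Right     = $right
                        Principal = ConvertTo-PrincipalName $raw
                        Raw       = $raw     # value exactly as exported
                    }
                }
            }
        }
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Console view, one row per right/principal pair:
Get-UserRightsAssignment | Sort-Object Right, Principal | Format-Table -AutoSize

# Text file for review or for diffing against a baseline:
Get-UserRightsAssignment |
    Sort-Object Right, Principal |
    Export-Csv -Path rights.csv -NoTypeInformation
```

Rows whose Principal is still a bare SID are the orphaned assignments; in an audit they are usually the first entries to review.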


COMMENTS

  1. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  2. User rights assignment in Windows Server 2016

    They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are: Group policy objects (GPO) - Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.

  3. Understanding Group Policies: User Rights Assignment Policies

    User Rights Assignment is one of those meat and potatoes features of the operating system that we all have a cursory understanding of but rarely think about in depth. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on.

  4. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  5. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

  6. Configuring user access control and permissions

    Open the Local Users and Groups tool and navigate to the Groups tab. Select the Windows Admin Center Readers group. In the Details pane at the bottom, select Add User and enter the name of a user or security group that should have read-only access to the server through Windows Admin Center.

  7. Understanding User Rights Assignment

    To control the rights that any user has, you'll need to find the right place to take control of it. The User Rights Assignment section of Windows Policy is where you get to manage this stuff. To see for yourself, open the default domain controllers Group Policy Object (GPO) or run gpedit.msc. With the policy management window open, navigate to ...

  8. User Rights Assignments

    User Rights Assignments. Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users.

  9. Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    How to Allow or Prevent Shutdown/Reboot Options in Windows via GPO. You can set the permissions to restart or shutdown Windows using the Shut down the system parameter in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. This GPO option allows you to specify which locally logged-on users can shut down an ...

  10. How to list windows privileges for any user

    You can use AccessChk to accomplish this task. Accesschk "domain\user" -a * will list all the permissions of a given domain user. You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about.

  11. windows server 2008 r2

    The default rights on a server for local built-in groups are set in the local security settings. To access the local security settings, click Start, type secpol.msc and hit enter. In the Local Security Policy editor, expand Local Policies, and click on User Rights Assignment. There you will see what groups/users are granted which rights.

  12. User Rights Assignment

    Windows 11; Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain.

  13. How to Set Logon User Rights with the Ntrights.exe in windows 10 (64

    What is an equivalent for ntrights.exe on Windows 10? Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

  14. Access this computer from the network

    Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ... If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage.

  15. Add User or Group button is grayed out in User Rights Assignment

    Navigate to the path below: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. In the details pane on the right, double-click the ...

  16. Blocking Remote Use of Local Accounts

    In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to "Local account" (S-1-5-113) for all Windows client and server configurations, which blocks all remote access for all local accounts. We have since discovered that Failover Clustering relies on a non-administrative ...

  17. Edit Local Security Policy Settings on Windows Server Core

    First, we need to find the constant of the privilege we want to assign. We can look this up in the Security Policy Settings Reference ( User Rights Assignment / Log On As A Service ). There it says, the constant is SeServiceLogonRight. After we identified the constant, create a new temporary working directory, then export the current security ...

  18. windows

    You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy. To modify this policy, either: Modify the policy in the applicable domain Group Policy Object.

  19. Grant users rights to manage services

    In this article. Method 1: Use Group Policy. Method 2: Use Security Templates. This article describes how to grant users the authority to manage system services in Windows Server. By default, only members of the Administrators group can start, stop, pause, resume, or restart a service. This article describes methods that you can use to grant ...

  20. Allow or Prevent Users and Groups to Sign in Locally to Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane. (see screenshot below) 3.

  21. windows

    I'm new to PowerShell (PS). Currently I'm using Windows Server 2012 and I'm interested to know whether there is any way to export User Rights Assignment into a txt file. I tried. secedit /export /areas USER_RIGHTS /cfg d:\policies.txt. The above should export it. So, I get this: Current Output.