Privilege

Description

User Right

SeAssignPrimaryTokenPrivilege

Required to assign the primary token of a process.

Replace a process level token.

SeAuditPrivilege

Required to generate audit-log entries. Give this privileg to secure servers.

Generate security audits.

SeBackupPrivilege

Required to perform backup operations.

Back up files and directories.

SeBatchLogonRight

Required for an account to log on using the batch logon type

Log on using the batch logon

SeChangeNotifyPrivilege

Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users.

Bypass traverse checking.

SeCreatePagefilePrivilege

Required to create a paging file.

Create a pagefile.

SeCreateGlobalPrivilege

Required to Create global objects

Create global objects

Note: Windows 2000 security setting that was first introduced in Windows 2000 SP4

SeCreatePermanentPrivilege

Required to create a permanent object.

Create permanent shared objects.

SeCreateTokenPrivilege

Required to create a primary token.

Create a token object.

SeDebugPrivilege

Required to debug a process.

Debug programs.

SeDenyBatchLogonRight

Explicitly denies an account the right to log on using the batch logon type

Denies an account the right to log on using the batch logon type

SeDenyInteractiveLogonRight

Explicitly denies an account the right to log on using the interactive logon type.

Denies an account the right to log on using the interactive logon type.

SeDenyNetworkLogonRight

Explicitly denies an account the right to log on using the network logon type.

Denies an account the right to log on using the network logon type.

SeDenyRemoteInteractiveLogonRight

Determines which users and groups are prohibited from logging on as a Terminal Services client.

Deny logon through Terminal Services.

SeDenyServiceLogonRight

Explicitly denies an account the right to log on using the service logon type.

Denies an account the right to log on using the service logon type.

SeEnableDelegationPrivilege

Required to mark user and computer accounts as trusted for delegation.

Enable computer and user accounts to be trusted for delegation.

SeImpersonatePrivilege

Required to impersonate.

Impersonate a client after authentication.

Note: Windows 2000 security setting that was first introduced in Windows 2000 SP4

SeIncreaseBasePriorityPrivilege

Required to increase the base priority of a process.

Increase scheduling priority.

SeIncreaseQuotaPrivilege

Required to increase the quota assigned to a process.

Increase quotas.

SeInteractiveLogonRight

Required for an account to log on using the interactive logon type.

Log on using the interactive logon

SeLoadDriverPrivilege

Required to load or unload a device driver.

Load and unload device drivers.

SeLockMemoryPrivilege

Required to lock physical pages in memory.

Lock pages in memory

SeMachineAccountPrivilege

Required to create a machine account.

Add workstations to domain.

SeManageVolumePrivilege

Required to enable volume management privileges.

Manage the files on a volume.

SeNetworkLogonRight

Required for an account to log on using the network logon type.

Log on using the network logon type.

SeProfileSingleProcessPrivilege

Required to gather profiling information for a single process.

Profile single process.

SeRemoteInteractiveLogonRight

Determines which users or groups have permission to log on as a Terminal Services client.

Allow logon through Terminal Services

SeRemoteShutdownPrivilege

Required to shut down a system using a network request.

Force shutdown from a remote system.

SeRestorePrivilege

Required to perform restore operations. This privilege enables you to set any valid user or group SID as the owner of an object.

Restore files and directories.

SeSecurityPrivilege

Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.

Manage auditing and security log.

SeServiceLogonRight

Required for an account to log on using the service logon type.

Log on using the service logon type.

SeShutdownPrivilege

Required to shut down a local system.

Shut down the system.

SeSyncAgentPrivilege

Required for a domain controller to use the LDAPdirectory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.

Synchronize directory service data.

SeSystemEnvironmentPrivilege

Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.

Modify firmware environment values.

SeSystemProfilePrivilege

Required to gather profiling information for the entire system.

Profile system performance.

SeSystemtimePrivilege

Required to modify the system time.

Change the system time.

SeTakeOwnershipPrivilege

Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.

Take ownership of files or other objects.

SeTcbPrivilege

This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. This privilege is required to call the LogonUser function.

Act as part of the operating system.

SeUndockPrivilege

Required to undock laptop.

Remove computer from docking station.

SeUnsolicitedInputPrivilege

Required to read unsolicited input from a terminal device.

Read unsolicited input from a terminal device.