Privileges

Windows privileges can be assigned to individual user accounts and groups. Administrators can assign privileges to a user with the chusr or editusr command, or to a group with the chgrp or editgrp command. Users who are added to a group automatically gain all the privileges assigned to the group.
You can use the name of the privilege, or user right, exactly as it appears in the list, or you can add Se to the beginning and Privilege to the end of the name (except for BatchLogon, InteractiveLogon, NetworkLogon, and ServiceLogon, to which you add Right instead of Privilege).
Following are the privileges available in Windows. Each entry gives the privilege name, its default assignment, and a description.

AssignPrimaryToken
    Default assignment: None
    Allows a user to modify the security access token of a process.

Audit
    Default assignment: None
    Generates security audits.

Backup
    Default assignment: Administrators, Backup Operators
    Allows a user to back up files and directories. This privilege replaces all file and directory permissions.

BatchLogon
    Default assignment: None
    Allows a user to log in as a batch job.

ChangeNotify
    Default assignment: Everyone
    Usually, rights to files and subdirectories flow downward; that is, users who do not have rights to a specific directory also do not have rights to access the subdirectories below that directory. This privilege allows a user to access subdirectories even if that user has no rights to the parent directories.

CreatePagefile
    Default assignment: None
    Allows a user to create a page file. Security is determined by the user's access to the key \CurrentControlSet\Control\SessionManagement.

CreatePermanent
    Default assignment: None
    Allows a user to create special permanent objects, such as \\Device.

CreateToken
    Default assignment: None
    Creates a token object. Only the Local Security Authority can do this. The Local Security Authority ensures that the user has permission to access the system. It is not possible to audit the use of this right. For C2 certification, we recommend that it not be assigned to any user.

Debug
    Default assignment: Administrators
    Debugs programs or objects such as threads. You cannot audit this privilege. For C2 certification, we recommend that it not be assigned to any user, including system administrators.

IncreaseBasePriority
    Default assignment: Administrators, Power Users
    Allows a user to increase the execution priority of a process.

IncreaseQuota
    Default assignment: None
    Allows a user to increase the object quotas.

InteractiveLogon
    Default assignment: Most groups
    Allows the user to log in interactively.

LoadDriver
    Default assignment: Administrators
    Allows a user to install and remove device drivers.

LockMemory
    Default assignment: None
    Allows a user to lock pages in the memory of the computer so that the pages cannot be automatically paged out to a backing store such as PAGEFILE.SYS.

MachineAccount
    Default assignment: None
    Allows a user to add a new machine to a domain.

NetworkLogon
    Default assignment: Everyone
    Allows users to connect to a computer from anywhere in the network. This means users do not have to be at a specific place or terminal to log in to their computer.

ProfileSingleProcess
    Default assignment: Administrators, Power Users
    Allows a user to use performance-monitoring tools to monitor the performance of a single process.

RemoteShutdownPrivilege
    Default assignment: Administrators, Power Users
    Allows a user to shut down a Windows system remotely.

Restore
    Default assignment: Administrators, Backup Operators
    Allows a user to restore backed-up files and directories. This right replaces all file and directory permissions.

Security
    Default assignment: Administrators
    Allows a user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log.
    Note: This privilege does not allow the user to set system auditing policies using the Audit command from the Policy menu in Microsoft's User Manager. Administrators always have the ability to view and clear the security log.

ServiceLogon
    Default assignment: None
    Enables a process to register with the system as a service.

Shutdown
    Default assignment: Administrators, Backup Operators, Everyone, Power Users, Users
    Allows the user to shut down the system from the system console.

SystemEnvironment
    Default assignment: Administrators
    Allows a user to modify the system environment variables. This enables the user to set up the system environment at their workstation and ensure that all other users working on the same workstation use the same setup.

SystemProfile
    Default assignment: Administrators
    Allows a user to perform profiling (performance sampling) on the system.

SystemTime
    Default assignment: Administrators, Power Users
    Allows a user to set the time for the internal clock of the computer.

TakeOwnership
    Default assignment: Administrators
    Allows a user to become the owner of files, directories, printers, and other objects on the computer. This right replaces all permissions protecting objects.

Tcb
    Default assignment: None
    Enables a process to perform as a secure, trusted part of the operating system. Some subsystems are granted this privilege.
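The naming rule given above (a short name, or the same name with Se prefixed and Privilege or Right appended) and the entries the list flags as unauditable or as overriding file permissions can be turned into a small review script. The following Python is an added example; it is not part of this page or of the chusr/editusr/chgrp/editgrp tooling. It assumes that RemoteShutdown is the short form of the entry the list prints as RemoteShutdownPrivilege, and the sample assignments it reviews are constructed, not taken from any real system.

```python
# Added example, not code from the original page or from the chusr/editusr
# tooling it describes. Implements the naming rule from the text (Se prefix,
# Privilege or Right suffix) and reviews assignments against the entries the
# list marks as unauditable or as replacing file and directory permissions.

# Short names exactly as they appear in the list. Assumption: the entry the
# list prints as "RemoteShutdownPrivilege" is the short name RemoteShutdown
# with its suffix already attached.
PRIVILEGES = {
    "AssignPrimaryToken", "Audit", "Backup", "BatchLogon", "ChangeNotify",
    "CreatePagefile", "CreatePermanent", "CreateToken", "Debug",
    "IncreaseBasePriority", "IncreaseQuota", "InteractiveLogon", "LoadDriver",
    "LockMemory", "MachineAccount", "NetworkLogon", "ProfileSingleProcess",
    "RemoteShutdown", "Restore", "Security", "ServiceLogon", "Shutdown",
    "SystemEnvironment", "SystemProfile", "SystemTime", "TakeOwnership", "Tcb",
}

# The four logon entries take the suffix Right instead of Privilege.
LOGON_RIGHTS = {"BatchLogon", "InteractiveLogon", "NetworkLogon", "ServiceLogon"}

# Entries the list says cannot be audited (and recommends never assigning).
UNAUDITABLE = {"CreateToken", "Debug"}
# Entries the list says replace all file, directory or object permissions.
OVERRIDES_PERMISSIONS = {"Backup", "Restore", "TakeOwnership"}


def short_name(name: str) -> str:
    """Reduce any accepted spelling (short, or Se...Privilege/Right) to the short form."""
    if name in PRIVILEGES:  # exact short name; handles "Security" before "Se" is stripped
        return name
    base = name[2:] if name.startswith("Se") else name
    for suffix in ("Privilege", "Right"):
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    if base in PRIVILEGES:
        return base
    raise ValueError(f"unknown privilege name: {name!r}")


def canonical_name(name: str) -> str:
    """Return the Se...Privilege or Se...Right form of a privilege name."""
    base = short_name(name)
    suffix = "Right" if base in LOGON_RIGHTS else "Privilege"
    return f"Se{base}{suffix}"


def review_assignments(assignments):
    """Flag (principal, privilege) pairs that deserve a second look.

    Returns a list of (principal, canonical name, reason) tuples in input order.
    Unknown privilege names raise ValueError rather than being silently skipped.
    """
    findings = []
    for principal, name in assignments:
        base = short_name(name)
        if base in UNAUDITABLE:
            findings.append((principal, canonical_name(base),
                             "use cannot be audited; the list recommends assigning it to no user"))
        elif base in OVERRIDES_PERMISSIONS:
            findings.append((principal, canonical_name(base),
                             "replaces all file and directory permissions"))
    return findings


# Constructed sample: principals and privileges as an administrator might have
# granted them with chusr or chgrp. Not taken from any real system.
SAMPLE_ASSIGNMENTS = [
    ("backupsvc", "Backup"),
    ("backupsvc", "SeRestorePrivilege"),
    ("devteam", "Debug"),
    ("Everyone", "SeNetworkLogonRight"),
    ("webapp", "ServiceLogon"),
]

if __name__ == "__main__":
    for principal, priv, reason in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: {priv} -> {reason}")
```

Run as a script, it reports the two backup-service grants (which bypass file permissions) and the Debug grant (which cannot be audited), while the two logon rights pass without comment. Both spellings the text allows are accepted on input, so a list exported in either form can be reviewed unchanged.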