How to Change User Rights Assignment Security Policy Settings in Windows 10


User Rights Assignment policies govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects.

Each group in Windows has its own default rights and permissions. When a user is a member of a group, the user will be assigned the rights and permissions of the group.

This tutorial will show you how to change User Rights Assignment security policy settings to control users and groups ability to perform tasks in Windows 10.

You must be signed in as an administrator to change User Rights Assignment.

If you remove a user or group from a user right policy, then that user or group will no longer be able to perform the policy on the local PC.

If you add a user or group to a user right policy, then that user or group will now be able to perform the actions of the policy on the local PC.

Contents

• Option One: To Add Users and Groups for User Rights Assignment in Local Security Policy
• Option Two: To Remove Users and Groups for User Rights Assignment in Local Security Policy
• Option Three: To Add and Remove Users and Groups for User Rights Assignment in Command Prompt

OPTION ONE

To Add Users and Groups for User Rights Assignment in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option Three below.

1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.

2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3)

3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or groups to. (see screenshot below)

4 Click/tap on the Add User or Group button. (see screenshot below)

5 Click/tap on the Object Types button. (see screenshot below)

6 Check all the boxes for Object types, and click/tap on the OK. (see screenshot below)

7 Click/tap on the Advanced button. (see screenshot below)

8 Click/tap on the Find Now button, select the name of the user or group (ex: "Everyone") you want to add, and click/tap on OK. (see screenshot below)

If you like, you can press and hold the Ctrl key to select more than one user and/or group.

9 Click/tap on OK. (see screenshot below)

10 Click/tap on OK. (see screenshot below)

11 When finished, you can close Local Users and Groups if you like.

OPTION TWO

To Remove Users and Groups for User Rights Assignment in Local Security Policy

Local Security Policy is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option Three below.

1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy.

2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3)

3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to remove users and/or groups from. (see screenshot below)

4 Select the user or group (ex: "Everyone") you want to remove, and click/tap on the Remove button. (see screenshot below)

If you like, you can press and hold the Ctrl key to select more than one user and/or group.

5 Click/tap on OK. (see screenshot below)

6 When finished, you can close Local Security Policy if you like.

OPTION THREE

To Add and Remove Users and Groups for User Rights Assignment in Command Prompt

1 If you haven't already, you will need to do the following below before continuing on to step 2 below.

A) Download the ntrights.exe file below from the NTRIGHTS.exe (2003 Resource Kit).

Download

B) Save the ntrights.zip file to your desktop, and unblock it.

C) Open the ntrights.zip file, copy or move the ntrights.exe file into your C:\Windows\System32 folder, and click/tap on Continue to approve.

2 Open an elevated command prompt.

3 Type the command below you want to use into the elevated command prompt, and press Enter. (see screenshots below)

(Add user or group to user rights policy)
ntrights +r ConstantName -u "User or Group"

OR

(Remove user or group from user rights policy)
ntrights -r ConstantName -u "User or Group"

Substitute ConstantName in the command above with the actual constant name (ex: "SeShutdownPrivilege") from the table below for the user rights assignment security policy (ex: "Shut down the system") you want to add or remove a user or group.

Substitute User or Group in the command above with the actual name of the user or group (ex: "Everyone") you want to add or remove for the policy.

For example: ntrights -r SeShutdownPrivilege -u "Everyone"

Policy	Constant Name
Access Credential Manager as a trusted caller	SeTrustedCredManAccessPrivilege
Access this computer from the network	SeNetworkLogonRight
Act as part of the operating system	SeTcbPrivilege
Add workstations to domain	SeMachineAccountPrivilege
Adjust memory quotas for a process	SeIncreaseQuotaPrivilege
Allow log on locally	SeInteractiveLogonRight
Allow log on through Remote Desktop Services	SeRemoteInteractiveLogonRight
Back up files and directories	SeBackupPrivilege
Bypass traverse checking	SeChangeNotifyPrivilege
Change the system time	SeSystemtimePrivilege
Change the time zone	SeTimeZonePrivilege
Create a pagefile	SeCreatePagefilePrivilege
Create a token object	SeCreateTokenPrivilege
Create global objects	SeCreateGlobalPrivilege
Create permanent shared objects	SeCreatePermanentPrivilege
Create symbolic links	SeCreateSymbolicLinkPrivilege
Debug programs	SeDebugPrivilege
Deny access to this computer from the network	SeDenyNetworkLogonRight
Deny log on as a batch job	SeDenyBatchLogonRight
Deny log on as a service	SeDenyServiceLogonRight
Deny log on locally	SeDenyInteractiveLogonRight
Deny log on through Remote Desktop Services	SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation	SeEnableDelegationPrivilege
Force shutdown from a remote system	SeRemoteShutdownPrivilege
Generate security audits	SeAuditPrivilege
Impersonate a client after authentication	SeImpersonatePrivilege
Increase a process working set	SeIncreaseWorkingSetPrivilege
Increase scheduling priority	SeIncreaseBasePriorityPrivilege
Load and unload device drivers	SeLoadDriverPrivilege
Lock pages in memory	SeLockMemoryPrivilege
Log on as a batch job	SeBatchLogonRight
Log on as a service	SeServiceLogonRight
Manage auditing and security log	SeSecurityPrivilege
Modify an object label	SeRelabelPrivilege
Modify firmware environment values	SeSystemEnvironmentPrivilege
Perform volume maintenance tasks	SeManageVolumePrivilege
Profile single process	SeProfileSingleProcessPrivilege
Profile system performance	SeSystemProfilePrivilege
Remove computer from docking station	SeUndockPrivilege
Replace a process level token	SeAssignPrimaryTokenPrivilege
Restore files and directories	SeRestorePrivilege
Shut down the system	SeShutdownPrivilege
Synchronize directory service data	SeSyncAgentPrivilege
Take ownership of files or other objects	SeTakeOwnershipPrivilege

4 When finished, you can close the elevated command prompt if you like.

That's it,
Shawn

Related Tutorials

---

• How to Add or Remove Users from Groups in Windows 10
• How to Change Owner of File, Folder, Drive, or Registry Key in Windows 10
• How to Allow or Prevent Users and Groups to Change Time in Windows 10
• How to Allow or Prevent Users and Groups to Shut down System in Windows 10
• How to Allow or Prevent Users and Groups to Change Time Zone in Windows 10
• How to Allow or Prevent Users and Groups to Sign in Locally to Windows 10
• How to Deny Users and Groups to Sign in Locally to Windows 10
• How to Allow or Prevent Users and Groups to Log on with Remote Desktop in Windows 10
• How to Deny Users and Groups to Log on with Remote Desktop in Windows 10
• How to Allow or Prevent Users and Groups to Create a Pagefile in Windows 10

Windows 11 Tutorials