Monday, March 25, 2013

USER AUTHORIZE Privileges


http://msdn.microsoft.com/en-us/library/bb530716(v=vs.85).aspx

Privilege Constants

Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.

The functions that get and adjust the privileges in an access token use the locally unique identifier (LUID) type to identify privileges. Use the LookupPrivilegeValue function to determine the LUID on the local system that corresponds to a privilege constant. Use the LookupPrivilegeName function to convert a LUID to its corresponding string constant.

The operating system represents a privilege by using the string that follows "User Right" in the Description column of the following table. The operating system displays the user right strings in the Policy column of the User Rights Assignment node of the Local Security Settings Microsoft Management Console (MMC) snap-in.

Constant/value
    Description

SE_ASSIGNPRIMARYTOKEN_NAME
TEXT("SeAssignPrimaryTokenPrivilege")
    Required to assign the primary token of a process.
    User Right: Replace a process-level token.

SE_AUDIT_NAME
TEXT("SeAuditPrivilege")
    Required to generate audit-log entries. Give this privilege to secure servers.
    User Right: Generate security audits.

SE_BACKUP_NAME
TEXT("SeBackupPrivilege")
    Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyEx functions. The following access rights are granted if this privilege is held:
        READ_CONTROL
        ACCESS_SYSTEM_SECURITY
        FILE_GENERIC_READ
        FILE_TRAVERSE
    User Right: Back up files and directories.

SE_CHANGE_NOTIFY_NAME
TEXT("SeChangeNotifyPrivilege")
    Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users.
    User Right: Bypass traverse checking.

SE_CREATE_GLOBAL_NAME
TEXT("SeCreateGlobalPrivilege")
    Required to create named file mapping objects in the global namespace during Terminal Services sessions. This privilege is enabled by default for administrators, services, and the local system account.
    User Right: Create global objects.

SE_CREATE_PAGEFILE_NAME
TEXT("SeCreatePagefilePrivilege")
    Required to create a paging file.
    User Right: Create a pagefile.

SE_CREATE_PERMANENT_NAME
TEXT("SeCreatePermanentPrivilege")
    Required to create a permanent object.
    User Right: Create permanent shared objects.

SE_CREATE_SYMBOLIC_LINK_NAME
TEXT("SeCreateSymbolicLinkPrivilege")
    Required to create a symbolic link.
    User Right: Create symbolic links.

SE_CREATE_TOKEN_NAME
TEXT("SeCreateTokenPrivilege")
    Required to create a primary token.
    User Right: Create a token object.
    You cannot add this privilege to a user account with the "Create a token object" policy. Additionally, you cannot add this privilege to an owned process using Windows APIs.
    Windows Server 2003 and Windows XP with SP1 and earlier: Windows APIs can add this privilege to an owned process.

SE_DEBUG_NAME
TEXT("SeDebugPrivilege")
    Required to debug and adjust the memory of a process owned by another account.
    User Right: Debug programs.

SE_ENABLE_DELEGATION_NAME
TEXT("SeEnableDelegationPrivilege")
    Required to mark user and computer accounts as trusted for delegation.
    User Right: Enable computer and user accounts to be trusted for delegation.

SE_IMPERSONATE_NAME
TEXT("SeImpersonatePrivilege")
    Required to impersonate.
    User Right: Impersonate a client after authentication.

SE_INC_BASE_PRIORITY_NAME
TEXT("SeIncreaseBasePriorityPrivilege")
    Required to increase the base priority of a process.
    User Right: Increase scheduling priority.

SE_INCREASE_QUOTA_NAME
TEXT("SeIncreaseQuotaPrivilege")
    Required to increase the quota assigned to a process.
    User Right: Adjust memory quotas for a process.

SE_INC_WORKING_SET_NAME
TEXT("SeIncreaseWorkingSetPrivilege")
    Required to allocate more memory for applications that run in the context of users.
    User Right: Increase a process working set.

SE_LOAD_DRIVER_NAME
TEXT("SeLoadDriverPrivilege")
    Required to load or unload a device driver.
    User Right: Load and unload device drivers.

SE_LOCK_MEMORY_NAME
TEXT("SeLockMemoryPrivilege")
    Required to lock physical pages in memory.
    User Right: Lock pages in memory.

SE_MACHINE_ACCOUNT_NAME
TEXT("SeMachineAccountPrivilege")
    Required to create a computer account.
    User Right: Add workstations to domain.

SE_MANAGE_VOLUME_NAME
TEXT("SeManageVolumePrivilege")
    Required to enable volume management privileges.
    User Right: Manage the files on a volume.

SE_PROF_SINGLE_PROCESS_NAME
TEXT("SeProfileSingleProcessPrivilege")
    Required to gather profiling information for a single process.
    User Right: Profile single process.

SE_RELABEL_NAME
TEXT("SeRelabelPrivilege")
    Required to modify the mandatory integrity level of an object.
    User Right: Modify an object label.

SE_REMOTE_SHUTDOWN_NAME
TEXT("SeRemoteShutdownPrivilege")
    Required to shut down a system using a network request.
    User Right: Force shutdown from a remote system.

SE_RESTORE_NAME
TEXT("SeRestorePrivilege")
    Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. This privilege is required by the RegLoadKey function. The following access rights are granted if this privilege is held:
        WRITE_DAC
        WRITE_OWNER
        ACCESS_SYSTEM_SECURITY
        FILE_GENERIC_WRITE
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        DELETE
    User Right: Restore files and directories.

SE_SECURITY_NAME
TEXT("SeSecurityPrivilege")
    Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.
    User Right: Manage auditing and security log.

SE_SHUTDOWN_NAME
TEXT("SeShutdownPrivilege")
    Required to shut down a local system.
    User Right: Shut down the system.

SE_SYNC_AGENT_NAME
TEXT("SeSyncAgentPrivilege")
    Required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
    User Right: Synchronize directory service data.

SE_SYSTEM_ENVIRONMENT_NAME
TEXT("SeSystemEnvironmentPrivilege")
    Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
    User Right: Modify firmware environment values.

SE_SYSTEM_PROFILE_NAME
TEXT("SeSystemProfilePrivilege")
    Required to gather profiling information for the entire system.
    User Right: Profile system performance.

SE_SYSTEMTIME_NAME
TEXT("SeSystemtimePrivilege")
    Required to modify the system time.
    User Right: Change the system time.

SE_TAKE_OWNERSHIP_NAME
TEXT("SeTakeOwnershipPrivilege")
    Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
    User Right: Take ownership of files or other objects.

SE_TCB_NAME
TEXT("SeTcbPrivilege")
    This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege.
    User Right: Act as part of the operating system.

SE_TIME_ZONE_NAME
TEXT("SeTimeZonePrivilege")
    Required to adjust the time zone associated with the computer's internal clock.
    User Right: Change the time zone.

SE_TRUSTED_CREDMAN_ACCESS_NAME
TEXT("SeTrustedCredManAccessPrivilege")
    Required to access Credential Manager as a trusted caller.
    User Right: Access Credential Manager as a trusted caller.

SE_UNDOCK_NAME
TEXT("SeUndockPrivilege")
    Required to undock a laptop.
    User Right: Remove computer from docking station.

SE_UNSOLICITED_INPUT_NAME
TEXT("SeUnsolicitedInputPrivilege")
    Required to read unsolicited input from a terminal device.
    User Right: Not applicable.

Remarks

Privilege constants are defined as strings in Winnt.h. For example, the SE_AUDIT_NAME constant is defined as "SeAuditPrivilege".

Requirements

Minimum supported client: Windows XP [desktop apps only]
Minimum supported server: Windows Server 2003 [desktop apps only]
Header: Winnt.h

See also

Privileges


Privileges

A privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time. Privileges differ from access rights in two ways:

- Privileges control access to system resources and system-related tasks, whereas access rights control access to securable objects.
- A system administrator assigns privileges to user and group accounts, whereas the system grants or denies access to a securable object based on the access rights granted in the ACEs in the object's DACL.

Each system has an account database that stores the privileges held by user and group accounts. When a user logs on, the system produces an access token that contains a list of the user's privileges, including those granted to the user or to groups to which the user belongs. Note that the privileges apply only to the local computer; a domain account can have different privileges on different computers.

When the user tries to perform a privileged operation, the system checks the user's access token to determine whether the user holds the necessary privileges, and if so, it checks whether the privileges are enabled. If the user fails these tests, the system does not perform the operation.

To determine the privileges held in an access token, call the GetTokenInformation function, which also indicates which privileges are enabled. Most privileges are disabled by default.

The Windows API defines a set of string constants, such as SE_ASSIGNPRIMARYTOKEN_NAME, to identify the various privileges. These constants are the same on all systems and are defined in Winnt.h. For a table of the privileges defined by Windows, see Privilege Constants. However, the functions that get and adjust the privileges in an access token use the LUID type to identify privileges. The LUID values for a privilege can differ from one computer to another, and from one boot to another on the same computer. To get the current LUID that corresponds to one of the string constants, use the LookupPrivilegeValue function. Use the LookupPrivilegeName function to convert a LUID to its corresponding string constant.

The system provides a set of display names that describe each of the privileges. These are useful when you need to display a description of a privilege to the user. Use the LookupPrivilegeDisplayName function to retrieve a description string that corresponds to the string constant for a privilege. For example, on systems that use U.S. English, the display name for the SE_SYSTEMTIME_NAME privilege is "Change the system time".

You can use the PrivilegeCheck function to determine whether an access token holds a specified set of privileges. This is useful primarily to server applications that are impersonating a client.

A system administrator can use administrative tools, such as User Manager, to add or remove privileges for user and group accounts. Administrators can programmatically use the Local Security Authority (LSA) functions to work with privileges. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove privileges from an account. The LsaEnumerateAccountRights function enumerates the privileges held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified privilege.
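
The held-versus-enabled distinction described above matters when auditing a token, so here is an added example (not part of the MSDN text) that parses a token's privilege list and reports the privileges whose table descriptions say they override ACL or ownership checks. It assumes input in the shape of `whoami /priv /fo csv` on an English-locale system; the sample data, the function names and the choice of which privileges to flag are this example's own.

```python
import csv
import io

# Privileges whose descriptions in the table above say they override ACL or
# ownership checks. The grouping is this example's choice, not Microsoft's.
ACL_OVERRIDING = {
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file and set any owner",
    "SeTakeOwnershipPrivilege": "take ownership without discretionary access",
    "SeDebugPrivilege": "adjust memory of other accounts' processes",
    "SeTcbPrivilege": "part of the trusted computer base",
    "SeSyncAgentPrivilege": "read all directory objects and properties",
}

# Constructed sample in the shape of `whoami /priv /fo csv` (English locale).
SAMPLE = '''"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeDebugPrivilege","Debug programs","Enabled"
'''

def parse_token_privileges(text):
    """Return {privilege name: enabled?} for every privilege held in the token."""
    held = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Privilege Name") or "").strip()
        state = (row.get("State") or "").strip().lower()
        if name:
            held[name] = state.startswith("enabled")
    return held

def audit(text):
    """List (name, state, reason) for held privileges that override access checks.

    Disabled entries are reported too: the token still holds them, and the
    process can enable them by adjusting its own token.
    """
    held = parse_token_privileges(text)
    findings = []
    for name in sorted(held):
        if name in ACL_OVERRIDING:
            state = "enabled" if held[name] else "held, disabled"
            findings.append((name, state, ACL_OVERRIDING[name]))
    return findings

if __name__ == "__main__":
    for name, state, reason in audit(SAMPLE):
        print(f"{name:28} {state:15} {reason}")
```

A privilege that does not appear in the output at all is not held by the token, which is the only state in which the system's first check fails outright.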

Related topics

Authorization Constants
Enabling and Disabling Privileges in C++







