user rights assignment install software

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to Set Logon User Rights with the Ntrights.exe in windows 10(64 bit) [duplicate]

I need to know whether ntrights.exe 64 bit version exists?

If not, which is the 64 bit equivalent of ntrights.exe?

Thanks in advance.

• command-line

What is an equivalent for ntrights.exe on Windows 10?

Set and Check User Rights Assignment via Powershell You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

Read the blakedrumm page for detailed instructions, and download the script .

I just tested it successfully on Windows 2022 Standard.

• 1 This look really useful but all of the links are broken. –  user2871239 Jan 26, 2023 at 13:35

Not the answer you're looking for? Browse other questions tagged windows-10 command-line 64-bit .

• The Overflow Blog
• Why do only a small percentage of GenAI projects actually make it into...
• Spreading the gospel of Python
• Featured on Meta
• Our Partnership with OpenAI
• What deliverables would you like to see out of a working group?

Hot Network Questions

• Does Popper's falsifiability criterion hold any utility?
• Why did the authors use the phrase "the quantity of people" in these examples?
• I lost the keys for a gate's lock. Where can I find a replacement cylinder or how can I get new keys?
• Is this "School of the Wyrm" wizard subclass I found balanced?
• Fully electric flamethrower
• Can I use a hose clamp to ground a wire to EMT?
• Not displaying bold chinese character in Times New Roman font
• Renewing UK passport also holding an Irish passport
• Order of the "children's card shuffle"
• How can I deal with a player that won't stop adding extras to their character?
• Why isn't LD_PRELOAD disabled by default in Linux?
• Extra NESTED LOOP / INNER JOIN causing NO JOIN PREDICATE warning
• For what kind of distributions could the joint distribution be determined uniquely by marginal distribution and correlation?
• Waste Products from Hydrogen Fuel Cells
• What could cause a society to collectively forget about an event?
• I cleaned the grease off an old floppy drive’s motor; do I need to lubricate it?
• Refused entry stamp (c) in Paris. Will it create problems?
• Python: Delete vertices by coordinates
• Bubbly foamed cone with insect inside
• Timetable for Cercanias AM narrow gauge railway in Spain
• Show don't tell with a blind character
• Does target of Geas know the penalty for disobeying?
• Simply Adjusting the Position of Dashed Lines in Nicematrix Package
• Viewing a 3D object from inside

How to apply Group Policy settings to specific users on Windows 11

Do you have to change policy settings but only for some users? Here's how on Windows 11.

On Windows 11 (similar to previous versions), the Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that provides an interface to allow administrators (and power users) to manage every Group Policy Object (GPO) on the local computer. It enables you to configure and customize system settings and control user accounts, security, and other administrative tasks that are typically not possible to configure through the Settings app (or Control Panel).

The only drawback about this management console is that the settings configured through the method will apply to every user as it doesn't offer an option to configure settings for a specific user or group. However, it's possible to roll out system changes to only some users by creating a User-Specific Local Group Policy (LGPO) snap-in.

This how-to guide will walk you through the steps to use the Local Group Policy Editor to apply settings only to specific users on Windows 11.

How to apply settings to specific user with Group Policy

To configure system settings that will only apply to specific users on Windows 11, use these steps:

• Use the  "Windows key + R"  keyboard shortcut to open the Run command.
• Type  MMC  and click the  OK  button.

• Open the  File  menu and select the  "Add/Remove Snap-in"  option.

• Under the "Available snap-ins" section, select the  "Group Policy Object Editor"  snap-in.
• Click the Under the "Available snap-ins" section, and select the  "Group Policy Object Editor"  snap-in.
• Click the  Add  button.

• Click the  Browse  button.
• Click the  User  tab.
• Select the user or group to apply the new configurations.

• Quick tip: To change settings for users with a "Standard user" account, select  Non-Administrators  from the list.
• Click the  OK  button.
• Click the  Finish  button.
• Open the  File  menu and select the  Save As  option.

• Confirm a name for the snap-in.
• Select a location to store the custom console with the configurations.
• Click the  Save  button.

After you complete the steps, you can open the newly created Microsoft Management Console to configure the settings you want to apply to a specific user.

For example, you can use these instructions to configure custom settings or restrict access to certain features, such as Registry , Command Prompt, Settings app, and others, allowing users to make unwanted system changes.

More resources

For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources:

Get the Windows Central Newsletter

All the latest news, reviews, and guides for Windows and Xbox diehards.

• Windows 11 on Windows Central — All you need to know
• Windows 10 on Windows Central — All you need to know

Mauro Huculak is technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

• 2 Windows 11 will finally let you use a VPN again, here's how to fix your PC
• 3 OpenAI's new GPT-4o went viral with a video demoing a 'seeing' AI assisting its 'blind' counterpart, a spectacle that truly needs to be seen to be believed
• 4 The world's best-selling video game is now 15 years old, and Xbox is celebrating with over two weeks of gifts and fun
• 5 OpenAI just announced GPT-4o, but developers can already try it out through Microsoft Azure

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Policy CSP - UserRights

• 26 contributors

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds . These settings are subject to change and may have dependencies on other features or services in preview.

User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see Well-known SID structures .

Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.

General example

Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.

Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator.

Grant a user right to Administrators group via SID:

Grant a user right to multiple groups (Administrators, Authenticated Users) via SID:

Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings:

Grant a user right to multiple groups (Authenticated Users, Administrators) via strings:

Empty input indicates that there are no users configured to have that user right:

If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag ( <![CDATA[...]]> ) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.

&#xF000; is the entity encoding of 0xF000 .

For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:

For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:

For example, the following syntax grants user rights to a specific user or group, by using the SID of the account or group:

AccessCredentialManagerAsTrustedCaller

This user right is used by Credential Manager during Backup/Restore. No accounts should've this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.

Description framework properties :

Group policy mapping :

AccessFromNetwork

This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services aren't affected by this user right.

Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

ActAsPartOfTheOperatingSystem

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Assigning this user right can be a security risk. Only assign this user right to trusted users.

AdjustMemoryQuotasForProcess

Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.

AllowLocalLogOn

This user right determines which users can log on to the computer.

Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.

AllowLogOnThroughRemoteDesktop

Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.

BackupFilesAndDirectories

This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read.

Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users.

BypassTraverseChecking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege doesn't allow the user to list the contents of a directory, only to traverse directories.

ChangeSystemTime

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

When you configure user rights, it replaces existing users or groups that were previously assigned to those user rights. The system requires that the Local Service account (SID S-1-5-19 ) always has the ChangeSystemTime right. Always specify Local Service , in addition to any other accounts that you need to configure in this policy.

If you don't include the Local Service account, the request fails with the following error:

ChangeTimeZone

This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and isn't affected by a change in the time zone.

CreateGlobalObjects

This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.

Assigning this user right can be a security risk. Assign this user right only to trusted users.

CreatePageFile

This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users.

CreatePermanentSharedObjects

This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it isn't necessary to specifically assign it.

CreateSymbolicLinks

This user right determines if the user can create a symbolic link from the computer he is logged-on to.

This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.

CreateToken

This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System.

Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.

DebugPrograms

This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

DenyAccessFromNetwork

This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

DenyLocalLogOn

This security setting determines which service accounts are prevented from registering a process as a service.

This security setting doesn't apply to the System, Local Service, or Network Service accounts.

DenyLogOnAsBatchJob

This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

DenyLogOnAsService

Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

This security setting doesn't apply to the System, Local Service, or Network Service accounts. Default: None.

DenyRemoteDesktopServicesLogOn

This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.

EnableDelegation

This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that's granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that's trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set.

Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

GenerateSecurityAudits

This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.

ImpersonateClient

Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they've created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they're started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that's being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users don't usually need this user right.

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.

IncreaseProcessWorkingSet

Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

IncreaseSchedulingPriority

This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

If you remove Window Manager\Window Manager Group from the Increase scheduling priority user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver.

On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.

LoadUnloadDeviceDrivers

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users.

This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

LogOnAsBatchJob

This security setting allows a user to be logged-on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

LogOnAsService

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

ManageAuditingAndSecurityLog

This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

ManageVolume

This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

ModifyFirmwareEnvironment

This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.

This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.

ModifyObjectLabel

This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

ProfileSingleProcess

This user right determines which users can use performance monitoring tools to monitor the performance of system processes.

ProfileSystemPerformance

This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

RemoteShutdown

This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

ReplaceProcessLevelToken

This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.

RestoreFilesAndDirectories

This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write.

Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.

ShutDownTheSystem

This security setting determines which users who are logged-on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

TakeOwnership

This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.

Related articles

Policy configuration service provider

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

Contribute to the Windows forum! Click  here  to learn more  💡

May 10, 2024

Contribute to the Windows forum!

Click  here  to learn more  💡

Windows 11 Forum Top Contributors: Ramesh Srinivasan  -  Kapil Arya MVP  -  neilpzz  -  RAJU.MSC.MATHEMATICS  -  _AW_   ✅

Windows 11 Forum Top Contributors:

Ramesh Srinivasan  -  Kapil Arya MVP  -  neilpzz  -  RAJU.MSC.MATHEMATICS  -  _AW_   ✅

• Search the community and support articles
• Search Community member

Ask a new question

Windows 11 will not allow access to the Local Administrator account

Report abuse

Reported content has been submitted​

Replies (6) 

• Independent Advisor

1 person found this reply helpful

Was this reply helpful? Yes No

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

Thanks for your feedback.

Thank you Kelly,

I did activate the Administrator account however when I try and Type "gpedit.msc" and press "Enter" to open the Local Group Policy Editor.

I get an error:

gpedit.msc : The term 'gpedit.msc' is not recognized as the name of a cmdlet, function, script file, or operable

program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

At line:1 char:1

+ gpedit.msc

+ ~~~~~~~~~~

    + CategoryInfo          : ObjectNotFound: (gpedit.msc:String) [], CommandNotFoundException

    + FullyQualifiedErrorId : CommandNotFoundException

You need to have Windows 11 Pro to access Group Editor, do you have Windows 11 Home?

Apperantly, yes

Windows 11 Home. Is it Upgradeable?

You would have to buy the upgrade to Pro edition but there is no guaranty it would fix the problem.

Are you talking about the built-in Administrator and how are you trying to access the account.

Perhaps system file scans will help:

Run DISM tool and check the issue. Please follow these steps:

a. Press Windows + X keys and click command prompt (admin). Or PowerShell (Admin).

b. Type the following command in command prompt.

DISM.exe /Online /Cleanup-image /Scanhealth [press return]

let the scan run and then

DISM.exe /Online /Cleanup-image /Restorehealth [press return]

once the scan is complete then use method 2.

System file checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files.

Run system file checker (SFC) and see if it helps. Please follow these steps:

sfc /scannow [press return]

After completing the scans restart using Start > Power > Restart.

Or a repair install using the latest ISO from Microsoft.

Repair Install Windows 10 with an In-place Upgrade | Tutorials (tenforums.com)

PS it's the same process for Windows 11 but you need to use the Windows 11 media creation tool for the ISO.

Download Windows 11 (microsoft.com)

Question Info

• Accounts, profiles, and login
• Norsk Bokmål
• Ελληνικά
• Русский
• עברית
• العربية
• ไทย
• 한국어
• 中文(简体)
• 中文(繁體)
• 日本語