DOCUMENT:Q163905 10-AUG-2001 [winnt] TITLE :Auditing User Right Assignment Changes PRODUCT :Microsoft Windows NT PROD/VER:winnt:3.5,3.51,4.0 OPER/SYS: KEYWORDS:kbenv ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0 - Microsoft Windows NT Server versions 3.51, 4.0 ------------------------------------------------------------------------------- SUMMARY ======= Windows NT can audit when a user or group is added to or removed from a User Right. To audit these types of action, choose the auditing category, Security Policy Changes in User Manager under the Policies menu, auditing. This is the only needed audit category to audit these specific actions. Only the audit category File and Object Access will add additional security events, but these events simply show objects being opened and handles being closed for user account access that populate the Add Users and Groups dialog boxes. MORE INFORMATION ================ Below is the sample output from the Security Event Log when a user is added to each of the User Right. Although User Manager does not differentiate between User Privileges and Rights, in actuality only Privileges are currently audited. Actions that are not audited are actually "rights." 1. Access this computer from the network: no events 2. Act as part of the operating system: (Advanced Right) 2/17/97 2:29:19 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeTcbPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 3. Add workstations to domain: 2/17/97 2:18:11 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeMachineAccountPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 4. Back up files and directories: 2/17/97 2:19:03 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeBackupPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 5. Bypass traverse checking: (Advanced Right) 2/17/97 2:30:06 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeChangeNotifyPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 6. Change the system time: 2/17/97 2:19:57 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeSystemtimePrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 7. Create a pagefile: (Advanced Right) 2/17/97 2:30:57 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeCreatePagefilePrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 8. Create a token object: (Advanced Right) 2/17/97 2:31:45 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeCreateTokenPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 9. Create permanent shared objects: (Advanced Right) 2/17/97 2:32:40 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeCreatePermanentPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 10. Debug programs: (Advanced Right) 2/17/97 2:33:41 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeDebugPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 11. Force shutdown from a remote system: 2/17/97 2:20:46 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeRemoteShutdownPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 12. Generate security audits: (Advanced Right) 2/17/97 2:34:31 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeAuditPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 13. Increase quotas: (Advanced Right) 2/17/97 2:35:12 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeIncreaseQuotaPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 14. Increase scheduling priority: (Advanced Right) 2/17/97 2:35:52 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeIncreaseBasePriorityPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 15. Load and unload device drivers: 2/17/97 2:21:43 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeLoadDriverPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 16. Lock pages in memory: (Advanced Right) 2/17/97 2:36:57 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeLockMemoryPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 17. Log on as a batch job: (Advanced Right) no events 18. Log on as a service: (Advanced Right) no events 19. Log on locally: no events 20. Manage auditing and security log: 2/17/97 2:25:18 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeSecurityPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 21. Modify firmware environment values: (Advanced Right) 2/17/97 2:41:54 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeSystemEnvironmentPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 22. Profile single process: (Advanced Right) 2/17/97 3:20:18 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeProfileSingleProcessPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 23. Profile system performance: (Advanced Right) 2/17/97 3:21:11 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeSystemProfilePrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 24. Replace a process level token: (Advanced Right) 2/17/97 3:21:57 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeAssignPrimaryTokenPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 25. Restore files and directories: 2/17/97 2:26:13 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeRestorePrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 26. Shut down the system: 2/17/97 2:27:00 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeShutdownPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) 27. Take ownership of files or other objects: 2/17/97 2:27:41 PM Security Success Audit Policy Change 608 randymc RANDYMC1 User Right Assigned: User Right: SeTakeOwnershipPrivilege Assigned To: S-1-5-21-2092848103-1120294241-1737835142-7944 Assigned By: User Name: randymc Domain: RANDYMCD Logon ID: (0x0,0x1EDC) Additional query words: ====================================================================== Keywords : kbenv Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS351search Version : winnt:3.5,3.51,4.0 Hardware : x86 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.