AssignPrimaryToken

None

Allows a user to modify the security access token of a process.

Audit

None

Generates security audits.

Backup

Administrators Backup Operators

Allows a user to back up files and directories. This privilege replaces all file and directory permissions.

BatchLogon

None

Allows a user to log in as a batch job.

ChangeNotify

Everyone

Usually, rights to files and subdirectories flow downward; that is, users who do not have rights to a specific directory do not also have rights to access the subdirectories below that directory. This privilege allows a user to access subdirectories, even if that user has no rights to the parent directories.

CreatePagefile

None

Allows a user to create a page file. Security is determined by a user's access to the key:

\CurrentControlSet\Control\
SessionManagement

CreatePermanent

None

Allows a user to create special permanent objects, such as \\Device

CreateToken

None

Creates a token object. Only the Local Security Authority can do this. The Local Security Authority ensures that the user has permission to access the system. It is not possible to audit the use of this right. For C2 certification, we recommend that it not be assigned to any user.

Debug

Administrator

Debugs programs or objects such as threads. You cannot audit this privilege. For C2 certification, we recommend that it not be assigned to any user, including system administrators.

IncreaseBasePriority

Administrators
Power Users

Allows a user to increase the execution priority of a process.

IncreaseQuota

None

Allows a user to increase the object quotas.

InteractiveLogon

Most groups

Allows the user to log in interactively.

LoadDriver

Administrators

Allows a user to install and remove device drivers.

LockMemory

None

Allows a user to lock pages in the memory of the computer so the pages cannot be automatically backed up on a backing store like PAGEFILE.SYS.

MachineAccount

None

Allows a user to add a new machine to a domain.

NetworkLogon

Everyone

Allows users to connect to a computer from anywhere in the network. This means users do not have to be at a specific place or terminal to log into their computer.

ProfileSingleProcess

Administrators
Power Users

Allows a user to use performance‑monitoring tools in order to monitor the performance of a single process.

RemoteShutdownPrivilege

Administrators
Power Users

Allows a user to shut down a Windows system remotely.

Restore

Administrators
Backup Operators

Allows a user to restore backed‑up files and directories. This right replaces all file and directory permissions.

Security

Administrators

Allows a user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log.

Note: This privilege does not allow the user to set system auditing policies using the Audit command from the Policy menu in Microsoft's User Manager. Administrators always have the ability to view and clear the security log.

ServiceLogon

None

Enables a process to register with the system as a service.

Shutdown

Administrators
Backup Operators
Everyone
Power Users
Users

Allows the user to shut down the system from the system console.

SystemEnvironment

Administrators

Allows a user to modify the system environment variables. This enables the user to set up the system environment at their workstation, and ensure that all other users working on the same workstation use the same setup.

SystemProfile

Administrators

Allows a user to perform profiling (performance sampling) on the system.

SystemTime

Administrators
Power Users

Allows a user to set the time for the internal clock of the computer.

TakeOwnership

Administrators

Allows a user to become the owner of files, directories, printers, and other objects on the computer. This right replaces all permissions protecting objects.

Tcb

None

Enables a process to perform as a secure, trusted part of the operating system. Some subsystems are granted this privilege.