how to open user rights assignment


User Rights Assignment - User rights, User wrongs


What is User Rights Assignment?

User rights assignments regulate access to computer and domain resources, with the ability to override permissions set on specific objects. Managed in Group Policy, each user right assignment has a constant name as well as a Group Policy name associated with it. The constant names are used when referring to the user right assignments in log events. In this section, they’re referred to as user rights, but they’re commonly known as privileges. Privileges are actions at the computer level that you can assign to users or groups.

User rights assignment is a vital part of IT security access and access control, referring to the permissions and privileges granted to individual users, or groups on a local computer or device level. These permissions dictate what actions users can perform on the system and what resources they can access.


Managed through either the local security policy or group policy settings, these settings define who can perform tasks such as logging on locally, making changes within the system such as the system time, accessing specific files or directories, shutting the system down and more.

Managing user rights assignment is vital for maintaining the security and integrity of Windows servers. By carefully controlling which users have access to which resources and what actions they can perform, administrators can reduce the risk of unauthorized access, data breaches, and other security incidents.

What user rights assignments allow you to do

Unlike file and folder permissions that control access to specific data, user rights govern what actions users can perform on a computer system. These special permissions go beyond basic access and determine a user’s ability to perform tasks as shown in the table below:

  • Allow log on locally: Allows users to log on directly to the server
  • Change the system time: Allows users to change the system time on a computer
  • Shut down the system: Allows users to shut down the computer
  • Debug programs: Allows users to debug programs running on the computer
  • Manage auditing and security log: Allows users to view and manage security logs on a computer
  • Take ownership of files or other objects: Allows users to take ownership of files or other objects on a computer
  • Load and unload device drivers: Allows users to load or unload device drivers on a computer
  • Back up files and directories: Allows users to back up files and directories on a computer
  • Restore files and directories: Allows users to restore backed-up files and directories on a computer
  • Allow log on through: Allows users to manage remote access to a computer

Why assign user rights?

User rights assignment acts as the gatekeeper to the system, determining what is and is not allowed to access it. If it is not configured correctly, it can leave a system exposed to threats that have been known vulnerabilities in the past:

Privilege Escalation: In some cases, a vulnerability combined with a weak user rights assignment configuration could allow an attacker with some initial access to escalate their privileges to a higher level.

Unintended Access: Many services and applications require network access. If the rights are set too permissively, an attacker on the network could potentially exploit that over-permissive configuration to gain access to unauthorized information.

Assigning user rights on Windows servers is crucial for maintaining a secure, well-managed environment where access to resources is controlled, and users have the appropriate level of permissions to perform their duties effectively while minimizing security risks.


Significance of rights and permissions

By allocating precise privileges to individual users based on their organizational roles or functions, it is possible to mitigate unauthorized access to sensitive data or restricted areas of a system. If designed well, users of a system have access only to resources they need to perform their job roles.

A system with predefined rights can increase efficiency, minimizing the need for a manager to manually assign individual rights and permissions and reducing the chance of human error during configuration.

This also allows for greater scalability, giving a system the flexibility it needs to grow and evolve with a company through growth and restructuring phases. Additionally, each user has a customized experience tailored to their needs and roles, enhancing day-to-day activities.

How does user rights assignment work

Assigning user rights offers administrators more granular control over who can perform specific actions or access certain system resources. Taking advantage of the principle of least privilege, it implements a zero-trust approach, ensuring users only have the specific rights necessary to perform their tasks. This helps to minimize the potential impact of security breaches and maintain a more secure system through.

How to find user rights assignment?

To view and modify user rights assignments on a local system:

To view the current User Rights Assignment, open the Local Security Policy tool (secpol.msc) either via the Start menu or Control Panel:

  • Go to the Start Menu.
  • Open Windows Administrative Tools.
  • Go to Local Security Policy.
  • Within the Local Security Policy application, navigate to Security Settings.
  • Go to Local Policies.
  • The User Rights Assignment policies are then shown.
  • To view or modify the list of users and groups that are assigned to a specific privilege/user right (column “Policy”), select the item from the list and open the properties dialog.
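
The same assignments can be reviewed without the GUI. The following is an added example, not code from the original article: it parses the [Privilege Rights] section that secedit /export /areas USER_RIGHTS writes, keyed by the constant names described above, and reports principals that hold sensitive rights outside a baseline. The sample export, its SIDs and account name, the function names, and the baseline values are all constructed for illustration.

```powershell
# Added example: audit exported user rights against a least-privilege baseline.
# On a live host (elevated prompt), replace the sample below with a real export:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $infText = Get-Content "$env:TEMP\rights.inf" -Raw

# Constructed sample in secedit's export format (SIDs and names are made up).
$infText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = svc_legacy
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Illustrative baseline (an assumption, not a benchmark's values):
# right constant name -> SIDs that are allowed to hold it.
$baseline = @{
    SeDebugPrivilege      = @('S-1-5-32-544')   # BUILTIN\Administrators
    SeBackupPrivilege     = @('S-1-5-32-544')
    SeLoadDriverPrivilege = @('S-1-5-32-544')
    SeTcbPrivilege        = @()                 # nobody
}

function ConvertFrom-UserRightsInf {
    # Returns an ordered dictionary: constant name -> array of SIDs / account names.
    param([Parameter(Mandatory)][string]$Text)
    $rights = [ordered]@{}
    $inSection = $false
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section carries user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            # SIDs are written with a leading '*'; entries without it are account names.
            $rights[$name] = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

function Resolve-Principal {
    # Best-effort SID -> DOMAIN\name translation; falls back to the raw value.
    param([string]$Id)
    if ($Id -notmatch '^S-1-') { return $Id }
    try {
        ([System.Security.Principal.SecurityIdentifier]$Id).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Id   # deleted account, unreachable domain, or non-Windows host
    }
}

function Compare-UserRightsBaseline {
    # Emits one object per principal that holds a baselined right but is not allowed to.
    param($Rights, [hashtable]$Baseline)
    foreach ($right in ($Baseline.Keys | Sort-Object)) {
        $assigned = @()
        if ($Rights.Contains($right)) { $assigned = @($Rights[$right]) }
        foreach ($id in $assigned) {
            if ($Baseline[$right] -notcontains $id) {
                [pscustomobject]@{
                    Right     = $right
                    Id        = $id
                    Principal = Resolve-Principal $id
                    Finding   = 'not in baseline'
                }
            }
        }
    }
}

$rights = ConvertFrom-UserRightsInf -Text $infText
Compare-UserRightsBaseline -Rights $rights -Baseline $baseline | Format-Table -AutoSize
```

Rights that are absent from the export have no principals assigned, so they produce no findings.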

To view and modify user rights assignments set by Domain Group Policy:

Below is a video explaining how to view and modify user rights assignment via Domain Group Policy:

CIS User Rights Assignment Security Policies

The Center for Internet Security (CIS) is a valuable resource for organizations providing a set of globally recognized best practices and security guidelines to help organizations bolster their security posture. CIS covers various aspects of system configuration, including user authentication, network access control, and user rights assignments.

Within user rights assignments there are 48 individual controls that need to be implemented based on the specific environment and deployment. However, these settings are not a one-size-fits-all solution: they must be configured individually, along with hundreds of other security settings, according to the needs of each system.

By carefully reviewing and implementing the relevant CIS controls, the overall security posture of a system can be significantly improved and make it more difficult for attackers to exploit vulnerabilities.


User Rights assignment best practices

Managing user rights is complex. Each user has multiple settings that control their actions, and these settings can impact other security measures across the system. Ensuring everything is configured correctly is crucial for robust system security.

Server hardening offers an effective solution. This process automates the configuration and ongoing reinforcement of security settings, reducing manual effort and safeguarding your system in today’s dynamic threat landscape.


Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignments (remotely or locally) with the following PowerShell scripts.

Posted by : blakedrumm on Jan 5, 2022


This post was last updated on August 29th, 2022

I stumbled across this gem (weloytty/Grant-LogonAsService.ps1) that allows you to grant Logon as a Service Right for a User. I modified the script; you can now run the PowerShell script against multiple machines, users, and user rights.

Set User Rights

How to get it.


All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station
Note: You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Here are a few examples:

Add Users

Single Users

Example 1: Add User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight

Example 2: Add User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Add User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Add User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Add Multiple Users / Rights / Computers

Example 5: Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Remove Users

Single Users

Example 1: Remove User Right “Allow log on locally” for current user:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight

Example 2: Remove User Right “Log on as a service” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight

Example 3: Remove User Right “Log on as a batch job” for CONTOSO\User:

    .\Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight

Example 4: Remove User Right “Log on as a batch job” for user SID S-1-5-11:

    .\Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight

Remove Multiple Users / Rights / Computers

Example 5: Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2, and run on the local machine and SQL.contoso.com:

    .\Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight, SeBatchLogonRight -ComputerName $env:COMPUTERNAME, SQL.contoso.com -UserName CONTOSO\User1, CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights). You may copy and paste the above script into your PowerShell ISE and press play.

Note: You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters. This also allows you to change what happens when the script is run from the PowerShell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:


I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.


Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post at least once a month if possible.


User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer-level actions that you can assign to users or groups. For the sake of maintainability, you should only assign privileges to groups, not to individual users. Each computer has its own user rights assignments. In particular, this means you should be cognizant of rights assignments on member servers, which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain, use Group Policy.

  • Logon rights
  • Admin equivalent rights
  • Tracking user rights with the security log
  • User rights in-depth
  • Access this computer from the network
  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Allow log on locally
  • Allow logon through Terminal Services
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create global objects
  • Create permanent shared objects
  • Debug programs
  • Deny access to this computer from the network
  • Deny logon as a batch job
  • Deny logon as a service
  • Deny logon locally
  • Deny logon through Terminal Services
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Impersonate a client after authentication
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Log on as a batch job
  • Log on as a service
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files and other objects


How to Give User Admin Rights in Windows 11: A Step-by-Step Guide

Giving someone admin rights in Windows 11 ensures they have full control over the computer, allowing them to install software, change system settings, and manage other user accounts. To complete this task, follow a simple set of steps that guides you through accessing and changing user account settings.

How to Give User Admin Rights in Windows 11

In the following steps, you will learn how to grant administrative privileges to a user account in Windows 11. This is useful if you want to empower another user to manage the machine or need to change permissions for specific tasks.

Step 1: Open the Settings Menu

Click on the Start menu and select "Settings."

This will open a window containing various options for personalizing and managing your Windows 11 experience.

Step 2: Go to Accounts

In the Settings window, select "Accounts" from the sidebar.

This section houses all the options related to user accounts, including family and other users.

Step 3: Select Family & Other Users

Under Accounts, click on "Family & other users."

This brings up a page where you can manage other users on your computer, including adding new users or modifying existing ones.

Step 4: Choose the User You Want to Modify

Find the user you want to grant admin rights to and click on their name.

This will expand a set of options for that user, including account type changes.

Step 5: Change Account Type

Click "Change account type" and select "Administrator" from the dropdown menu.

This step is crucial as it changes the user’s permissions from a standard user to an administrator.

Step 6: Confirm the Change

Click "OK" to apply the changes.

This finalizes the process, and the user now has administrative rights on the machine.

After completing these steps, the selected user will have full administrative rights, allowing them to install software, modify system settings, and manage other user accounts.

Tips for Giving Admin Rights in Windows 11

  • Backup Important Data : Always back up important files before making significant changes to user accounts.
  • Use Strong Passwords : Ensure the account receiving admin rights has a strong password to prevent unauthorized access.
  • Monitor Admin Activity : Regularly check the activities of users with admin rights to ensure they are not making harmful changes.
  • Create a Restore Point : Before granting admin rights, create a system restore point in case you need to revert changes.
  • Limit Admin Accounts : Only give admin rights to users who truly need them to minimize security risks.

Frequently Asked Questions

What is an administrator account?

An administrator account has full control over the computer, allowing the user to install software, change settings, and manage other accounts.

Do I need admin rights for installing software?

Yes, admin rights are typically required to install software and make significant changes to the system.

Can I remove admin rights later?

Absolutely. You can follow the same steps to downgrade the user from an administrator to a standard account.

Is it safe to have multiple admin accounts?

While possible, having multiple admin accounts can be risky. It’s best to limit the number of admin accounts to maintain security.

What if I forget the admin password?

If you forget the admin password, you can use another admin account to reset it or use Windows recovery tools.

Summary of Steps

  • Open the Settings Menu
  • Go to Accounts
  • Select Family & Other Users
  • Choose the User You Want to Modify
  • Change Account Type
  • Confirm the Change

Giving user admin rights in Windows 11 is a straightforward process but should be done with caution. By following the steps outlined, you can easily grant administrative privileges to a user, allowing them full control over the system. Remember to follow best practices like using strong passwords and monitoring admin activity to keep your system secure.

If you found this guide helpful, consider exploring other Windows 11 features to make the most out of your system. Happy computing!

Matt Jacobs Support Your Tech

Matt Jacobs has been working as an IT consultant for small businesses since receiving his Master’s degree in 2003. While he still does some consulting work, his primary focus now is on creating technology support content for SupportYourTech.com.

His work can be found on many websites and focuses on topics such as Microsoft Office, Apple devices, Android devices, Photoshop, and more.


Can't edit Local Security Policy

I'm trying to add users to the Access this computer from the network User Rights Assignment policy but the 'Add' button is disabled:


I'm connecting to the machine via RDP using the local Administrator account (not a domain user). I've also tried to do the same with a domain user that is in the Administrators group but the result is the same.

How can I add a user to this policy?

The machine is running Windows 7.


  • You need to be using a domain user in the Administrator user group –  Ramhound Commented Aug 27, 2015 at 12:38
  • I am using it (the built-in account..), but I log in via RDP. Does it matter? –  etaiso Commented Aug 27, 2015 at 12:38
  • You're not using one, you indicated you're using the local Administrator account, you need to be using a user connected to the domain with Administrator permissions. –  Ramhound Commented Aug 27, 2015 at 12:44
  • I also tried that. It's the same –  etaiso Commented Aug 27, 2015 at 12:46
  • Update your question; if I had known that, I could have saved time responding. –  Ramhound Commented Aug 27, 2015 at 12:51

You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy.

To modify this policy, either:

  • Modify the policy in the applicable domain Group Policy Object.
  • Prevent any domain-based GPOs from specifying this setting, then edit the computer's Local Group Policy.

  • where can I find this policy in the GPO? –  marijnr Commented Jun 13, 2018 at 13:15
  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment –  I say Reinstate Monica Commented Jun 13, 2018 at 13:16
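
To find which domain GPO is setting the right described in the answer above, the security templates stored with each GPO can be searched for the right's constant name. This is an added example, not part of the original question or answer; the function name, the sample folder, its GUIDs and its file contents are constructed, and it assumes the usual layout in which a GPO's security settings live in MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf under its Policies folder.

```powershell
# Added example: list the GPO folders whose security template defines a user right.
# On a real domain, point -PoliciesPath at \\<domain>\SYSVOL\<domain>\Policies.

function Find-GpoDefiningUserRight {
    param(
        [Parameter(Mandatory)][string]$PoliciesPath,
        [Parameter(Mandatory)][string]$UserRight      # constant name, e.g. SeNetworkLogonRight
    )
    $pattern = '^\s*{0}\s*=\s*(.*)$' -f [regex]::Escape($UserRight)
    foreach ($gpoDir in (Get-ChildItem -LiteralPath $PoliciesPath -Directory)) {
        $inf = Join-Path $gpoDir.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security template
        foreach ($hit in (Select-String -LiteralPath $inf -Pattern $pattern)) {
            [pscustomobject]@{
                GpoGuid = $gpoDir.Name
                Members = $hit.Matches[0].Groups[1].Value.Trim()
            }
        }
    }
}

# Constructed sample tree standing in for SYSVOL (GUIDs and contents are made up).
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'gpo-sample\Policies'
$samples = @{
    '{AAAAAAAA-0000-0000-0000-000000000001}' = "[Privilege Rights]`r`nSeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11"
    '{AAAAAAAA-0000-0000-0000-000000000002}' = "[Privilege Rights]`r`nSeShutdownPrivilege = *S-1-5-32-544"
}
foreach ($guid in $samples.Keys) {
    $dir = Join-Path $root "$guid\MACHINE\Microsoft\Windows NT\SecEdit"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'GptTmpl.inf') -Value $samples[$guid] -Encoding Unicode
}

# Only the first sample GPO defines "Access this computer from the network".
Find-GpoDefiningUserRight -PoliciesPath $root -UserRight SeNetworkLogonRight
```

A match shows that the GPO defines the setting, not that the GPO applies to a particular computer; gpresult /r /scope computer on the affected machine lists the GPOs that are actually applied.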

User rights assignment in Windows Server 2016


  • Built-in local security principals and groups
  • Center for Internet Security
  • Local policies/user rights assignment


Leos Marek


Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

  • Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
  • Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

  • Domain Controllers (DC)
  • Member Servers (MS)
  • User Workstations

Configuring user rights assignment via Group Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

Security policies do not support generated group names


The following groups are used throughout this article:

  • Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
  • Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
  • Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
  • Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
  • Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

  • CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
  • CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry: there will be no further emails unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example


User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up data and restore it on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as an inability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.
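An added example (not from the original article): a Python check that parses the `[Privilege Rights]` section of a `secedit /export /cfg outfile.cfg /areas USER_RIGHTS` template, maps well-known SIDs to group names, and diffs the result against some of the member-server recommendations listed above. The sample export is constructed, and treating a right that is missing from the export as assigned to no one is an assumption.

```python
"""Audit the [Privilege Rights] section of a secedit USER_RIGHTS export."""

# Well-known SIDs for the groups and service identities named in the article.
WELL_KNOWN_SIDS = {
    "S-1-5-6": "Service",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-114": "Local account and member of Administrators group",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Subset of the article's member-server recommendations, keyed by the constant
# name that secedit writes. An empty set means "No one (empty value)".
BASELINE = {
    "SeTrustedCredManAccessPrivilege": set(),
    "SeNetworkLogonRight": {"Administrators", "Authenticated Users"},
    "SeInteractiveLogonRight": {"Administrators"},
    "SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users"},
    "SeBackupPrivilege": {"Administrators"},
    "SeDenyNetworkLogonRight": {
        "Local account and member of Administrators group", "Guests"},
    "SeDebugPrivilege": {"Administrators"},
    "SeCreateTokenPrivilege": set(),
    "SeSystemtimePrivilege": {"Administrators", "Local Service"},
}

# Constructed sample of an export; the S-1-5-21-... account is made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def resolve(entry):
    """Turn '*S-1-5-32-544' into a group name; keep unknown SIDs and plain names."""
    entry = entry.strip()
    if entry.startswith("*"):
        sid = entry[1:]
        return WELL_KNOWN_SIDS.get(sid, sid)
    return entry


def parse_privilege_rights(text):
    """Return {constant name: set of accounts} from the export text."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                resolve(item) for item in value.split(",") if item.strip()}
    return rights


def load_export(path):
    """Read an export file; secedit normally writes it as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as handle:
        return parse_privilege_rights(handle.read())


def audit(rights, baseline=BASELINE):
    """List (right, unexpected accounts, missing accounts) for each deviation."""
    findings = []
    for name, expected in sorted(baseline.items()):
        actual = rights.get(name, set())  # assumption: absent means no one
        extra, missing = actual - expected, expected - actual
        if extra or missing:
            findings.append((name, sorted(extra), sorted(missing)))
    return findings


if __name__ == "__main__":
    for name, extra, missing in audit(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{name}: unexpected={extra} missing={missing}")
```

For the Deny rights, the "missing" column is the one that matters; for the Allow rights and privileges, review the "unexpected" column first. SIDs that are not in the well-known table are reported unresolved so that they can be looked up on the machine the export came from.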


Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run Invoke-RDUserLogoff (with correct HostServer and UnifiedSessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide the ability to run this command, and where (on the broker or the session host).

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.


Sir, we have user1 on server1. We want to collect logs of server1 from server2 using the credentials of user1. Surprisingly, even after entering the credentials of user1 in Event Viewer, it uses the credentials of the user logged in to server2.


What are the defaults for the "user rights assignment" in an AD environment?

In a non-domain environment, gpedit.msc lets me associate various "user rights" (like "create a pagefile" or "create permanent shared objects") with users or accounts. This is in Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

Where exactly do I do this in AD? (Please don't just say e.g. "Group Policy Management Console". I've looked at all of the tools I can find, especially in GPMC, and I can't see it. I need either very explicit directions or screen snaps.)

ADDED: Ok, I think I get it. You create a new GPO, click Edit, and this gets you to the Group Policy Management Editor where I find the familiar path. Then I link my new GPO to the domain or the OU or whatever where I want it to apply.

But I still have a question: none of the rights in the editor come pre-set to anything. Well, that makes sense because it's a brand new GPO. But is there any way to know what the defaults are, defaults that my new GPO will override? For example, what rights do members of the "Domain Admins" group get, by default?


Jamie Hanrahan's user avatar

  • If the downvoter would like to explain the reason for the downvote, I'd love to read it. I've been looking for this answer for over an hour so "did not do any research" is not the case. –  Jamie Hanrahan Commented Oct 17, 2018 at 20:10

2 Answers

The defaults are documented in:

Group Policy Settings Reference Spreadsheet https://www.microsoft.com/en-us/download/details.aspx?id=56946

On the Security tab. Covers all versions of Windows. (I don't believe it has been updated for 1809 yet).

Greg Askew's user avatar

It depends on what you're asking.

If you're asking for User Rights Assignment on a single computer, look for Local Security Policy.

If you're asking for User Rights Assignment as a group policy, well, it shows up just fine in my console. Are you using RSAT (Remote Server Administration Tools)? I'm using the RSAT available for Windows 10. Older versions of RSAT (or the version on the domain controller) may be missing some options.


  • Yeah... I finally realized (after asking the first form of the question) that you can only see them when you open the Editor. It's surprising to me though that the Default Domain Policy comes with everything "Not defined" and yet the defaults are certainly being applied. Thanks! –  Jamie Hanrahan Commented Oct 17, 2018 at 21:32


How to view user privileges using windows cmd?

I am trying to view the user privileges using the command prompt in Windows. User account & User privileges such as:

I tried using ntrights but it's not working. I can't use any tool as I am trying to create an automated script for an OS audit.

galoget's user avatar

  • When you say ntrights is "not working", what exactly goes wrong? –  Harry Johnston Commented Jul 24, 2012 at 0:08
  • Assuming it does not necessarily have to be cmd.exe: maybe you can do this with PowerShell? If so, maybe ask the question again here, this time with the "powershell" tag. –  knb Commented Oct 25, 2012 at 13:09

9 Answers

You can use the following commands:

For more information, check whoami @ technet .

rfb's user avatar

  • 2 Note that it's only available out of the box since Vista. In XP, it's in the "Windows XP SP2 Support Tools" download. –  ivan_pozdeev Commented Aug 3, 2015 at 11:27
  • This is the best answer. IMHO Anyone still using XP needs to upgrade –  Burt_Harris Commented May 25, 2017 at 15:54
  • Note that this will work for privileges but not for rights. –  Harry Johnston Commented Jun 5, 2017 at 22:15

Mark Russinovich wrote a terrific tool called AccessChk that lets you get this information from the command line. No installation is necessary.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

For example:

Returns this for me:

By contrast, whoami /priv and whoami /all were missing some entries for me, like SeServiceLogonRight .

twasbrillig's user avatar

  • 3 Tremendous -- not least, allows verification of the right for another user without impersonation with RUNAS. –  Jeremy McGee Commented Oct 1, 2014 at 11:47
  • 2 Yes, whoami /priv will only work for privileges, not rights, because it works by examining the current user token. Rights are only used at logon time, so there's no need for them to be kept in the token. –  Harry Johnston Commented Jun 5, 2017 at 22:13
  • 1 In later versions of AccessChk, -q has been replaced with -nobanner –  Dennis Commented Nov 10, 2023 at 10:22
  • AccessChk only works with domain accounts. –  Dennis Commented Jun 13 at 17:56

I'd start with:

Then examine the line for the relevant privilege. However, the problem now is that the accounts are listed as SIDs, not usernames.

Simon Catlin's user avatar

  • 19 Worth a mention... To find out which privs the current user has, use WHOAMI /PRIV. –  Simon Catlin Commented Apr 27, 2013 at 22:07
  • 1 More details on secedit here . –  not2qubit Commented Mar 4, 2014 at 17:09
  • Would be good if you could explain the details of this command better. I didn't get any sensible output from that on Win8.1. –  not2qubit Commented Mar 4, 2014 at 17:15
  • This is pretty horrible to use but it works well. After exporting the template using Simon's command above, you can import it again using: Secedit /configure /db secedit.sdb /cfg outfile.cfg /quiet /areas USER_RIGHTS –  NikG Commented Mar 20, 2015 at 17:51
  • I'm not sure whether this will work for rights that are acquired indirectly, e.g., via group membership. –  Harry Johnston Commented Jun 5, 2017 at 22:14

Go to command prompt and enter the command,

Will show your local group memberships.

If you're on a domain, use localgroup instead:

Check the list of local groups with localgroup on its own.

  • 6 I need the detailed privileges of all users as i am logged in as admin... not the basic user info... –  AJINKYA Commented Jul 23, 2012 at 6:47
  • Group membership is a different concept than user privileges. Use whoami /priv –  Burt_Harris Commented May 25, 2017 at 16:01

I wrote an open source tool that might be of assistance:

https://github.com/Bill-Stewart/PrivMan

To view a specific account (user or group) privileges/rights, you would use:

The output will be the list of privileges/rights (e.g., SeServiceLogonRight , etc.) directly assigned to that account.

Bill_Stewart's user avatar

This is not using a Windows command, but I'm leaving it here because it came in handy for me.

There is a tool https://github.com/winsiderss/systeminformer/ (successor of Process Hacker) which allows inspecting the token for each process and lists privileges available on the token. So if we find a process executing as the user we care about, we can check privileges available to the token which is essentially the privileges available to the user. If we start System Informer as NT Authority\System using a tool like psexec we can inspect tokens for every user.

Amit's user avatar

Install the newly released module Carbon.Security, which works on both local accounts and domain accounts

Get-CPrivilege -Identity <user>

Carbon has been around a long while, but it's gotten pretty big. So the new release splits Carbon into several smaller modules instead.

Dennis's user avatar

You may also use Windows PowerShell or the PowerShell window in Visual Studio and use the following command:

If you want the specific information attached to each role, you can do it this way:

Isaiah Ryman's user avatar

Use whoami /priv command to list all the user privileges.

Nimisha's user avatar

  • 6 You should not duplicate existing answers, especially that there already is a more complete answer . –  Roman Ryltsov Commented Jun 5, 2017 at 13:23


Allow log on locally - security policy setting

  • Windows 11
  • Windows 10

Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.

This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.

Note: Users who do not have this right are still able to start a remote interactive session on the device if they have the Allow logon through Remote Desktop Services right.

Constant: SeInteractiveLogonRight

Possible values

  • User-defined list of accounts
  • Not Defined

By default, the members of the following groups have this right on workstations and servers:

  • Administrators
  • Backup Operators

By default, the members of the following groups have this right on domain controllers:

  • Account Operators
  • Enterprise Domain Controllers
  • Print Operators
  • Server Operators

Best practices

  • Restrict this user right to legitimate users who must log on to the console of the device.
  • If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Default values

The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.

| Server type or GPO | Default value |
| --- | --- |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Account Operators, Administrators, Backup Operators, Enterprise Domain Controllers, Print Operators, Server Operators |
| Stand-Alone Server Default Settings | Administrators, Backup Operators, Users |
| Domain Controller Effective Default Settings | Account Operators, Administrators, Backup Operators, Enterprise Domain Controllers, Print Operators, Server Operators |
| Member Server Effective Default Settings | Administrators, Backup Operators, Users |
| Client Computer Effective Default Settings | Administrators, Backup Operators, Users |

Policy management

Restarting the device is not required to implement this change.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices. If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the Allowed logon locally system right or grant the right to that user account. The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain. If the Users group is listed in the Allow log on locally setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member.

Group Policy

Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:

  • Local policy settings
  • Site policy settings
  • Domain policy settings
  • OU policy settings

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Any account with the Allow log on locally user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.

Countermeasure

For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the Deny log on locally user right.
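One way to check a machine against this countermeasure, as an added example (not code from the original page or from Microsoft): it parses the [Privilege Rights] section of a `secedit /export` file and compares the holders of SeInteractiveLogonRight, the constant name of Allow log on locally, with a per-role baseline. The sample export, the function names and the role labels are constructed for illustration.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes; swap in (Get-Content rights.inf) to audit a real export.
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@ -split '\r?\n'

# Well-known SIDs: Administrators, Users, Backup Operators.
$Admins = 'S-1-5-32-544'; $Users = 'S-1-5-32-545'; $BackupOps = 'S-1-5-32-551'

# Permitted holders of "Allow log on locally" per role, following the countermeasure.
# Role labels are hypothetical; Workstation assumes Users is added to the server set.
$Baseline = @{
    DomainController = @($Admins)
    Server           = @($Admins, $BackupOps)
    Workstation      = @($Admins, $BackupOps, $Users)
}

function Get-RightHolders {
    param([string[]]$InfLines, [string]$Right)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights'); continue
        }
        if ($inSection -and $line -match ('^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$')) {
            # Comma-separated entries; SIDs carry a leading '*', unresolved names do not.
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right not listed in the export: nobody holds it
}

function Test-LocalLogonRight {
    param([string[]]$InfLines, [ValidateSet('DomainController', 'Server', 'Workstation')][string]$Role)
    $holders = @(Get-RightHolders -InfLines $InfLines -Right 'SeInteractiveLogonRight')
    $extra   = @($holders | Where-Object { $_ -notin $Baseline[$Role] })
    [pscustomobject]@{
        Role       = $Role
        Holders    = $holders -join ','
        Unexpected = $extra -join ','
        Compliant  = ($extra.Count -eq 0)
    }
}

'DomainController', 'Server', 'Workstation' |
    ForEach-Object { Test-LocalLogonRight -InfLines $sampleInf -Role $_ } | Format-Table -AutoSize
```

Account names that secedit could not resolve to a SID appear without the leading `*` and are reported as unexpected, which is the safe default for review.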

Potential impact

If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the Allow log on locally user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR_<ComputerName> account. You should confirm that delegated activities are not adversely affected by any changes that you make to the Allow log on locally user rights assignments.

Related topics

  • User Rights Assignment

COMMENTS

  1. Change User Rights Assignment Security Policy Settings in Windows 10

    1 Press the Win + R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2 Expand open Local Policies in the left pane of Local Security Policy, and click/tap on User Rights Assignment. (see screenshot below step 3) 3 In the right pane of User Rights Assignment, double click/tap on the policy (ex: "Shut down the system") you want to add users and/or ...

  2. User Rights Assignment

    User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy ...

  3. Configure security policy settings

    In the console tree, click Computer Configuration, select Windows Settings, and then select Security Settings. Do one of the following: Select Account Policies to edit the Password Policy or Account Lockout Policy. Select Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options. In the details pane, double-click the ...

  4. User Rights Assignment

    To Add a User or Group to a User Rights Assignment Policy. A) In the elevated command prompt, type the command below for what user or group that you would like to add to what policy, and press Enter. NOTE: See blue note box below step 4. ntrights -U " User or Group " +R PolicyConstantName.

  5. Understanding Group Policies: User Rights Assignment Policies

    Understanding Group Policies: User Rights Assignment Policies. User Rights Assignment is one of those meat and potatoes features of the operating system that we all have a cursory understanding of but rarely think about in depth. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and ...

  6. User Rights Assignment

    Go to Local Policies. User Rights Assignments will be shown as follows: To view or modify the list of users and groups, that are assigned to a specific privilege/user right (column " Policy "), select the item from the list and open the properties dialog: To view and modify user rights assignments set by Domain Group Policy: Below is a ...

  7. Allow or Prevent Users and Groups to Sign in Locally to Windows 10

    1. Press the Win+R keys to open Run, type secpol.msc into Run, and click/tap on OK to open Local Security Policy. 2. Expand open Local Policies in the left pane of Local Security Policy, click/tap on User Rights Assignment, and double click/tap on the Allow log on locally policy in the right pane. (see screenshot below) 3.

  8. Understanding User Rights Assignment

    The User Rights Assignment section of Windows Policy is where you get to manage this stuff. To see for yourself, open the default domain controllers Group Policy Object (GPO) or run gpedit.msc. With the policy management window open, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

  9. Set and Check User Rights Assignment via Powershell

    Personal File Server - Get-UserRights.ps1 Alternative Download Link. or. Personal File Server - Get-UserRights.txt Text Format Alternative Download Link. In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

  10. command line

    How to Set Logon User Rights with the Ntrights.exe in windows 10(64 bit) [duplicate] Ask Question Asked 8 years, 1 month ago. Modified ... and check User Rights Assignment (remotely / locally) with the following Powershell scripts. Read the blakedrumm page for detailed instructions, and download the script. I just tested it successfully on ...

  11. User Rights Assignment

    User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item. Each user right has a constant name and a Group Policy name associated with it. The constant names are used when ...

  12. windows

    I want to modify the user rights associated with a local user account. I want to add groups and users to a particular User Rights. This is done by opening the group policy and opening the following folder in the console tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

  13. User Rights Assignments

    User Rights Assignments. Although in this section they are called user rights, these authority assignments are more commonly called privileges. Privileges are computer level actions that you can assign to users or groups. For the sake of maintainability you should only assign privileges to groups not to individual users.

  14. How to Give User Admin Rights in Windows 11: A Step-by-Step Guide

    This brings up a page where you can manage other users on your computer, including adding new users or modifying existing ones. Step 4: Choose the User You Want to Modify. Find the user you want to grant admin rights to and click on their name. This will expand a set of options for that user, including account type changes. Step 5: Change ...

  15. Access this computer from the network

    Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group Policy. Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

  16. windows

    4. You cannot edit this User Rights Assignment policy because this setting is being managed by a domain-based Group Policy. In this case, the domain Group Policy setting has precedence and you are prevented from modifying the policy via Local Group Policy. To modify this policy, either:

  17. Active Directory user assignment rights

    User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tas...

  18. User rights assignment in Windows Server 2016

    They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are: Group policy objects (GPO) - Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.

  19. What are the defaults for the "user rights assignment" in an AD

    If you're asking for User Rights Assignment on a single computer, look for Local Security Policy. If you're asking for User Rights Assignment as a group policy, well, it shows up just fine in my console. ... I finally realized (after asking the first form of the question) that you can only see them when you open the Editor. It's surprising to ...

  20. User rights assignment in Group Policy Object using powershell?

    Manual steps: Open Group Policy Management. Navigate to the following path in the Group Policy Object. Select Policy. Right click & Edit: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Add/remove the necessary users. Image is no longer available. Windows.

  21. How to view user privileges using windows cmd?

    To view a specific account (user or group) privileges/rights, you would use: PrivMan -a username --list The output will be the list of privileges/rights (e.g., SeServiceLogonRight , etc.) directly assigned to that account.

  22. Allow log on locally

    For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server ...