Access Credential Manager as trusted caller |
Used by Credential Manager during backup and recovery operations. No user accounts should be assigned this privilege. |
None; used by Winlogon |
Workstations |
Access this computer from the network |
Determines which users and groups can connect to this computer over the network. |
Administrators, Authenticated Users, Backup Operators, Users, Everyone |
Workstations, Servers, and Domain Controllers |
Act as part of the operating system |
Allows a process to impersonate any user account on the system with no additional authentication. |
None* |
Workstations, Servers, and Domain Controllers |
Add workstations to domain |
Determines which user accounts or groups can add workstations to the domain. |
Authenticated Users |
Domain Controllers |
Adjust memory quotas for a process |
Determines which user accounts can change the maximum memory consumption allowed for a process. |
Administrators, Local Service, Network Service |
Workstations, Servers, and Domain Controllers |
Allow logon locally |
Determines which user accounts can sign in to the computer. |
On workstations/servers: Administrators, Backup Operators, Power Users, Users, Guest
On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators |
Workstations, Servers, and Domain Controllers |
Allow logon through Remote Desktop Services |
Determines which user accounts can access the computer by using Remote Desktop Connections. |
On workstations/servers: Administrators, Remote Desktop Users
On domain controllers: Administrators |
Workstations, Servers, and Domain Controllers |
Back up files and directories |
Determines which user accounts or groups can bypass persistent object permissions for the purposes of backing up a computer. |
On workstations and servers: Administrators, Backup Operators
On domain controllers: Administrators, Backup Operators, Server Operators* |
Workstations, Servers, and Domain Controllers |
Bypass traverse checking |
Determines which user accounts can traverse directories even though
the user account might not have permissions to do so on the object. |
On workstations and servers: Administrators, Backup Operators, Users, Everyone, Local Service, Network Service
On domain controllers: Administrators, Authenticated Users,
Everyone, Local Service, Network Service, Pre–Windows 2000 Compatible
Access |
Workstations, Servers, and Domain Controllers |
Change the system time |
Determines which user accounts and groups can change the time on a computer. |
On workstations and servers: Administrators, Local Service
On domain controllers: Administrators, Server Operators, Local Service |
Workstations, Servers, and Domain Controllers |
Change the time zone |
Determines which user accounts and groups can change the time zone. |
Administrators, Users |
Workstations, Servers, and Domain Controllers |
Create a page file |
Determines which user accounts or groups can call an application programming interface (API) to create a page file. |
Administrators |
Workstations, Servers, and Domain Controllers |
Create a token object |
Determines which accounts can be used by processes to create tokens used for accessing local resources. |
None* |
Workstations, Servers, and Domain Controllers |
Create global objects |
Determines which user accounts can create global objects available to all sessions. |
Administrators, Local Service, Network Service, Service* |
Workstations, Servers, and Domain Controllers |
Create permanent shared objects |
Determines which accounts can be used by processes to create directory objects by using Object Manager. |
None | |
Create symbolic links |
Determines whether a user account can create a symbolic link from the computer where the user is signed in. |
Administrators |
Workstations, Servers, and Domain Controllers |
Debug programs |
Determines which accounts can attach a debugger to any process or to the Windows kernel. |
Administrators* |
Workstations, Servers, and Domain Controllers |
Deny access to this computer from the network |
Determines which accounts are prevented from accessing the computer over the network. |
Guest |
Workstations, Servers, and Domain Controllers |
Deny logon as a batch job |
Determines which accounts are prevented from signing in as a batch job. |
None |
Workstations, Servers, and Domain Controllers |
Deny logon as a service |
Determines which service accounts are prevented from registering a process as a service. |
None |
Workstations, Servers, and Domain Controllers |
Deny logon locally |
Determines which user accounts are denied the ability to sign in locally to a computer. |
Guest |
Workstations, Servers, and Domain Controllers |
Deny logon through Remote Desktop Services |
Determines which user accounts are denied access to a computer by using Remote Desktop Services. |
None |
Workstations, Servers, and Domain Controllers |
Enable computer and user accounts to be trusted for delegation |
Determines which user accounts can set the Trusted For Delegation property on a user or a computer object. |
Administrators* |
Domain Controllers |
Force shutdown from a remote system |
Determines which accounts can shut down a computer from a remote location. |
On workstations and servers: Administrators
On domain controllers: Administrators, Server Operators |
Workstations, Servers, and Domain Controllers |
Generate security audits |
Determines which accounts can be used by a process to trigger a security audit. |
Local Service, Network Service |
Workstations, Servers, and Domain Controllers |
Impersonate a client after authentication |
Allows programs running on behalf of the designated account to impersonate a client. |
Administrators, Local Service, Network Service, Service |
Workstations, Servers, and Domain Controllers |
Increase a process working set |
Determines which accounts can increase or decrease the size of a
working set. (A working set defines the memory needed by a process
within a given time interval.) |
Users |
Workstations, Servers, and Domain Controllers |
Increase scheduling priority |
Determines which accounts can use a process with write-property
access to a different process to increase the execution priority
assigned to that process. |
Administrators |
Workstations, Servers, and Domain Controllers |
Load and unload device drivers |
Determines which accounts can dynamically load and unload device drivers into kernel
mode. (When an application or driver runs in kernel mode, it is
operating at the highest protection ring within the operating system.) |
On workstations and servers: Administrators
On domain controllers: Administrators, Print Operators* |
Workstations, Servers, and Domain Controllers |
Lock pages in memory |
Determines which users can use a process to keep data in physical memory. |
None |
Workstations, Servers, and Domain Controllers |
Log on as a batch job |
Allows a user account to be signed in through a batch-queue facility. Provided for compatibility with earlier versions of Windows. |
Administrators, Backup Operators |
Workstations, Servers, and Domain Controllers |
Log on as a service |
Allows a security principal to sign in as a service. |
None |
Workstations, Servers, and Domain Controllers |
Manage auditing and security log |
Determines which accounts can specify object access auditing options for resources. |
Administrators |
Workstations, Servers, and Domain Controllers |
Modify an object label |
Determines which accounts can modify the integrity label of objects,
including files, registry keys, or processes owned by other users. |
None |
Workstations, Servers, and Domain Controllers |
Modify firmware environment values |
Determines which accounts can modify the firmware environment
variables stored in nonvolatile RAM. For x86 computers, the last-known
good configuration is modifiable. For Itanium-based systems, boot
information is stored and can be modified. |
Administrators |
Workstations, Servers, and Domain Controllers |
Perform volume maintenance tasks |
Determines which accounts can perform maintenance on a volume. |
Administrators* |
Workstations, Servers, and Domain Controllers |
Profile single process |
Determines which accounts can use performance-monitoring tools to monitor nonsystem processes. |
Administrators, Power Users |
Workstations, Servers, and Domain Controllers |
Profile system performance |
Determines which users can monitor performance of system processes. |
Administrators |
Workstations, Servers, and Domain Controllers |
Remove computer from docking station |
Determines whether an account can undock a portable computer. |
Administrators, Power Users, Users |
Workstations, Servers, and Domain Controllers |
Replace a process-level token |
Determines which user accounts can call the Create Process As User() API so one service can start another service. |
Network Service, Local Service |
Workstations, Servers, and Domain Controllers |
Restore files and directories |
Determines which accounts can bypass file, directory, registry, and
other persistent permissions when restoring backed-up objects. |
On workstations and servers: Administrators, Backup Operators.
On domain controllers: Administrators, Backup Operators, Server Operators* |
Workstations, Servers, and Domain Controllers |
Shut down the system |
Determines which accounts, when signed in locally, can shut down the operating system. |
On workstations: Administrators, Backup Operators, Users.
On domain controllers: Administrators, Backup Operators, Server Operators, Print Operators |
Workstations, Servers, and Domain Controllers |
Synchronize directory service data |
Determines which accounts can synchronize data with a directory service such as Active Directory. |
None |
Domain Controllers |
Take ownership of files or other objects |
Determines which accounts can take ownership of any securable object
in the system, including Active Directory objects, files, folders,
printers, and registry keys. |
Administrators* |
Workstations, Servers, and Domain Controllers |