USER_RIGHTS_POLICY
This policy item checks for the following value defined in Security Settings > Local Policies > User Rights Assignment. The check is performed by calling the function LsaEnumerateAccountsWithUserRight on the LSA policy handle.
Usage
<custom_item>
type: USER_RIGHTS_POLICY
description: ["description"]
value_type: [value type]
value_data: [value]
(optional) check_type: [value]
right_type: [right]
(optional) use_domain : [YES|NO]
</custom_item>
Note: User rights tests perform many requests against the domain controller. These tests must be included in a separate policy file and only launched against the Domain Controller and ONE system of the domain.
right_type
The right_type field corresponds to the right to test. Allowed values are:
right_type: RIGHT
Note: There must be no quotes around the RIGHT type as it is parsed as a token.
Where RIGHT can be:
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeBatchLogonRight
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateTokenPrivilege
SeDenyBatchLogonRight
SeDenyInteractiveLogonRight
SeDenyNetworkLogonRight
SeDenyRemoteInteractiveLogonRight
SeDenyServiceLogonRight
SeDebugPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseWorkingSetPrivilege
SeIncreaseQuotaPrivilege
SeInteractiveLogonRight
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeMachineAccountPrivilege
SeManageVolumePrivilege
SeNetworkLogonRight
SeProfileSingleProcessPrivilege
SeRemoteShutdownPrivilege
SeRemoteInteractiveLogonRight
SeRelabelPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeServiceLogonRight
SeShutdownPrivilege
SeSyncAgentPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemTimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
SeUnsolicitedInputPrivilege
value_type
value_type: USER_RIGHT
value_data
value_data: "user1" && "user2" && "group1" && ... && "groupn"
use_domain
The use_domain option is used to add the account domain names to the output of the check.
If you set use_domain to YES, you must modify value_data to include the Windows domain the user or group is a member of.
For example, value_data: "BUILTIN\Administrators" && "NT SERVICE\WdiServiceHost"
Example
<custom_item>
type: USER_RIGHTS_POLICY
description: "Create a token object"
value_type: USER_RIGHT
value_data: "Administrators" && "Backup Operators"
right_type: SeCreateTokenPrivilege
</custom_item>
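The two authoring mistakes this page warns about (a quoted right_type, and value_data entries without a domain when use_domain is YES) can be caught before a scan with a small linter. This is an added example, not part of the original page or the scanner's own tooling; the function names and the SAMPLE item are constructed for illustration, and the parser assumes one "key: value" pair per line.

```python
import re
# right_type tokens copied from the list on this page.
RIGHTS = set("""
SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeBackupPrivilege SeBatchLogonRight SeChangeNotifyPrivilege
SeCreateGlobalPrivilege SeCreatePagefilePrivilege SeCreatePermanentPrivilege SeCreateTokenPrivilege
SeDenyBatchLogonRight SeDenyInteractiveLogonRight SeDenyNetworkLogonRight SeDenyRemoteInteractiveLogonRight
SeDenyServiceLogonRight SeDebugPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege SeIncreaseWorkingSetPrivilege SeIncreaseQuotaPrivilege SeInteractiveLogonRight
SeLoadDriverPrivilege SeLockMemoryPrivilege SeMachineAccountPrivilege SeManageVolumePrivilege
SeNetworkLogonRight SeProfileSingleProcessPrivilege SeRemoteShutdownPrivilege SeRemoteInteractiveLogonRight
SeRelabelPrivilege SeRestorePrivilege SeSecurityPrivilege SeServiceLogonRight SeShutdownPrivilege
SeSyncAgentPrivilege SeSystemEnvironmentPrivilege SeSystemProfilePrivilege SeSystemTimePrivilege
SeTakeOwnershipPrivilege SeTcbPrivilege SeTimeZonePrivilege SeUndockPrivilege SeUnsolicitedInputPrivilege
""".split())

def parse_item(body):
    # One "key: value" pair per line; tolerate a space before the colon.
    pairs = (line.partition(":") for line in body.strip().splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs}

def lint_item(f):
    """Return the list of problems found in one USER_RIGHTS_POLICY item."""
    problems, right = [], f.get("right_type", "")
    if right[:1] in ('"', "'"):
        problems.append("right_type must not be quoted")
    elif right not in RIGHTS:
        problems.append("unknown right_type: " + right)
    if f.get("value_type") != "USER_RIGHT":
        problems.append("value_type must be USER_RIGHT")
    if f.get("use_domain") == "YES":
        for acct in re.findall(r'"([^"]*)"', f.get("value_data", "")):
            if acct and "\\" not in acct:
                problems.append("use_domain is YES but no domain in: " + acct)
    return problems

def lint_audit(text):
    # Lint every USER_RIGHTS_POLICY custom_item found in the audit text.
    bodies = re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S)
    return [lint_item(f) for f in map(parse_item, bodies) if f.get("type") == "USER_RIGHTS_POLICY"]

# Constructed sample: quoted right_type, and one account without a domain.
SAMPLE = r'''<custom_item>
type: USER_RIGHTS_POLICY
value_type: USER_RIGHT
value_data: "BUILTIN\Administrators" && "Backup Operators"
right_type: "SeDebugPrivilege"
use_domain : YES
</custom_item>'''
print(lint_audit(SAMPLE))
```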