NTRIGHTS - CMD

Overview

NTRIGHTS is a Windows Command-line tool used for modifying user account rights on local or remote systems. The primary function of NTRIGHTS is to grant or revoke Windows user rights, both logon rights and privileges, which are crucial for controlling what users can and cannot do on a system. This tool is especially useful in managing server permissions or automating permission settings across large networks.

Syntax

The basic syntax for NTRIGHTS is as follows:

NTRIGHTS +r RightName -u UserName [-m \\\ComputerName] [-e Entry] 
NTRIGHTS -r RightName -u UserName [-m \\\ComputerName] [-e Entry]
  • +r RightName: Grants the specified user right.
  • -r RightName: Revokes the specified user right.
  • -u UserName: Specifies the username to modify rights for.
  • -m \\\ComputerName: Specifies a remote machine. This parameter is optional; if omitted, the local machine is assumed.
  • -e Entry: Provides a text explanation for why the right was added or removed. This is optional.

Options/Flags

  • +r RightName: Grants the specified right to a user. Replace RightName with the actual right’s name.
  • -r RightName: Revokes the specified right from a user.
  • -u UserName: Specifies the user account affected by the command.
  • -m \\ComputerName: Target a remote system for the update. By default, rights are modified on the local system.
  • -e Entry: An optional explanation which gets logged, providing a reason or context for the change.

Examples

  1. Granting a User the Right to Log on Locally:

    NTRIGHTS +r SeInteractiveLogonRight -u johndoe

    This command grants the user johndoe the right to log on locally to a computer.

  2. Revoking Administrative Privileges:

    NTRIGHTS -r SeTakeOwnershipPrivilege -u johndoe

    Here, administrative rights to take ownership of other user’s files are revoked from the user johndoe.

  3. Modifying Rights on a Remote Machine:

    NTRIGHTS +r SeRemoteShutdownPrivilege -u johndoe -m \\Server01

    This grants the user johndoe the ability to shut down a remote machine named Server01.

Common Issues

  • User or Group Does Not Exist: Ensure the user or group name is spelled correctly and exists on the system or domain.
  • Insufficient Permissions: The user executing NTRIGHTS must have administrative privileges to modify rights.
  • Network Issues: When targeting remote machines, ensure network connectivity and permissions are correctly set up.

Integration

NTRIGHTS can be integrated with batch scripts or PowerShell scripts for automating user rights assignments across multiple machines. For example:

FOR /F %%i IN (servers.txt) DO NTRIGHTS +r SeDenyInteractiveLogonRight -u johndoe -m \\%%i

This script would iterate over a list of server names in servers.txt, revoking the interactive logon right from the user johndoe on each.

  • GPUPDATE: Force a Group Policy update.
  • CACLS: Display or modify Access Control Lists (ACLs) for files and directories.
  • NET USER: Manage user accounts.

Further reading and additional details can be usually found in the Windows Server documentation or via the Help command in CMD (NTRIGHTS /?).