Account Rights Constants
Account rights determine the type of logon that a user account can perform. An administrator assigns account rights to user and group accounts. Each user's account rights include those granted to the user and to the groups to which the user belongs.
A system administrator can use the Local Security Authority (LSA) functions to work with account rights. The LsaAddAccountRights and LsaRemoveAccountRights functions add or remove account rights from an account. The LsaEnumerateAccountRights function enumerates the account rights held by a specified account. The LsaEnumerateAccountsWithUserRight function enumerates the accounts that hold a specified account right.
The following account right constants are used to control the logon ability of an account. The LogonUser or LsaLogonUser functions fail if the account being logged on does not have the account rights required for the type of logon being performed.
Constant/value | Description |
---|---|
 | Required for an account to log on using the batch logon type. |
 | Explicitly denies an account the right to log on using the batch logon type. |
 | Explicitly denies an account the right to log on using the interactive logon type. |
 | Explicitly denies an account the right to log on using the network logon type. |
 | Explicitly denies an account the right to log on remotely using the interactive logon type. |
 | Explicitly denies an account the right to log on using the service logon type. |
 | Required for an account to log on using the interactive logon type. |
 | Required for an account to log on using the network logon type. |
 | Required for an account to log on remotely using the interactive logon type. |
 | Required for an account to log on using the service logon type. |
Remarks
The SE_DENY rights override the corresponding account rights. An administrator can assign an SE_DENY right to an account to override any logon rights that an account might have as a result of a group membership. For example, you could assign the SE_NETWORK_LOGON_NAME right to Everyone but assign the SE_DENY_NETWORK_LOGON_NAME right to Administrators to prevent remote administration of computers.
All of the LSA functions mentioned in the introduction above support both account rights and privileges. Unlike privileges, however, account rights are not supported by the LookupPrivilegeValue and LookupPrivilegeName functions. The GetTokenInformation function will obtain information on account rights if TokenGroups, and not TokenPrivileges, is specified as the value of the TokenInformationClass parameter.
The preceding account right constants are defined as strings in Ntsecapi.h. For example, the SE_INTERACTIVE_LOGON_NAME constant is defined as "SeInteractiveLogonRight".
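The deny-overrides rule from the Remarks, evaluated over a user's own account and group accounts. This is an added example, not code from the original page or from Microsoft. The struct, the function name and the sample accounts are hypothetical, and the right strings are repeated locally so the code builds without Windows headers (only "SeInteractiveLogonRight" is quoted on this page; the others are the values Ntsecapi.h gives those constants). On Windows the per-account lists would come from LsaEnumerateAccountRights.

```c
#include <stdio.h>
#include <string.h>

/* Right strings as defined in Ntsecapi.h, repeated here for a portable build. */
#define SE_NETWORK_LOGON_NAME          "SeNetworkLogonRight"
#define SE_DENY_NETWORK_LOGON_NAME     "SeDenyNetworkLogonRight"
#define SE_INTERACTIVE_LOGON_NAME      "SeInteractiveLogonRight"
#define SE_DENY_INTERACTIVE_LOGON_NAME "SeDenyInteractiveLogonRight"

/* Hypothetical model: one account (user or group) and the rights assigned
   directly to it, as LsaEnumerateAccountRights would list them. */
struct account {
    const char *name;
    const char *rights[4];              /* NULL-terminated */
};

static int holds(const struct account *a, const char *right) {
    for (int i = 0; i < 4 && a->rights[i]; i++)
        if (strcmp(a->rights[i], right) == 0) return 1;
    return 0;
}

/* accts[0..n) = the user's account plus every group it belongs to.
   Permitted only if some account grants the right and none holds the
   corresponding SE_DENY right. */
int logon_permitted(const struct account *accts, size_t n,
                    const char *allow, const char *deny) {
    int granted = 0;
    for (size_t i = 0; i < n; i++) {
        if (holds(&accts[i], deny)) return 0;   /* deny overrides any grant */
        if (holds(&accts[i], allow)) granted = 1;
    }
    return granted;
}

/* Constructed sample data modelled on the Remarks example. */
static const struct account ordinary_user[] = {
    { "Everyone", { SE_NETWORK_LOGON_NAME, SE_INTERACTIVE_LOGON_NAME, NULL } },
};
static const struct account admin_user[] = {
    { "Everyone", { SE_NETWORK_LOGON_NAME, SE_INTERACTIVE_LOGON_NAME, NULL } },
    { "Administrators", { SE_DENY_NETWORK_LOGON_NAME, NULL } },
};

int main(void) {
    printf("ordinary user, network: %d\n", logon_permitted(ordinary_user, 1,
           SE_NETWORK_LOGON_NAME, SE_DENY_NETWORK_LOGON_NAME));
    printf("administrator, network: %d\n", logon_permitted(admin_user, 2,
           SE_NETWORK_LOGON_NAME, SE_DENY_NETWORK_LOGON_NAME));
    return 0;
}
```

When auditing, feed the function the rights of every group in the user's token, since a single SE_DENY assignment on any one of them blocks that logon type.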
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows XP [desktop apps only] |
Minimum supported server | Windows Server 2003 [desktop apps only] |
Header | |