Edit

Share via

privilegeType Simple Type

  • Article

Privileges determine the type of system operations that a user account can perform. An administrator assigns privileges to user and group accounts. Each user's privileges include those granted to the user and to the groups to which the user belongs.

<xs:simpleType name="privilegeType">
    <xs:restriction
        base="string"
    >
        <xs:enumeration
            value="SeCreateTokenPrivilege"
         />
        <xs:enumeration
            value="SeAssignPrimaryTokenPrivilege"
         />
        <xs:enumeration
            value="SeLockMemoryPrivilege"
         />
        <xs:enumeration
            value="SeIncreaseQuotaPrivilege"
         />
        <xs:enumeration
            value="SeUnsolicitedInputPrivilege"
         />
        <xs:enumeration
            value="SeMachineAccountPrivilege"
         />
        <xs:enumeration
            value="SeTcbPrivilege"
         />
        <xs:enumeration
            value="SeSecurityPrivilege"
         />
        <xs:enumeration
            value="SeTakeOwnershipPrivilege"
         />
        <xs:enumeration
            value="SeLoadDriverPrivilege"
         />
        <xs:enumeration
            value="SeSystemProfilePrivilege"
         />
        <xs:enumeration
            value="SeSystemtimePrivilege"
         />
        <xs:enumeration
            value="SeProfileSingleProcessPrivilege"
         />
        <xs:enumeration
            value="SeIncreaseBasePriorityPrivilege"
         />
        <xs:enumeration
            value="SeCreatePagefilePrivilege"
         />
        <xs:enumeration
            value="SeCreatePermanentPrivilege"
         />
        <xs:enumeration
            value="SeBackupPrivilege"
         />
        <xs:enumeration
            value="SeRestorePrivilege"
         />
        <xs:enumeration
            value="SeShutdownPrivilege"
         />
        <xs:enumeration
            value="SeDebugPrivilege"
         />
        <xs:enumeration
            value="SeAuditPrivilege"
         />
        <xs:enumeration
            value="SeSystemEnvironmentPrivilege"
         />
        <xs:enumeration
            value="SeChangeNotifyPrivilege"
         />
        <xs:enumeration
            value="SeRemoteShutdownPrivilege"
         />
        <xs:enumeration
            value="SeUndockPrivilege"
         />
        <xs:enumeration
            value="SeSyncAgentPrivilege"
         />
        <xs:enumeration
            value="SeEnableDelegationPrivilege"
         />
        <xs:enumeration
            value="SeManageVolumePrivilege"
         />
        <xs:enumeration
            value="SeImpersonatePrivilege"
         />
        <xs:enumeration
            value="SeCreateGlobalPrivilege"
         />
        <xs:enumeration
            value="SeTrustedCredManAccessPrivilege"
         />
        <xs:enumeration
            value="SeRelabelPrivilege"
         />
        <xs:enumeration
            value="SeIncreaseWorkingSetPrivilege"
         />
        <xs:enumeration
            value="SeTimeZonePrivilege"
         />
        <xs:enumeration
            value="SeCreateSymbolicLinkPrivilege"
         />
    </xs:restriction>
</xs:simpleType>

Enumeration values

The privilegeType simple type defines the following values.

Value Description
SeCreateTokenPrivilege Required to create a primary token. User Right: Create a token object.
SeAssignPrimaryTokenPrivilege Required to assign the primary token of a process. User Right: Replace a process-level token.
SeLockMemoryPrivilege Required to lock physical pages in memory. User Right: Lock pages in memory.
SeIncreaseQuotaPrivilege Required to increase the quota assigned to a process. User Right: Adjust memory quotas for a process.
SeUnsolicitedInputPrivilege Required to read unsolicited input from a terminal device. User Right: Not applicable.
SeMachineAccountPrivilege Required to create a computer account. User Right: Add workstations to domain.
SeTcbPrivilege This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. User Right: Act as part of the operating system.
SeSecurityPrivilege Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator. User Right: Manage auditing and the security log.
SeTakeOwnershipPrivilege Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. User Right: Take ownership of files or other objects.
SeLoadDriverPrivilege Required to load or unload a device driver. User Right: Load and unload device drivers.
SeSystemProfilePrivilege Required to gather profiling information for the entire system. User Right: Profile system performance.
SeSystemtimePrivilege Required to modify the system time. User Right: Change the system time.
SeProfileSingleProcessPrivilege Required to gather profiling information for a single process. User Right: Profile single process.
SeIncreaseBasePriorityPrivilege Required to increase the base priority of a process. User Right: Increase scheduling priority.
SeCreatePagefilePrivilege Required to create a paging file. User Right: Create a pagefile.
SeCreatePermanentPrivilege Required to create a permanent object. User Right: Create permanent shared objects.
SeBackupPrivilege Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyExfunctions. The following access rights are granted if this privilege is held: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE. User Right: Back up files and directories.
SeRestorePrivilege Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group security identifier (SID) as the owner of a file. This privilege is required by the RegLoadKey function. The following access rights are granted if this privilege is held: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, DELETE. User Right: Restore files and directories.
SeShutdownPrivilege Required to shut down a local system. User Right: Shut down the system.
SeDebugPrivilege Required to debug and adjust the memory of a process owned by another account. User Right: Debug programs.
SeAuditPrivilege Required to generate audit-log entries. Give this privilege to secure servers. User Right: Generate security audits.
SeSystemEnvironmentPrivilege Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. User Right: Modify firmware environment values.
SeChangeNotifyPrivilege Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users. User Right: Bypass traverse checking.
SeRemoteShutdownPrivilege Required to shut down a system by using a network request. User Right: Force shutdown from a remote system.
SeUndockPrivilege Required to undock a laptop. User Right: Remove computer from docking station.
SeSyncAgentPrivilege Required for a domain controller to use the LDAP directory synchronization services. This privilege allows the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. User Right: Synchronize directory service data.
SeEnableDelegationPrivilege Required to mark user and computer accounts as trusted for delegation. User Right: Enable computer and user accounts to be trusted for delegation.
SeManageVolumePrivilege Required to enable volume management privileges. User Right: Manage the files on a volume.
SeImpersonatePrivilege Required to impersonate. User Right: Impersonate a client after authentication. Windows XP/2000: This privilege is not supported.
Note that this value is supported starting with Windows Server 2003, Windows XP with SP2, and Windows 2000 with SP4.
SeCreateGlobalPrivilege Required to create named file mapping objects in the global namespace during Terminal Services sessions. This privilege is enabled by default for administrators, services, and the local system account. User Right: Create global objects. Windows XP/2000: This privilege is not supported.
Note that this value is supported starting with Windows Server 2003, Windows XP with SP2, and Windows 2000 with SP4.
SeTrustedCredManAccessPrivilege Required to access Credential Manager as a trusted caller. User Right: Access Credential Manager as a trusted caller.
SeRelabelPrivilege Required to modify the mandatory integrity level of an object. User Right: Modify an object label.
SeIncreaseWorkingSetPrivilege Required to allocate more memory for applications that run in the context of users. User Right: Increase a process working set.
SeTimeZonePrivilege Required to adjust the time zone associated with the computer's internal clock. User Right: Change the time zone.
SeCreateSymbolicLinkPrivilege Required to create a symbolic link. User Right: Create symbolic links.

Requirements

Requirement Value
Minimum supported client
 Windows 7 [desktop apps only]
Minimum supported server
 Windows Server 2008 R2 [desktop apps only]