
Overview

The UserRightAssignments command enumerates user rights assignments configured on the system. User rights (different from privileges) control which users and groups can perform specific system operations like network logon, batch jobs, service logons, and local logon. These assignments are critical for access control and privilege escalation assessment.

Syntax

# Local system
Seatbelt.exe UserRightAssignments

# Remote computer
Seatbelt.exe "UserRightAssignments <computername>"

This command does not support standard remote execution with the -computername parameter.

Output

Returns user right assignments:
  • User right name
  • Assigned users and groups (SIDs and names)
  • Description of the right

Use Cases

  • Red Team
  • Blue Team
  • Identify who can log on locally or remotely
  • Find users with SeBackupPrivilege or SeRestorePrivilege
  • Discover accounts that can run as services
  • Locate privilege escalation opportunities
  • Identify restricted logon rights

Example Output

====== UserRightAssignments ======

SeNetworkLogonRight (Access this computer from the network):
  Everyone
  BUILTIN\Administrators
  BUILTIN\Users
  CORP\Domain Users

SeDenyNetworkLogonRight (Deny access to this computer from the network):
  NT AUTHORITY\LOCAL ACCOUNT
  CORP\Blocked Users

SeInteractiveLogonRight (Allow log on locally):
  BUILTIN\Administrators
  BUILTIN\Users
  CORP\Help Desk

SeDenyInteractiveLogonRight (Deny log on locally):
  CORP\Service Accounts

SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services):
  BUILTIN\Administrators
  BUILTIN\Remote Desktop Users
  CORP\IT Support

SeBackupPrivilege (Back up files and directories):
  BUILTIN\Administrators
  BUILTIN\Backup Operators

SeRestorePrivilege (Restore files and directories):
  BUILTIN\Administrators
  BUILTIN\Backup Operators

SeServiceLogonRight (Log on as a service):
  NT SERVICE\ALL SERVICES
  CORP\svc_sql
  CORP\svc_backup

SeBatchLogonRight (Log on as a batch job):
  BUILTIN\Administrators
  BUILTIN\Backup Operators
  CORP\svc_task

Remote Execution

This command does NOT support standard remote execution.
However, you can specify a computer name as an argument: Seatbelt.exe "UserRightAssignments <computername>"

Detection Considerations

Low detection risk - queries Local Security Policy.
  • API Calls: Uses LsaEnumerateAccountRights and related LSA functions
  • Privilege Required: May require elevated privileges
  • Policy Access: Accesses Local Security Policy database

Important User Rights

  • SeBackupPrivilege - Can read any file (bypass ACLs)
  • SeRestorePrivilege - Can write any file (bypass ACLs)
  • SeDebugPrivilege - Can debug processes (credential access)
  • SeImpersonatePrivilege - Can impersonate tokens
  • SeLoadDriverPrivilege - Can load kernel drivers
  • SeTakeOwnershipPrivilege - Can take ownership of objects
  • SeAssignPrimaryTokenPrivilege - Can assign primary tokens
  • SeServiceLogonRight - Can run as a service
  • SeRemoteInteractiveLogonRight - Can RDP to system
  • SeTcbPrivilege - Act as part of operating system
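
For audit use, the following added example (not part of Seatbelt or of the original page) parses the text layout shown under Example Output and reports which principals outside the built-in namespaces hold a right from the list above. The function names, the expected-prefix allowlist and the sample text are assumptions made for this example.

```python
import re
# Rights the page lists under "Important User Rights".
SENSITIVE = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege",
    "SeImpersonatePrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeServiceLogonRight",
    "SeRemoteInteractiveLogonRight", "SeTcbPrivilege",
}
# Assumption: holders in these built-in namespaces are expected; tune per environment.
EXPECTED_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\", "NT SERVICE\\")
HEADER = re.compile(r"^(Se\w+)\s*\((.*)\):\s*$")  # e.g. "SeBackupPrivilege (Back up ...):"

def parse_assignments(text):
    """Map each right name to the principals listed under it."""
    rights, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = rights.setdefault(m.group(1), [])
        elif line[:1] in (" ", "\t") and line.strip() and current is not None:
            current.append(line.strip())
        elif line.strip():
            current = None  # banner or other unindented text closes the block
    return rights

def review(rights):
    """Sorted (right, principal) pairs: sensitive rights held outside built-in namespaces."""
    return sorted(
        (right, who)
        for right, holders in rights.items() if right in SENSITIVE
        for who in holders if not who.upper().startswith(EXPECTED_PREFIXES)
    )

# Constructed sample, abbreviated from the Example Output section.
SAMPLE = r"""====== UserRightAssignments ======
SeNetworkLogonRight (Access this computer from the network):
  CORP\Domain Users
SeBackupPrivilege (Back up files and directories):
  BUILTIN\Administrators
SeServiceLogonRight (Log on as a service):
  NT SERVICE\ALL SERVICES
  CORP\svc_sql
SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services):
  BUILTIN\Remote Desktop Users
  CORP\IT Support
"""
if __name__ == "__main__":
    for right, who in review(parse_assignments(SAMPLE)):
        print(f"{right}: {who}")
```

Comparing the reported pairs against a reviewed baseline per host turns the output into a drift check for newly granted rights.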