Ntrights

is a legacy command-line tool originally released as part of the Windows Server 2003 Resource Kit . It allows administrators to programmatically grant or revoke specific user rights (privileges) to users or groups, such as the ability to "Log on as a service" or "Shut down the system".

is a versatile command-line utility from the Windows Resource Kit that allows administrators to grant or revoke specific user rights on local or remote Windows computers. While it originated in the era of Windows NT and Windows Server 2003, it remains a valuable tool for automated security configuration and system administration in environments where legacy scripts are still in use. Core Functionality and Syntax

echo Configuration Complete.

If you’ve spent any significant time managing Windows Server environments or hardening workstations, you know that the Local Security Policy console ( secpol.msc ) is your best friend—until it isn’t.

ntrights +r [RightName] -u [UserOrGroup] ntrights -r [RightName] -u [UserOrGroup] ntrights

Short for , ntrights.exe is a command-line tool included in the Windows Server 2003 Resource Kit Tools. Despite its age, it remains surprisingly relevant and functional on modern versions of Windows (including Windows 10/11 and Server 2019/2022).

: Used to grant ( +r ) or revoke ( -r ) a specific right. is a legacy command-line tool originally released as

In legacy Windows environments (NT 4.0, 2000, XP, Server 2003), assigning or revoking specific privileges for a user or group often required manual registry edits or third-party tools. The ntrights.exe utility provided a command-line interface to modify the Local Security Policy (LSA policy) by directly manipulating the Se* privileges stored in the security database.

ntrights +r SeServiceLogonRight -u "CONTOSO\svc_webapp" While it originated in the era of Windows

Instead, it requires the internal . Here is a quick cheat sheet for the most common mappings:

This is the classic use case. You have a domain service account that needs to run a Windows Service, but it keeps failing because it lacks the privilege.