User rights assignment on Windows 10 is crucial to system security and management. It defines a user's administrative privileges, determining their ability to perform specific tasks and access certain features.
Within an Active Directory domain, some users and groups are unique because they have all user rights assigned to them, and we cannot remove any of these rights/privileges.
- The Administrator user is special
- The ‘Domain Admins’ group is special
- The ‘Enterprise Admins’ group is special
Log in as UnTrustedUser on Windows 11 and open PowerShell.

Type:
whoami /priv

UnTrustedUser has the user rights seen above.
- Important: Disabled privileges are privileges that this user holds but that are currently disabled in the running process (PowerShell).
- The user ‘UnTrustedUser’ has the SeShutdownPrivilege, but it is in a disabled state.
- The PowerShell session would need to ‘enable’ this privilege before it can be used.
- (PowerShell is special. It can enable certain privileges when needed, so this privilege might as well be ‘enabled,’ which we’ll see shortly.)
Key concept: User privileges and process tokens.
- The situation described above can be summarized as follows:
- The user ‘UnTrustedUser’ has the SeShutdownPrivilege assigned.
- Any time we start a process on Windows, it receives a copy of all our privileges and group memberships inside a process token.
Process Tokens
A process token is a security object in Windows that contains the security context of a process. This includes:
- User SID (Security Identifier): The identifier for the user account associated with the process.
- Every object on Windows will have a unique SID, which is just a long series of numbers separated by hyphens.
- Example SID (they all look like this):
S-1-5-21-57923126-3692238891-973255253-1280
- Group SIDs: The identifiers for the groups to which the user belongs. This includes both local and domain groups.
- Privileges: The list of privileges granted to the user. Privileges are specific rights that allow the user to perform certain system-level operations, such as shutting down the system (SeShutdownPrivilege), changing the system time (SeSystemTimePrivilege), or managing the auditing and security log (SeSecurityPrivilege).
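
An added example, not from the original page: it parses the CSV output of whoami /priv and lists every privilege in the token that is missing from a baseline, counting disabled privileges as held. The sample rows, the baseline list and the function names ConvertFrom-WhoamiPriv and Find-UnexpectedPrivilege are assumptions made for illustration, and the column names assume an English-language Windows.

```powershell
# Added example. Sample rows are constructed; headers assume English-language Windows.
$sample = @'
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeSystemTimePrivilege","Change the system time","Disabled"
'@ -split "`r?`n"

function ConvertFrom-WhoamiPriv {
    # Turns the lines of `whoami /priv /fo csv` into objects.
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.'Privilege Name'
            Enabled = ($_.State -eq 'Enabled')
        }
    }
}

function Find-UnexpectedPrivilege {
    # Reports every privilege in the token that is not in the baseline.
    # Disabled entries are reported too: the privilege is assigned to the
    # user, and the process can enable it without any further grant.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Privilege,
        [Parameter(Mandatory)][string[]]$Baseline
    )
    $Privilege | Where-Object { $Baseline -notcontains $_.Name } |
        Select-Object Name, Enabled
}

# Hypothetical baseline for a standard user account.
$baseline = 'SeShutdownPrivilege', 'SeChangeNotifyPrivilege',
            'SeUndockPrivilege', 'SeIncreaseWorkingSetPrivilege',
            'SeTimeZonePrivilege'

# Offline run against the constructed sample.
Find-UnexpectedPrivilege -Privilege @(ConvertFrom-WhoamiPriv $sample) -Baseline $baseline

# Live run against the current process token (Windows only).
if (Get-Command whoami.exe -ErrorAction SilentlyContinue) {
    $live = @(ConvertFrom-WhoamiPriv (whoami.exe /priv /fo csv))
    Find-UnexpectedPrivilege -Privilege $live -Baseline $baseline
}
```

Against the constructed sample, the only row reported is SeSystemTimePrivilege, with Enabled shown as False.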