3.1.1.2.1 Privilege Data Model
The server MUST maintain a list of privileges that it recognizes. A privilege is defined by a language-independent human-readable name, a locally unique identifier (LUID), and a language-dependent description of the privilege. Two different privileges MUST have different names as well as different LUIDs. The list of privileges known by the server SHOULD NOT change unless a major event, such as an operating system upgrade, takes place. The set of names identifying privileges and their LUIDs MUST be the same across all servers running the same revision of the operating system.
|
Name |
Type |
|---|---|
|
Name |
RPC_UNICODE_STRING |
|
Locally Unique Identifier |
LUID |
|
Privilege descriptions in different languages |
An array of RPC_UNICODE_STRINGs |
The Name and Locally Unique Identifier pair are communicated by the Local Security Authority (Domain Policy) Remote Protocol via the LSAPR_PRIVILEGE_ENUM_BUFFER structure.
Privilege Description is communicated by the Local Security Authority (Domain Policy) Remote Protocol via the LsarLookupPrivilegeDisplayName method.
The data model in this version of the protocol defines the privileges described in the table below. The descriptions that are provided are in English.<48>
|
Name |
LUID |
Privilege description |
|---|---|---|
|
SE_ASSIGNPRIMARYTOKEN_NAME "SeAssignPrimaryTokenPrivilege" |
{0,3} |
Replace a process-level token. |
|
SE_AUDIT_NAME "SeAuditPrivilege" |
{0,21} |
Generate security audits. |
|
SE_BACKUP_NAME "SeBackupPrivilege" |
{0,17} |
Back up files and directories. |
|
SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege" |
{0,23} |
Bypass traverse checking. |
|
SE_CREATE_GLOBAL_NAME "SeCreateGlobalPrivilege" |
{0,30} |
Create global objects. |
|
SE_CREATE_PAGEFILE_NAME "SeCreatePagefilePrivilege" |
{0,15} |
Create a page file. |
|
SE_CREATE_PERMANENT_NAME "SeCreatePermanentPrivilege" |
{0,16} |
Create permanent shared objects. |
|
SE_CREATE_TOKEN_NAME "SeCreateTokenPrivilege" |
{0,2} |
Create a token object. |
|
SE_DEBUG_NAME "SeDebugPrivilege" |
{0,20} |
Debug programs. |
|
SE_ENABLE_DELEGATION_NAME "SeEnableDelegationPrivilege" |
{0,27} |
Enable computer and user accounts to be trusted for delegation. |
|
SE_IMPERSONATE_NAME "SeImpersonatePrivilege" |
{0,29} |
Impersonate a client after authentication. |
|
SE_INC_BASE_PRIORITY_NAME "SeIncreaseBasePriorityPrivilege" |
{0,14} |
Increase scheduling priority. |
|
SE_INCREASE_QUOTA_NAME "SeIncreaseQuotaPrivilege" |
{0,5} |
Adjust memory quotas for a process. |
|
SE_LOAD_DRIVER_NAME "SeLoadDriverPrivilege" |
{0,10} |
Load and unload device drivers. |
|
SE_LOCK_MEMORY_NAME "SeLockMemoryPrivilege" |
{0,4} |
Lock pages in memory. |
|
SE_MACHINE_ACCOUNT_NAME "SeMachineAccountPrivilege" |
{0,6} |
Add workstations to domain. |
|
SE_MANAGE_VOLUME_NAME "SeManageVolumePrivilege" |
{0,28} |
Manage the files on a volume. |
|
SE_PROF_SINGLE_PROCESS_NAME "SeProfileSingleProcessPrivilege" |
{0,13} |
Profile single process. |
|
SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege" |
{0,24} |
Force shutdown from a remote system. |
|
SE_RESTORE_NAME "SeRestorePrivilege" |
{0,18} |
Restore files and directories. |
|
SE_SECURITY_NAME "SeSecurityPrivilege" |
{0,8} |
Manage auditing and security log. |
|
SE_SHUTDOWN_NAME "SeShutdownPrivilege" |
{0,19} |
Shut down the system. |
|
SE_SYNC_AGENT_NAME "SeSyncAgentPrivilege" |
{0,26} |
Synchronize directory service data. |
|
SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironment" |
{0,22} |
Modify firmware environment values. |
|
SE_SYSTEM_PROFILE_NAME "SeSystemProfilePrivilege" |
{0,11} |
Profile system performance. |
|
SE_SYSTEMTIME_NAME "SeSystemtimePrivilege" |
{0,12} |
Change system time. |
|
SE_TAKE_OWNERSHIP_NAME "SeTakeOwnershipPrivilege" |
{0,9} |
Take ownership of files or other objects. |
|
SE_TCB_NAME "SeTcbPrivilege" |
{0,7} |
Act as part of the operating system. |
|
SE_UNDOCK_NAME "SeUndockPrivilege" |
{0,25} |
Remove computer from docking station. |
|
SE_CREATE_SYMBOLIC_LINK_NAME "SeCreateSymbolicLinkPrivilege" |
{0,35} |
Create symbolic links. |
|
SE_INC_WORKING_SET_NAME "SeIncreaseWorkingSetPrivilege" |
{0,33} |
Increase a process working set. |
|
SE_RELABEL_NAME "SeRelabelPrivilege" |
{0,32} |
Modify an object label. |
|
SE_TIME_ZONE_NAME "SeTimeZonePrivilege" |
{0,34} |
Change time zone. |
|
SE_TRUSTED_CREDMAN_ACCESS_NAME "SeTrustedCredManAccessPrivilege" |
{0,31} |
Access Credential Manager as a trusted caller. |