how to find user rights assignment

Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

How to get it

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

All of the User Rights that can be set:

Note You may edit line 437 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

Note You may edit line 467 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the System Center Enterprise Management Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager products mostly, keep checking back for new posts. My goal is to post atleast once a month if possible.

• operationsManager
• troubleshooting
• certificates

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Server Fault is a question and answer site for system and network administrators. It only takes a minute to sign up.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

What are the defaults for the "user rights assignment" in an AD environment?

In a non-domain environment, gpedit.msc lets me associate various "user rights" (like "create a pagefile" or "create permanent shared objects") with users or accounts. This is in Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

Where exactly do I do this in AD? (Please don't just say e.g. "Group Policy Management Console". I've looked at all of the tools I can find, especially in GPMC, and I can't see it. I need either very explicit directions or screen snaps.

ADDED: Ok, I think I get it. You create a new GPO, click Edit, and this gets you to the Group Policy Management Editor where I find the familiar path. Then I link my new GPO to the domain or the OU or whatever where I want it to apply.

But I still have a question: none of the rights in the editor come pre-set to anything. Well, that makes sense because it's a brand new GPO. But is there any way to know what the defaults are, defaults that my new GPO will override? For example, what rights do members of the "Domain Admins" group get, by default?

• active-directory

• If the downvoter would like to explain the reason for the downvote, I'd love to read it. I've been looking for this answer for over an hour so "did not do any research" is not the case. –  Jamie Hanrahan Oct 17, 2018 at 20:10

2 Answers 2

The defaults are documented in:

Group Policy Settings Reference Spreadsheet https://www.microsoft.com/en-us/download/details.aspx?id=56946

On the Security tab. Covers all versions of Windows. (I don't believe it has been updated for 1809 yet).

It depends on what you're asking.

If you're asking for User Rights Assignment on a single computer, look for Local Security Policy.

If you're asking for User Rights Assignment as a group policy, well, it shows up just fine in my console. Are you using RSAT (Remote Server Administration Tools)? I'm using the RSAT available for Windows 10. Older versions of RSAT (or the version on the domain controller) may be missing some options.

• Yeah... I finally realized (after asking the first form of the question) that you can only see them when you open the Editor. It's surprising to me though that the Default Domain Policy comes with everything "Not defined" and yet the defaults are certainly being applied. Thanks! –  Jamie Hanrahan Oct 17, 2018 at 21:32

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged active-directory ..

• The Overflow Blog
• Like Python++ for AI developers
• Being creative with math: The immersive artist who traded a sketchpad for a...
• Featured on Meta
• Alpha test for short survey in banner ad slots starting on week of September...
• What should be next for community events?

Hot Network Questions

• "bieten" with the meaning of "to ensure"
• Can acid-base reaction occur if two compounds (one acidic and one basic) are added to each other while being in their molten states/pure form?
• What is the point of this double-ended spanner?
• I (rev)?(pal)? the source code, you (rev)?(pal)? the input!
• Is it possible to work on your personal idea as PhD thesis?
• general principles of piercing the protective cover of unfrozen microwave ready meals
• story ID question: planets in interstellar space run on "slow speed" with people awaking for a few years, then sleeping for centuries
• What's the meaning of "Courtesy: [Name]" in an advertisement?
• In countries using Single Transferable Vote, how are voting results presented?
• What attracted Abimelech to an old woman in her 80s or 90s?
• How do I intentionally fly into turbulence?
• Can this be an example of sophism?
• Does the increase in German exports to Russia's neighbors make up for losses in Russia proper?
• How late were 80-column punched cards relevant?
• Python program to properly format North American phone numbers
• Add description next to matrix
• Does Sonoma encrypt a disk without asking?
• Low-noise/Stable power source options
• How to move forward after microaggression allegations against my TA
• Iteration counts of AMG solver changes in parallel
• Why does ranges::for_each return the function?
• What are the differences between regular and limited version of Planescape - Adventures in the Multiverse set?
• Hidden dots in the center
• Why is each transaction broadcast twice in the Bitcoin network?

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy .

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

• Notifications

Windows security encyclopedia

#microsoft #windows #security

Search form

User rights assignment, related content.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Super User is a question and answer site for computer enthusiasts and power users. It only takes a minute to sign up.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to list windows privileges for any user

I am trying to write a script to list the privileges (eg SeShutDownPrivilege etc) of all user accounts. I'd prefer it if my script could be run as a standard user, but I can run it as an admin account if I had to. Here are the approaches I have tried so far:

using tokensz (from https://blogs.technet.microsoft.com/askds/2007/11/02/whats-in-a-token/ ): works ( tokensz /compute_tokensize /dump_groups ) for the currently logged in user. But when logged in even as a domain administrator, when trying for another user ( tokensz /compute_tokensize /dump_groups /user:[another.user] ), I get the error SEC_E_LOGON_DENIED

whoami /all works but only for the currently logged in user

ntrights.exe doesn't appear to be able to list privileges, only add and remove.

secedit /export /areas USER_RIGHTS /cfg out.txt : lists all privileges and the SIDs that have that privilege, but that list appears incomplete; the output from tokensz shows a user John.Smith with SeShutdownPrivilege , but the output from secedit for SeShutdownPrivilege lists groups that John.Smith is not a member of.

I can use portable executables (eg tokensz.exe , ntrights.exe ) and built in utilities but will not be able to install applications or extensions

• windows-domain

• I believe your last proposal should really be secedit /export /mergedpolicy /areas USER_RIGHTS /cfg out.txt : this way it should list all the privileges that the security database will apply, should they come from the machine policies (as you got) as well as those granted through the Active Directory policies ("GPOs") –  AntoineL Oct 29, 2016 at 21:26

3 Answers 3

You can use AccessChk in accomplish this task.

Accesschk “domain\user” -a * will list all the permissions of a given domain user.

You can call this program within a PowerShell script, concatenate the results into a text file, then filter out just the permissions you want to know about.

For anybody looking for a PowerShell script, this ought to do it:

It gets the list of users who have a profile on the local machine , determines their names from the SID, and invokes accesschk - as recommended by Ramhound - on them. Each user's record starts with the username in DOMAIN\user format, contains each right on a line, and ends with a blank line. (SID translation courtesy of this article .) You can dump its stuff to a file with the redirection operator, > .

A caveat of AccessChk is that it seems to produce an empty list for domain users that don't have local admin rights. Therefore, this version that produces the above information for every known user in the domain and on the machine is a little lame, but may become useful with a future version of the tool:

If you're wondering what secedit is talking about, it's just getting the list of principals (in SID form) to which the rights have been assigned in User Rights Assignment (see secpol.msc ). Therefore, you'll usually see the SIDs for groups like Users or Administrators rather than specific people.

• I approve of this answer. –  Ramhound Apr 13, 2016 at 17:17
• My accesschk.exe does not list a -q option. Seems to be silently ignored. What is it supposed to do? –  StackzOfZtuff Jun 26, 2017 at 11:04
• @StackzOfZtuff -q removes the banner with the name, version, copyright, and description of the tool, so accesschk only prints the stuff we need. I see it listed here on Accesschk v5.2, but somewhere along the way to v6.1 it seems to have been renamed to -nobanner . –  Ben N Jun 26, 2017 at 13:56

This script may help you. It offers the following functions, all using pure PowerShell:

• Grant-UserRight
• Revoke-UserRight
• Get-UserRightsGrantedToAccount
• Get-AccountsWithUserRight
• Grant-TokenPrivilege
• Revoke-TokenPrivilege

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-7 powershell windows-domain vbscript privileges ..

• The Overflow Blog
• Like Python++ for AI developers
• Being creative with math: The immersive artist who traded a sketchpad for a...
• Featured on Meta
• Alpha test for short survey in banner ad slots starting on week of September...
• What should be next for community events?

Hot Network Questions

• Does interspecies breastfeeding occur in the wild?
• How to move forward after microaggression allegations against my TA
• Story about a secret agent or spy with skill set by personas
• Low-noise/Stable power source options
• Same flight taking one hour longer with same aircraft on different dates
• Does a company have to have your login information to verify your identity?
• How can I force an arrow in TikZ to go horizontally into a node?
• What is the purpose of this indoor crawlspace grate/vent?
• I have a distribution block buried under my center console. Would getting 12v from that line vs directly from the battery present any fire hazard?
• Is this revision of the level 2 Transmutation Wizard feature balanced? [Version 3]
• Why would people join a bloc party?
• Colourful Scenery
• Python program to properly format North American phone numbers
• What would be the range of a cargo 777 full of usable fuel up to MTOW?
• Can you "open" RAW camera files?
• What was the big pillar-shaped Beholder in 3.5?
• Daisy chaining APs or connect them into the central router?
• New chain coming off under torque
• What is meant by software and hardware implementations? How to do it?
• How to get the current value of LC_CTYPE etc. in Bash?
• What do we know about Andy Kaufman's SNL audition?
• Geometrical verifications for Algebraic formulae
• What was the purpose of the breastplate rings on samurai armor?
• Is there a resource for learning to read mathematical notation/equations/formulae?

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy .

• NIST 800-53
• Common Controls Hub

The Allow log on locally user right must only be assigned to the Administrators and Users groups.

Tim’s Tech Blurbs

Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else.

How to move Windows 10 User Rights Assignment to Endpoint Manager / Intune

Should you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship)

If you ask the Security team, the answer is a yes. We should set them.

Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.

First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need.

Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544.

Now we check the local account and we get S-1-5-113.

So Lets set up a polcy. Lets open Endpoint Mananger.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile

Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.

Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.

Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way)

Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.

Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot.

You should also do the testing on a test machine. Just in case you lock your self out.

How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things.

Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege

Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions.

Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college

Published by Tim Wood

Privacy overview.

User Rights Assignment Policy

Check that your User Rights Assignment policy settings comply with security standards in both your Group Policy Objects and on all your Windows computers at once with our reporting tool XIA Configuration .

Use the built-in Windows compliance benchmark to expose servers and workstations that do not meet your security policies.

XIA Configuration has a non-intrusive architecture with agentless data collection and PowerShell support .

User Rights Assignment in Group Policy

User Rights Assignment policy settings are typically viewed in the Group Policy Management Console in the following section:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

XIA Configuration presents this data in a modern, intuitive web interface and provides reporting functionality allowing you to audit all your Group Policy Objects at once.

Audit and document your User Rights Assignment settings

If you're performing a security audit on your network, checking group policy settings is essential. As well as getting data from Group Policy, XIA Configuration also automates the retrieval of applied security settings across all your Windows computers.

• The reporting feature allows you to query all your computers at once
• The Windows compliance benchmark allows you to check your data complies with security standards
• Report filters allow you to get the data you need for external auditors

Check your User Rights Assignment security settings

Both the privileges and the user rights that have been assigned to user accounts are covered.

• Display name - for example "Access to this computer from the network"
• Internal right or privilege name - for example "SeNetworkLogonRight"
• Configuration Source (Local / Group Policy (GPO))
• Users and groups with this right assigned

Press the Show details link to view all the user rights retrieved by XIA Configuration.

• Access Credential Manager as a trusted caller
• Access this computer from the network
• Act as part of the operating system
• Add workstations to domain
• Adjust memory quotas for a process
• Allow log on locally
• Allow log on through Remote Desktop Services
• Back up files and directories
• Bypass traverse checking
• Change the system time
• Change the time zone
• Create a pagefile
• Create a token object
• Create global objects
• Create permanent shared objects
• Create symbolic links
• Debug programs
• Deny access to this computer from the network
• Deny log on as a batch job
• Deny log on as a service
• Deny log on locally
• Deny log on through Remote Desktop Services
• Enable computer and user accounts to be trusted for delegation
• Force shutdown from a remote system
• Generate security audits
• Impersonate a client after authentication
• Increase a process working set
• Increase scheduling priority
• Load and unload device drivers
• Lock pages in memory
• Log on as a batch job
• Log on as a service
• Manage auditing and security log
• Modify an object label
• Modify firmware environment values
• Obtain an impersonation token for another user in the same session
• Perform volume maintenance tasks
• Profile single process
• Profile system performance
• Remove computer from docking station
• Replace a process-level token
• Restore files and directories
• Shut down the system
• Synchronize directory service data
• Take ownership of files or other objects

To see all the Windows settings supported by XIA Configuration, navigate up to Windows .

Try auditing your user rights assignment settings for free

No commitments. No costs. Try XIA Configuration today.

Up to Windows

This website uses cookies

By continuing to browse, you are agreeing to our use of cookies as explained in our Cookie Policy .

• Assigning User Rights

The most efficient way to assign user rights is to make the user a member of a group that already has the right. In some cases, however, you might want a user to have a particular right but not have all the other rights of the group. One way to resolve this problem is to give the user the rights directly. Another way to resolve this is to create a special group for users that need the right. This is the approach used with the Remote Desktop Users group, which was created by Microsoft to grant Allow Logon Through Terminal Services to groups of users.

You assign user rights through the Local Policies node of Group Policy. Local policies can be set on a per-computer basis using a computer's local security policy or on a domain or OU basis through an existing group policy for the related domain or OU. When you do this, the local policies apply to all accounts in the domain or OU.

Assigning User Rights for a Domain or OU

You can assign user rights for a domain or OU by completing the following steps:

• In the Group Policy Management Console, select the policy you want to work with, and then click Edit. Access the User Rights Assignment node by working your way down the console tree. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and User Rights Assignment.
• To configure a user right, double-click a user right or right-click it and select Properties. This opens a Properties dialog box. If the policy isn't defined, select Define These Policy Settings. To apply the right to a user or group, click Add User Or Group. Then, in the Add User Or Group dialog box, click Browse. This opens the Select Users, Computers, Or Groups dialog box.
• Type the name of the user or group you want to use in the field provided, and then click Check Names. By default, the search is configured to find built-in security principals, groups, and user accounts. After you select the account names or groups to add, click OK. The Add User Or Group dialog box should now show the selected accounts. Click OK again.
• The Properties dialog box is updated to refl ect your selections. If you made a mistake, select a name and remove it by clicking Remove. When you're fi nished granting the right to users and groups, click OK.

Assigning User Rights on a Specific Computer

User rights can also be applied to a specific computer. However, remember that domain and OU policy take precedence over local policy. This means that any settings in these policies will override settings you make on a local computer.

You can apply user rights locally by completing the following steps:

• Start Local Security Policy by clicking Start, Programs or All Programs, Administrative Tools, Local Security Policy. All computers, even domain controllers, have Local Security Policy. Settings available in the Local Security Policy console are a subset of the computer's local policy.
• Under Security Settings, expand Local Policies and then select User Rights Assignment.
• Double-click the user right you want to modify. The Properties dialog box shows current users and groups that have been given the user right.
• You can apply the user right to additional users and groups by clicking Add User Or Group. This opens the Select Users, Computers, Or Groups dialog box, which you can use to add users and groups.
• Click OK twice to close the open dialog boxes.

Note: If the options in the Properties dialog box are dimmed, it means the policy has been set at a higher level and can't be overridden locally.

In this tutorial:

• Managing Users, Groups, and Computers
• Managing Domain User Accounts
• Configuring User Account Policies
• Enforcing Password Policy
• Configuring Account Lockout Policy
• Creating Password Settings Objects and Applying Secondary Settings
• Understanding User Account Capabilities, Privileges, and Rights
• Creating and Configuring Domain User Accounts
• Configuring Account Options
• Configuring Profile Options
• Troubleshooting User Accounts
• Implementing and Creating Preconfigured Profiles
• Configuring Local User Profiles
• Implementing Mandatory User Profiles
• Managing User Data
• Using Offline Files
• Configuring Offline Files on Clients
• Maintaining User Accounts
• Moving User Accounts
• Resetting a User's Domain Password
• Creating a User Account Password Backup
• Managing Groups
• Understanding the Scopes of Groups
• Creating a Group
• Creating group accounts at the command line
• Modifying Groups
• Managing Computer Accounts
• Moving a Computer Account
• Configuring Properties of Computer Accounts
• Troubleshooting Computer Accounts
• MS PowerPoint
• Windows Vista
• Adobe Photoshop
• A+ Certification

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

User Rights Assignment

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in the Windows operating system.

User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment , or on the local computer by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see How to Configure Security Policy Settings .

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Additional resources