Set and Check User Rights Assignment via Powershell

You can add, remove, and check user rights assignment (remotely / locally) with the following powershell scripts..

Posted by : blakedrumm on Jan 5, 2022

increase quotas user rights assignment

Local Computer

Remote computer, output types.

This post was last updated on August 29th, 2022

I stumbled across this gem ( weloytty/Grant-LogonAsService.ps1 ) that allows you to grant Logon as a Service Right for a User. I modified the script you can now run the Powershell script against multiple machines, users, and user rights.

Set User Rights

How to get it.

:arrow_left:

All of the User Rights that can be set:

Privilege PrivilegeName
SeAssignPrimaryTokenPrivilege Replace a process level token
SeAuditPrivilege Generate security audits
SeBackupPrivilege Back up files and directories
SeBatchLogonRight Log on as a batch job
SeChangeNotifyPrivilege Bypass traverse checking
SeCreateGlobalPrivilege Create global objects
SeCreatePagefilePrivilege Create a pagefile
SeCreatePermanentPrivilege Create permanent shared objects
SeCreateSymbolicLinkPrivilege Create symbolic links
SeCreateTokenPrivilege Create a token object
SeDebugPrivilege Debug programs
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session
SeDenyBatchLogonRight Deny log on as a batch job
SeDenyInteractiveLogonRight Deny log on locally
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyRemoteInteractiveLogonRight Deny log on through Remote Desktop Services
SeDenyServiceLogonRight Deny log on as a service
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeImpersonatePrivilege Impersonate a client after authentication
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeIncreaseWorkingSetPrivilege Increase a process working set
SeInteractiveLogonRight Allow log on locally
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeMachineAccountPrivilege Add workstations to domain
SeManageVolumePrivilege Perform volume maintenance tasks
SeNetworkLogonRight Access this computer from the network
SeProfileSingleProcessPrivilege Profile single process
SeRelabelPrivilege Modify an object label
SeRemoteInteractiveLogonRight Allow log on through Remote Desktop Services
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeRestorePrivilege Restore files and directories
SeSecurityPrivilege Manage auditing and security log
SeServiceLogonRight Log on as a service
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeSystemEnvironmentPrivilege Modify firmware environment values
SeSystemProfilePrivilege Profile system performance
SeSystemtimePrivilege Change the system time
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeTcbPrivilege Act as part of the operating system
SeTimeZonePrivilege Change the time zone
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
SeUndockPrivilege Remove computer from docking station
Note You may edit line 558 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Here are a few examples:

Add Users Single Users Example 1 Add User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -AddRight -UserRight SeInteractiveLogonRight Example 2 Add User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Add User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -AddRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Add User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -AddRight -Username S-1-5-11 -UserRight SeBatchLogonRight Add Multiple Users / Rights / Computers Example 5 Add User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -AddRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2
Remove Users Single Users Example 1 Remove User Right “Allow log on locally” for current user: . \Set-UserRights.ps1 -RemoveRight -UserRight SeInteractiveLogonRight Example 2 Remove User Right “Log on as a service” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeServiceLogonRight Example 3 Remove User Right “Log on as a batch job” for CONTOSO\User: . \Set-UserRights.ps1 -RemoveRight -Username CONTOSO\User -UserRight SeBatchLogonRight Example 4 Remove User Right “Log on as a batch job” for user SID S-1-5-11: . \Set-UserRights.ps1 -RemoveRight -Username S-1-5-11 -UserRight SeBatchLogonRight Remove Multiple Users / Rights / Computers Example 5 Remove User Right “Log on as a service” and “Log on as a batch job” for CONTOSO\User1 and CONTOSO\User2 and run on, local machine and SQL.contoso.com: . \Set-UserRights.ps1 -RemoveRight -UserRight SeServiceLogonRight , SeBatchLogonRight -ComputerName $ env : COMPUTERNAME , SQL.contoso.com -UserName CONTOSO\User1 , CONTOSO\User2

Check User Rights

In order to check the Local User Rights, you will need to run the above (Get-UserRights), you may copy and paste the above script in your Powershell ISE and press play.

UserAccountsRights

Note You may edit line 494 in the script to change what happens when the script is run without any arguments or parameters, this also allows you to change what happens when the script is run from the Powershell ISE.

Get Local User Account Rights and output to text in console:

Get Remote SQL Server User Account Rights:

Get Local Machine and SQL Server User Account Rights:

Output Local User Rights on Local Machine as CSV in ‘C:\Temp’:

Output to Text in ‘C:\Temp’:

PassThru object to allow manipulation / filtering:

:v:

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.

Email : [email protected]

Website : https://blakedrumm.com

My name is Blake Drumm, I am working on the Azure Monitoring Enterprise Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager and Azure Automation products, keep checking back for new posts. My goal is to post atleast once a month if possible.

  • operationsManager
  • troubleshooting
  • certificates
  • containerapps

UCF STIG Viewer Logo

  • NIST 800-53
  • Common Controls Hub

The Adjust memory quotas for a process user right must only be assigned to Administrators, Local Service, and Network Service.

Finding ID Version Rule ID IA Controls Severity
V-63849 WN10-UR-000020 SV-78339r1_rule Medium
Description
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Adjust memory quotas for a process" user right can adjust memory that is available to processes, and could be used in a denial of service (DoS) attack.
STIG Date
2015-11-30
Check Text ( C-64599r1_chk )
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment.

If any groups or accounts other than the following are granted the "Adjust memory quotas for a process" user right, this is a finding:

Administrators
LOCAL SERVICE
NETWORK SERVICE
Fix Text (F-69777r1_fix)
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Adjust memory quotas for a process" to only include the following groups or accounts:

Administrators
LOCAL SERVICE
NETWORK SERVICE

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Is it possible to limit the memory usage of a particular process on Windows

A user is doing calculations in Excel on very large sheets (upwards of 500mb) even with 16GB of ram, Excel (64-bit) will eat up all existing memory,I have seen it use upwards of 11GB of system memory.

Is there a way to say limit it somewhere reasonable at like 8GB so the system isn't bogged down and swapping through the pagefile to open a new tab in Chrome?

screampuff's user avatar

  • 1 If you limited it, as soon as it hit that limit, it would bog down and swap through the pagefile. –  David Schwartz Commented Oct 27, 2017 at 17:51
  • I'm ok with Excel bogging down, it's the rest of the computer and other applications having no avilable memory that is the issue. –  screampuff Commented Oct 27, 2017 at 17:52
  • 2 Swapping will bog down the whole system. Everything competes for the available I/O bandwidth. Everything competes for access to the kernel subsystem that transitions memory between free and in use. And so on. If you could memory constrain one process, you would make the whole system slow. You're almost certainly better off getting the calculations done quickly and efficiently. –  David Schwartz Commented Oct 27, 2017 at 18:18
  • 1 Unsure what the sheets are for, but it might be that Excel is the wrong tool: maybe a database would be a better choice. –  Yorik Commented Oct 27, 2017 at 18:43
  • 4 system job object? - lowleveldesign.org/2013/11/21/… might allow you to see the behaviour and if it's worth while. –  HelpingHand Commented Oct 27, 2017 at 20:15

4 Answers 4

I understand here the question is to find a way to limit the memory used by a process, no matter the impact of performance.

On Windows Server, you could do this using a tool called the Windows System Resource Manager which can limit the amount of working set that a process uses. This tool is installable (not installed by default) through the Add Features console on Windows Server 2008 R2.

On Windows 7/8/10 there is no Microsoft solution able to do this. You have to install a third party software like the following :

Process Tamer : https://www.donationcoder.com/Software/Mouser/proctamer/

Process Lasso : https://bitsum.com/

Sly Mat's user avatar

  • 4 In their web page they say it modifies CPU usage. How can memory-usage be managed in them? –  Ernesto Iglesias Commented Apr 27, 2021 at 4:56
  • To control quotas for memory and/or CPU usage, see @Mikhail’s answer discussing the free Processor Governor tool. (My 2022 answer also has a few additional details, fwiw.) –  Jim Grisham Commented Aug 28, 2022 at 19:41

Process Governor worked great for me. Open source, MIT License, easy to use:

Mikhail's user avatar

  • The --maxmem option didn't work for me. –  cxxl Commented May 16, 2019 at 12:30
  • Where is the exe file? –  secr Commented May 30, 2020 at 19:20
  • @secr see the Releases section in the right-hand pane, e.g. github.com/lowleveldesign/process-governor/releases/tag/… –  Ekus Commented May 11, 2021 at 14:43

As mentioned in @Mikhail’s answer , one can now easily utilize the Windows built-in system ‘Job Object’ using the free Processor Governor tool to set per-launch or persistent (via a registry entry) limits on CPU usage/allocation/affinity, memory usage, and network usage.

  • Using that tool as documentation, I suspect manual registry entries might make this possible without installing any third-party software.
  • Note for Process Governor : use the --recursive option with programs such as web browsers (and the apps based on them, such as ‘Electron’ apps) to make sure all of their (often numerous) child processes fall within the desired quotas.

Other possible options, as of 2022:

Not sure if there is an operational method to do this, but there is a GPO security setting for users controlling process memory limits.

  • Policy location: Computer Configuration\Windows Settings\Security Settings\User Rights Assignment\
  • see Adjust memory quotas for a process @ Microsoft Docs

Running the 32-bit version of Excel should intrinsically limit the amount of memory it can use to 2GB (or 3GB/4GB, depending on Windows version and settings) of RAM.

  • (Sadly, this won’t work for web browsers such as Google Chrome or Microsoft Edge that use a different process for ~every~ tab.)

Run Excel within a VM (e.g. Hyper-V) or a container (e.g. native Windows or via Kubernetes) that has a built-in method for limiting CPU and RAM usage.

  • i.e.: Excel running in a Kubernetes namespace (with ‘resource quota’ enabled for that namespace)
  • Some native Windows OS-level virtualization software, such as the now open-sourced Sandboxie-Plus , do not appear to currently support directly limiting CPU or memory usage (as of August 2022) .

Older questions with possible leads or solutions:

  • Set Windows process (or user) memory limit @ StackOverflow

Jim Grisham's user avatar

If the problem is that you're having trouble doing other things on the computer at the same time, you might want to try reducing Excel's CPU priority. So if you run something else, Excel will be forced to stop and wait since your program has a higher priority. It will take longer to finish, but you should be able to do other things at the same time.

Instructions for Windows 7:

  • Open the Task Manager (Ctrl+Alt+Del)
  • Open the Processes tab. Right-click on excel.exe and go to Set Priority.
  • Choose a new priority. Most processes run at Normal, so you can use either Below Normal or Low.

This is temporary, so you'll have to do it again if you quit Excel.

Source: https://www.sevenforums.com/tutorials/83361-priority-level-set-applications-processes.html

NotReallyHere12's user avatar

  • What does “using memory that isn't being used by anything else” mean?  I believe that your answer would still allow Excel to gobble up all the memory, but it would cause it to hold onto it for a longer period of (real) time .   Do you have a reason to believe otherwise? Please do not respond in comments; edit your answer to make it clearer and more complete. –  Scott - Слава Україні Commented Mar 6, 2018 at 20:59
  • 1 Edit made. I think some RAM might get reallocated by Superfetch but the point is to make other programs run faster. I might have the wrong idea though. –  NotReallyHere12 Commented Mar 7, 2018 at 2:53

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows-7 memory ..

  • The Overflow Blog
  • Rust is evolving from system-level language to UI and frontend development
  • Featured on Meta
  • Preventing unauthorized automated access to the network
  • Upcoming initiatives on Stack Overflow and across the Stack Exchange network...

Hot Network Questions

  • Overlapping Polygons in same shapefile
  • Decide symmetry of fractions
  • Does the bottom rotor on a Coaxial quadcopter spins faster?
  • If a semigroup embeds into a group, then is it a subdirect product of groups?
  • calling python within bash script
  • Does “redeeming quality” simply mean “positive quality” today?
  • Why isn't Listable listed as an attribute of functions such as QuantityMagnitude and UnitConvert?
  • How long should a direct quote be in order to be put in quotation marks?
  • Can weapon special abilities be activated at the same time with a single command?
  • How would a Magic-Fueled Industrial Revolution shape social classes in cities?
  • How does "attempting to influence a public servant by means of deceit" affect political activity?
  • How to permanently delete in QGIS an Annotations Layer?
  • Can this constraint be linearized?
  • Thesis part was flagged as AI generated even though it is all original
  • Best way to run cat 6 flat network cable under house
  • 64-pin chips in the 1980s
  • Is it practical in real life to drill magnetic screws into someone's skull in order to wear a wig?
  • How did “way to go” come to mean “well done”?
  • Why would sending true names in space not work?
  • What is the term for types that are not type variables?
  • Is LetsEncrypt activity Public?
  • Is it always possible to do a hohmann transfer orbit between two planets in a star system
  • Why do I need a USB-C controller for PD?
  • Growing food by firelight

increase quotas user rights assignment

increase quotas user rights assignment

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Increase scheduling priority

  • 1 contributor

Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting.

This policy setting determines which user accounts can increase the base priority class of a process. It is not a privileged operation to increase relative priority within a priority class. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools.

Specifically, this security setting determines which accounts can use a process with Write Property access to another process to increase the run priority that is assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

Constant: SeIncreaseBasePriorityPrivilege

Possible values

  • User-defined list of accounts
  • Not defined
  • Administrators

Best practices

  • Retain the default value as the only accounts responsible for controlling process scheduling priorities.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Policy management

This section describes features, tools, and guidance to help you manage this policy.

A restart of the computer is not required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

  • Local policy settings
  • Site policy settings
  • Domain policy settings
  • OU policy settings

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a denial-of-service condition.

Countermeasure

Verify that only Administrators and Window Manager\Window Manager Group have the Increase scheduling priority user right assigned to them.

Potential impact

None. Restricting the Increase scheduling priority user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.

If you remove Window Manager\Window Manager Group from the Increase scheduling priority user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.

On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.

Related topics

  • User Rights Assignment
  • Increase scheduling priority for Windows Server 2012 and earlier

Additional resources

Windows security encyclopedia

Windows security encyclopedia

#microsoft #windows #security

Search form

Adjust memory quotas for a process.

This privilege determines who can change the maximum memory that can be consumed by a process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Note: This privilege is useful for system tuning, but it can be misused, for example, in a denial-of-service attack.

Policy path: 

Comments: , default: , supported on: , registry settings: , reboot required: , related content.

WinSecWiki  > Security Settings  > Local Policies  > User Rights  > User Rights In-Depth  > Adjust Memory Quotas

Adjust memory quotas for a process

Default assignment: Administrators

Microsoft documentation is conflicting about this privilege. While the name itself and Windows Server 2003 documentation indicates this right has to do with changing memory quotas, XP documentation and a number of discussion groups indicate this right actually has more to do with being able to change the CPU time a process gets.

Other research shows this right is required for what would seem unrelated actions such as starting a process under a different user account with CreateProcessAsUser() API.  http://support.microsoft.com/kb/285879

In any case this is a right seldom needed by actual human users; it is sometimes needed by service/application accounts that start and manage other processes. For instance the IIS_WPG group which provides IIS worker processes with what they need to run, requires this right in order to run CGI processes.

Back to top

Adjust Memory Quotas

increase quotas user rights assignment

User name:
Password:
 
 
October 2024
Patch Tuesday
| | Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact [email protected].
| |

IMAGES

  1. View and increase resource quotas

    increase quotas user rights assignment

  2. Quota adjuster

    increase quotas user rights assignment

  3. Increasing quotas

    increase quotas user rights assignment

  4. Service quotas and limits

    increase quotas user rights assignment

  5. Tactic 4: Defend Your Domain Controllers

    increase quotas user rights assignment

  6. Quotas

    increase quotas user rights assignment

VIDEO

  1. Manage Customer Access and Advance User Rights

  2. 44 Configuring User and Group Quotas

  3. Overview of the Advance User Rights in Fast Accounts

  4. Fundamentals rights assignment and activities by standard 8th students #divinepublicschool #madanpur

  5. LeadSquared Product Updates: Learn What’s New!

  6. HUMAN RIGHTS (ASSIGNMENT)

COMMENTS

  1. Change User Rights Assignment Security Policy Settings in ...

    This tutorial will show you how to change User Rights Assignment security policy settings to control users and groups ability to perform tasks in Windows 10. You must be signed in as an administrator to change User Rights Assignment.

  2. Adjust memory quotas for a process - Windows 10 | Microsoft Learn

    Restrict the Adjust memory quotas for a process user right to only users who require the ability to adjust memory quotas to perform their jobs. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account.

  3. User Rights Assignment - Windows 10 | Microsoft Learn

    User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions.

  4. Set and Check User Rights Assignment via Powershell

    You can add, remove, and check User Rights Assignment (remotely / locally) with the following Powershell scripts.

  5. The Adjust memory quotas for a process user right must only ...

    Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the "Adjust memory quotas for a process" user right can adjust memory that is available to processes, and could be used in a denial of service (DoS) attack.

  6. Is it possible to limit the memory usage of a particular ...

    Running the 32-bit version of Excel should intrinsically limit the amount of memory it can use to 2GB (or 3GB/4GB, depending on Windows version and settings) of RAM. (Sadly, this won’t work for web browsers such as Google Chrome or Microsoft Edge that use a different process for ~every~ tab.)

  7. Understanding Group Policies: User Rights Assignment Policies

    We created the video below to explain the different User Rights Assignment policies that are available and how you can use those policies to control who is able to log onto a device and what they are able to do once they've logged on.

  8. Increase scheduling priority - Windows 10 | Microsoft Learn

    User Rights Assignment. Increase scheduling priority for Windows Server 2012 and earlier. Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting.

  9. Adjust memory quotas for a process | Windows security ...

    Adjust memory quotas for a process. This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

  10. Adjust memory quotas for a process - Ultimate Windows Security

    WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Adjust Memory Quotas.