Peter Hinchley

Learning in Public

Override User Rights set via Group Policy using SecEdit

You are a local administrator on a server, and you are about to install an application. The installation package requires a specific user right, and guess what, you don't have it. To make matters worse, the required user right is managed via group policy, and you don't have the permissions needed to change it. Wouldn't it be great if you could define a local override for the user right set via group policy? Unfortunately, this isn't possible using the Local Security Policy editor (secpol.msc).

Fear not. There is a quick solution. Open an elevated command prompt and run the following command to export the currently configured user rights:

secedit /export /cfg policy.inf /areas USER_RIGHTS

Now edit policy.inf and grant yourself the required rights. For example, let's say the Debug Programs user right is cleared via group policy (i.e. not assigned to anyone). To grant the right to the local administrators group, add the following line to the policy file:

SeDebugPrivilege = *S-1-5-32-544

Here, SeDebugPrivilege is the identifier for the Debug Programs user right, and S-1-5-32-544 is the SID of the local administrators group. The leading asterisk marks the value as a SID rather than an account name.

After you have made the required changes, you can use the following command to apply the new user rights:

secedit /configure /db secedit.sdb /cfg policy.inf /overwrite /areas USER_RIGHTS

And that's it. If you now run secpol.msc you will see the Debug Programs user right has been assigned to the local administrators group.

Note: While this approach is useful for temporarily overriding the user rights set via group policy, the changes made via secedit will not be permanent; the user rights will be restored to their previous values during the next group policy refresh cycle.
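The same export can be used to check a server for this kind of local override. The script below is an added example, not part of the original post: it parses the [Privilege Rights] section of a secedit export and lists holders of a right that fall outside a baseline. The empty baseline, the temporary file name and the function name Get-UserRightHolder are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)][string]$Path,   # INF written by secedit /export
        [Parameter(Mandatory)][string]$Right   # e.g. SeDebugPrivilege
    )
    $inRights = $false
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # User rights live under the [Privilege Rights] section only.
            $inRights = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inRights -or $line -notmatch '=') { continue }
        $name, $value = $line -split '\s*=\s*', 2
        if ($name -ne $Right) { continue }
        # The value is a comma-separated list; SIDs carry a leading '*'.
        foreach ($entry in ($value -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $account = $entry               # entries without '*' are account names
            if ($entry.StartsWith('*')) {
                $entry = $entry.Substring(1)
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier $entry
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $account = '(unresolved SID)' }
            }
            [pscustomobject]@{ Right = $name; Holder = $entry; Account = $account }
        }
    }
}

$right    = 'SeDebugPrivilege'
$expected = @()   # Assumed baseline: Group Policy leaves the right unassigned
$inf      = Join-Path $env:TEMP 'user-rights-audit.inf'   # hypothetical file name

secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
$actual = @(Get-UserRightHolder -Path $inf -Right $right)
Remove-Item -LiteralPath $inf

$unexpected = @($actual | Where-Object { $_.Holder -notin $expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$right is held by accounts outside the baseline:"
    $unexpected | Format-Table -AutoSize
} else {
    "$right matches the baseline."
}
```

Run it again after the next group policy refresh (for example after gpupdate) to confirm the right has returned to the value set by group policy.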