How to view and modify User Rights Assignments
To run SWPM or other SAP applications/tools, it is required that your user accounts have assigned a specific set of rights/privileges. For example, the required privileges/user rights for <SID>adm and SAPService<SID> are (1837765 – Security policies for <SID>adm and SAPService<SID> on Windows):
- Act as part of the operating system
- Adjust memory quotas for a process
- Replace a process-level token
- Restore files and directories
A description of all available user rights/privileges is available at https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment.
The User Rights Assignment on a server can be viewed and modified locally via “Local Security Policy”. Modifications can be done only with administrative rights.
Note: If privileges/user rights are set via Domain Group Policy, the values overwrite the Local Security Policy.
View and modify User Rights Assignment on the local system
To view the current User Rights Assignment, open the Local Security Policy tool (secpol.msc) either via Start menu or Control Panel:
- Start Menu –> Windows Administrative Tools –> Local Security Policy
- Control Panel –> System and Security –> Administrative Tools –> Local Security Policy
Within the Local Security Policy application, navigate to Security Settings à Local Policies à User Rights Assignments:
To view or modify the list of users and groups, that are assigned to a specific privilege/user right (column “Policy”), select the item from the list and open the properties dialog:
View User Rights Assignments set by Domain Group Policy
To view the list of privileges/user rights that are set via Group Policy, you can use the command line tool gpresult.exe.
- Open an elevated command prompt (= Run as Administrator)
- Run the command: exe /H C:\Temp\gpres.html
- Open the file C:\Temp\gpres.html using a web browser
- Select “Show all” (upper right corner)
- Search for “User Rights Assignment”
- If any privilege/user right is set via group policy, you will find a list like this:
If you must modify a privilege/user right that is set via Group Policy (see above), ask your Windows AD domain administrators to assign a modified Group Policy to your windows host.