WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Replace process level token

Replace a process level token

AKA: SeAssignPrimaryTokenPrivilege, Replace a process level token

Default assignment: Administrators

This right is required in order to start a process under a different user account such as with the CreateProcessAsUser() Win32 API. See Create a token object for more information.

This right should normally only be granted to service and application accounts that will be starting new processes under various user accounts.

By default this right is not audited even if you enable Audit privilege use. See Full Privilege Auditing.

Back to top


Additional Resources