Act as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.


Assigning this user right can be a security risk. Only assign this user right to trusted users.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\User Rights Assignment


Logoff required



Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

User Rights security settings are not registry keys

Reboot required: 


Related content