NT_LsaOpenPolicy ?serverName?

This function returns a handle to the policy system on the specified computer, or the local one if one isn't specified.

NT_LsaSetPrivilege lsaHandle user_or_group_name privilegeName grant|revoke

NT_LsaSetPrivilege grants or revokes the specified privilege to/from the specified user or group. For example:

set lsahandle [NT_LsaOpenPolicy]
NT_LsaSetPrivilege $lsahandle jsmith SeBackupPrivilege grant

would grant the user "jsmith" the Backup right. Note that this function does not seem to work on backup domain controllers (BDCs).

NT_LsaEnumUserPrivileges lsaHandle user_or_group_name

NT_LsaEnumUserPrivileges returns a list of the privileges held by this user or group. This API call seems to have a bug: instead of returning each privilege as a separate element, it combines some into a single element, so you might get a return string that contains "SeBatchLogonRight SeSystemEnvironmentPrivilegeSeSystemProfilePrivilegeSeProfileSingleProcessPrivilege". You should use the "string match" command to find out whether a specified privilege is in the list, like this:

set lsahandle [NT_LsaOpenPolicy]
set rightslist [NT_LsaEnumUserPrivileges $lsahandle administrators]
if {[string match *SeSystemEnvironmentPrivilege* $rightslist]} {
  puts "You can modify the system environment."
}
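
When auditing rights, a substring test can also match a longer name that contains the one you asked for (for example, the Windows account right SeDenyInteractiveLogonRight contains SeInteractiveLogonRight). The following is an added example, not part of this extension: the procs splitPrivileges and hasPrivilege are hypothetical helpers that cut the fused elements apart and test for an exact name. It assumes every name starts with "Se" and ends in "Privilege" or "Right", and it runs on a constructed sample string rather than a live LSA handle.

```tcl
# Added example (not part of the extension): recover individual names from
# the fused elements that NT_LsaEnumUserPrivileges may return.

# Split a raw result into individual privilege/right names.
# Assumption: every name starts with "Se" and ends in "Privilege" or "Right".
proc splitPrivileges {raw} {
    set names {}
    # The non-greedy +? stops at the first valid ending, so names that were
    # run together are cut apart again.
    foreach name [regexp -all -inline {Se[A-Za-z]+?(?:Privilege|Right)} $raw] {
        if {[lsearch -exact $names $name] < 0} {
            lappend names $name
        }
    }
    return $names
}

# Exact membership test on the repaired list.
proc hasPrivilege {raw privilegeName} {
    expr {[lsearch -exact [splitPrivileges $raw] $privilegeName] >= 0}
}

# Constructed sample shaped like the buggy return value described above,
# plus one deny right. On a real system this would come from:
#   set rightslist [NT_LsaEnumUserPrivileges $lsahandle administrators]
set rightslist "SeBatchLogonRight\
 SeSystemEnvironmentPrivilegeSeSystemProfilePrivilegeSeProfileSingleProcessPrivilege\
 SeDenyInteractiveLogonRight"

puts "Individual names:"
foreach name [splitPrivileges $rightslist] {
    puts "  $name"
}

# A fused privilege is still found by the exact test.
puts "SeSystemProfilePrivilege (exact): \
[hasPrivilege $rightslist SeSystemProfilePrivilege]"

# The sample holds only the deny right; compare the exact test with the
# substring test, which cannot tell the two names apart.
puts "SeInteractiveLogonRight (exact): \
[hasPrivilege $rightslist SeInteractiveLogonRight]"
puts "SeInteractiveLogonRight (string match): \
[string match *SeInteractiveLogonRight* $rightslist]"
```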

NT_LsaEnumUsersWithPrivilege lsaHandle privilegeName

NT_LsaEnumUsersWithPrivilege returns a list of users with the specified privilege. An example:

set lsahandle [NT_LsaOpenPolicy]
set userlist [NT_LsaEnumUsersWithPrivilege $lsahandle SeBackupPrivilege]
puts "These users have the right to backup the system: $userlist"