Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.

[list of users followed by comma]

(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment!Replace a process level token (2) WMI: root sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeAssignPrimaryTokenPrivilege' and precedence=1