Act as part of the operating system
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Counter Measure:
Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which has this privilege inherently. Do not create a separate account and assign this user right to it.
Potential Impact:
There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account.
[list_of_users_followed_by_comma]
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
(2) REG: ###
(3) WMI: root\rsop\computer
RSOP_UserPrivilegeRight
AccountList
UserRight='SeTcbPrivilege' and precedence=1
oval:org.secpod.oval:def:36553
SCAP Repo OVAL Definition
2016-08-05