Act as part of the operating system This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Counter Measure: Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which has this privilege inherently. Do not create a separate account and assign this user right to it. Potential Impact: There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account. [list_of_users_followed_by_comma] (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system (2) REG: ### (3) WMI: root\rsop\computer RSOP_UserPrivilegeRight AccountList UserRight='SeTcbPrivilege' and precedence=1 oval:org.secpod.oval:def:36553 SCAP Repo OVAL Definition 2016-08-05