This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Countermeasure: Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which has this privilege inherently. Do not create a separate account and assign this user right to it. Potential Impact: There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account.

[list_of_users_followed_by_comma]

(1) GPO: Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment\\Act as part of the operating system (2) REG: ### (3) WMI: root\\rsop\\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeTcbPrivilege' and precedence=1