This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: None Countermeasure: Configure this setting so that only authorized users are allowed to modify object labels. Potential Impact: None, by default the Administrators group has this user right. Fix: (1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentModify an object label (2) REG: ### (3) WMI: root sopcomputer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeRelabelPrivilege' and precedence=1

[list_of_users_followed_by_comma]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label (2) REG: ### (3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeRelabelPrivilege' and precedence=1