The Programmatic Version of NTRights.exe

I was curious today as to the implementation of NTRights.exe, which comes in the Windows Server 2003 Resource Kit and is essentially the command-line version of User Rights Assignment. I did some research, and discovered these Lsa-prefixed Windows API functions:

• LsaEnumerateAccountsWithUserRight gets the list of principals with a given right (like viewing the properties of a privilege in User Rights Assignment)
• LsaAddAccountRights adds a principal to the list of things with a given right (like adding it to the list in URA). It will also create an account with the provided SID if it does not exist.
• LsaRemoveAccountRights strips a principal of a given right (like removing it from the URA list). It can also be used to delete an account if you pass a special flag.

They all look really gnarly to use in .NET with P/Invoke, but CodeProject does have an article on using LsaAddAccountRights from C#. (Careful: some comments on the article say it has some bugs.)