This is proving hard to do.
I found the following in an old MCSD study guide (WMA I and WMA II – Prendergast):
The problem is that there is no one place to find the documentation needed to secure a Windows 2000 or above machine – especially when you include Active Directory.
This is especially fun when windows helpfully performs actions on your behalf silently.
This can cause deployment nightmares.
For example, when you use DCOMCNFG to specify the identity for a COM object and supply the password, it quietly grants that account the “Log on as a batch job” right. When Active Directory is in the mix, it notices that according to its information (the GPO) the account should not have that right and takes it away. This can cause an application to fail up to a day after it was deployed and tested. This gets really fun when the deployment engineer has since left the country.
I have also been looking for a means to determine which privileges are being requested.
Finally I have found it!
Under Local Security Settings | Local Policies | Audit Policy there is an option to “Audit privilege use”.
Between the settings of audit on success and audit on failure we now have enough tools to identify the use of privileges. This information is written to the Event Viewer, Security log (a point that is not clearly documented anywhere that I could find on the MSDN site).
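An added example, not part of the original post, that automates the steps above: it enables the privilege-use audit, shows who currently holds the “Log on as a batch job” right locally, and summarises the resulting Security log entries. It assumes an elevated PowerShell session on Windows Vista / Server 2008 or later, where these audits are events 4673 and 4674 (Windows 2000/2003 logged them as 577/578).

```powershell
# Added example (not from the original post). Assumes Windows Vista or later,
# where privilege-use audits land in the Security log as event IDs 4673/4674,
# and an elevated session so auditpol and secedit can run.

# 1. Turn on "Audit privilege use" for both success and failure; auditpol is the
#    command-line equivalent of the Local Security Settings checkbox.
auditpol /set /category:"Privilege Use" /success:enable /failure:enable | Out-Null

# 2. Show who holds "Log on as a batch job" (SeBatchLogonRight) on this machine
#    right now. A GPO will silently overwrite this list at the next policy refresh,
#    which is the failure mode described above.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$batchLine = Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1
Write-Host "Local SeBatchLogonRight holders: $($batchLine.Line)"
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Pull recent privilege-use events and list which account and process asked for
#    which privilege, and whether the request was granted or refused.
function Get-PrivilegeUse {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4673, 4674; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields are easiest to read from the event's XML rendering.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Outcome   = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process   = $d.ProcessName
            Privilege = $d.PrivilegeList
        }
    }
}

# Summarise by account, privilege and outcome; failures show a right the GPO removed.
Get-PrivilegeUse -Hours 24 |
    Group-Object User, Privilege, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A failed entry for the COM object's identity against the right it needs is the signature of the GPO having taken the locally granted right back.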