Create a token object

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description

Determines which accounts processes can use to create an access token, by calling NtCreateToken() or another token-creation API. A token created this way can then be used to gain access to any local resource.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
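
To check this recommendation on a given machine, the following added example (not part of the original page) exports the local user rights with secedit and lists every account explicitly assigned this right, whose privilege constant is SeCreateTokenPrivilege. The function name Get-CreateTokenAssignment and the sample SID are constructed for illustration.

```powershell
# Added example: list accounts explicitly assigned "Create a token object"
# (SeCreateTokenPrivilege). Run from an elevated PowerShell session.
function Get-CreateTokenAssignment {
    param(
        # Lines of a secedit export; when omitted, the local policy is exported.
        [string[]]$PolicyLines
    )
    if (-not $PolicyLines) {
        $tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        try {
            secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
            $PolicyLines = Get-Content -Path $tmp
        } finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }
    # The export contains a line for a right only when an account holds it:
    #   SeCreateTokenPrivilege = *S-1-5-21-...,SomeAccount
    $line = $PolicyLines |
        Where-Object { $_ -match '^\s*SeCreateTokenPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $name = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; try to resolve them to a name.
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = "(unresolved) $sid"
            }
        }
        [pscustomobject]@{ Right = 'SeCreateTokenPrivilege'; Entry = $entry; Account = $name }
    }
}

# Constructed sample input (placeholder SID), so the parser can be tried offline.
$sample = @(
    '[Privilege Rights]',
    'SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-CreateTokenAssignment -PolicyLines $sample

# Audit the local machine's effective policy.
Get-CreateTokenAssignment
```

An empty result means no account has been explicitly assigned the right; any account that is returned is a candidate for moving the process to LocalSystem, as recommended above.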