function GrantPrivilege(const Server, user, privilege: string; bRemove: boolean): DWORD;
var
  sid : PSID;
  strSID : PWideChar;
  sidSize, sidNameUse: DWORD;
  domainNameSize : DWORD;
  domainName : array[0..DNLEN] of char;
  attributes : TLsaObjectAttributes;
  policyHandle : LSA_HANDLE;
  lsaComputerName, rightsLsaUnicodeString: TLSAUnicodeStr;
  status : NTStatus;

begin
  result := 0;
  sidSize := 65536;
  GetMem(sid, sidSize);
  domainNameSize := DNLEN + 1;
  try
    if LookupAccountName(PChar(Server), PChar(user), sid, sidSize, domainName, domainNameSize, sidNameUse) then
    begin
      lsaComputerName := TLsaUnicodeStr.CreateFromStr(Server);
      try
        FillChar(attributes, SizeOf(attributes), 0);
        status := LsaOpenPolicy(lsaComputerName.value, attributes, POLICY_CREATE_ACCOUNT or POLICY_LOOKUP_NAMES, policyHandle);
        if status = STATUS_SUCCESS then
        try
          rightsLsaUnicodeString := TLsaUnicodeStr.CreateFromStr(privilege);
          try
            if bRemove then
              status := LsaRemoveAccountRights(PolicyHandle, sid, False, @rightsLsaUnicodeString.value, 1)
            else
              status := LsaAddAccountRights(PolicyHandle, sid, @rightsLsaUnicodeString.value, 1);

            if status <> STATUS_SUCCESS then
              result := (LsaNtStatusToWinError(status));
          finally
            rightsLsaUnicodeString.Free
          end
        finally
          LsaClose(PolicyHandle)
        end
      finally
        lsaComputerName.Free
      end
    end
  finally
    FreeMem(sid)
  end
end;

procedure TForm1.Button3Click(Sender: TObject);
var
  err: DWORD;
begin
  err := GrantPrivilege('hal9000', 'Benutzer', 'SeBackupPrivilege', False);
  if err <> 0 then
    ShowMessage(SysErrorMessage(err));
end;