Appendix B: User Rights


User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system-wide resources on a computer and can override the permissions that are set on particular objects.

Logon Rights

Logon rights control how security principals are allowed access to the computer, whether from the keyboard, through a network connection, as a service, or as a batch job. For each logon method there exists a pair of logon rights: one to allow logging on to the computer and another to deny logging on to the computer. Use a deny logon right as you would use a deny permission: to exclude a subset of a group that has been assigned an allow logon right. For example, suppose that Alice wants all users except the members of the domain Marketing group to be able to log on locally at her computer's keyboard. With this in mind, Alice creates a local group, which she names LocalLogonDenied. Then she configures her computer as follows:

  1. She assigns the log on locally user right to the Users group.

  2. She assigns the deny local logon user right to the LocalLogonDenied group.

  3. She makes the Marketing group a member of the LocalLogonDenied group.

Deny rights take precedence over allow rights, so members of the Marketing group are denied the right to log on locally even though they are also members of the Users group, which is allowed to log on locally.

Warning 

The rule to keep in mind is: Allow a set, and then deny a subset. Reversing the order can be disastrous. For example, Alice might want to allow no one but herself to log on locally. If she allowed herself the right to log on locally and denied the Users group the right to log on locally, she would be unpleasantly surprised to find that she had locked herself out of the computer. Alice, after all, is a member of the Users group, so the deny right she assigned to the Users group would take precedence over the allow right she assigned to herself.
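The following PowerShell script is an added example, not code from the Resource Kit. It carries out Alice's three steps with the built-in net.exe and secedit.exe tools and adds the check the Warning calls for: before assigning the deny right, it confirms that the current user's own logon token does not carry the group about to be denied. CONTOSO\Marketing is a placeholder for the real domain group; the local group name LocalLogonDenied comes from the text. It must run in an elevated session on the workstation being configured.

```powershell
# Added example (not from the Resource Kit): Alice's "allow a set, deny a subset"
# configuration, with a lockout guard derived from the Warning.
# Assumptions: elevated PowerShell; CONTOSO\Marketing is a placeholder for the
# domain Marketing group.
$DenyGroup   = 'LocalLogonDenied'
$DomainGroup = 'CONTOSO\Marketing'   # placeholder for the domain group to exclude

function Get-AccountSid([string]$Account) {
    # secedit's INF format refers to principals as *S-1-..., so resolve names to SIDs.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-TokenHasSid([string]$Sid) {
    # True when the current user's logon token includes this group SID.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($me.Groups | ForEach-Object { $_.Value }) -contains $Sid
}

# Guard from the Warning: deny beats allow, so never deny a group you belong to.
$marketingSid = Get-AccountSid $DomainGroup
if (Test-TokenHasSid $marketingSid) {
    throw "The current user is a member of $DomainGroup; denying it would lock you out."
}

# Step 3 (done first so the group SID exists): create LocalLogonDenied and nest
# the domain group inside it.
& net localgroup $DenyGroup /add /comment:"Denied the Log on locally right" | Out-Null
& net localgroup $DenyGroup $DomainGroup /add | Out-Null
$denySid = Get-AccountSid "$env:COMPUTERNAME\$DenyGroup"

# Steps 1 and 2: secedit replaces the entire assignment of each right it lists,
# so the allow line must name every principal that should keep the right.
# Users (S-1-5-32-545) is the set Alice allows; Administrators (S-1-5-32-544)
# is kept so an administrator can still undo the change at the console.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *$denySid
"@

$infPath = Join-Path $env:TEMP 'logon-policy.inf'
$dbPath  = Join-Path $env:TEMP 'logon-policy.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode   # secedit expects UTF-16
& secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
```

The guard only inspects the token of the account running the script; a different administrator who is in Marketing would still be excluded, which is the intended effect. Because secedit overwrites the whole principal list for each right named in the INF, omitting Administrators from the SeInteractiveLogonRight line would reproduce the lockout the Warning describes from the allow side rather than the deny side.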

Logon rights are described in Table B-1. The display names for logon rights are followed by the string constant (in parentheses). Many command-line tools refer to rights by string constant rather than by display name. The default settings are taken from the Windows XP Professional Local Computer policy.

Table B-1: Logon Rights

Right: Access this computer from the network (SeNetworkLogonRight)
Description: Allows a user to connect to the computer from the network.
Default setting: Administrators, Power Users, Users, Everyone, and Backup Operators.

Right: Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)
Description: Allows a user to log on to the computer by using a Remote Desktop connection.
Default setting: Administrators and Remote Desktop Users.

Right: Log on as a batch job (SeBatchLogonRight)
Description: Allows a user to log on by using a batch-queue facility such as the Task Scheduler service.
Default setting: Administrator, System, and Support_xxxxxxxx.
When an administrator uses the Add Scheduled Task wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the Log on as a batch job right. When the scheduled time arrives, the Task Scheduler service logs the user on as a batch job rather than as an interactive user, and the task runs in the user's security context. The Support_xxxxxxxx account is the logon account for Remote Assistance.

Right: Log on locally (SeInteractiveLogonRight)
Description: Allows a user to start an interactive session on the computer.
Default setting: Administrators, Power Users, Users, Guest, and Backup Operators.
Users who do not have this right can still start a remote interactive session on the computer if they have the Allow logon through Terminal Services right.

Right: Log on as a service (SeServiceLogonRight)
Description: Allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned this right.
Default setting: Network Service.

Right: Deny access to this computer from the network (SeDenyNetworkLogonRight)
Description: Prohibits a user from connecting to the computer from the network.
Default setting: The Support_xxxxxxxx account used by Remote Assistance is denied this right.

Right: Deny logon locally (SeDenyInteractiveLogonRight)
Description: Prohibits a user from logging on directly at the keyboard.
Default setting: Guest.

Right: Deny logon as a batch job (SeDenyBatchLogonRight)
Description: Prohibits a user from logging on by using a batch-queue facility.
Default setting: Not assigned.

Right: Deny logon as a service (SeDenyServiceLogonRight)
Description: Prohibits a user from logging on as a service.
Default setting: Not assigned.

Right: Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)
Description: Prohibits a user from logging on to the computer by using a Remote Desktop connection.
Default setting: Not assigned.
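Because each allow right in Table B-1 has a deny counterpart and the deny side always wins, the assignments are worth auditing together. The script below is an added example, not from the Resource Kit: it exports the local policy with the built-in secedit.exe, parses the [Privilege Rights] section, translates the SIDs it finds back to account names, and for each of the five pairs reports any principal that holds both the allow and the deny right (and is therefore effectively denied). It assumes an elevated PowerShell session and uses only the string constants given in the table.

```powershell
# Added example (not from the Resource Kit): audit the Table B-1 logon rights on
# the local computer and flag principals that are denied despite an allow right.
# Assumes an elevated PowerShell session; secedit.exe is part of Windows.
$exportPath = Join-Path $env:TEMP 'logon-rights.inf'
& secedit /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# Allow right -> matching deny right, exactly as paired in Table B-1.
$pairs = @{
    'SeNetworkLogonRight'           = 'SeDenyNetworkLogonRight'
    'SeRemoteInteractiveLogonRight' = 'SeDenyRemoteInteractiveLogonRight'
    'SeBatchLogonRight'             = 'SeDenyBatchLogonRight'
    'SeInteractiveLogonRight'       = 'SeDenyInteractiveLogonRight'
    'SeServiceLogonRight'           = 'SeDenyServiceLogonRight'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs with a leading '*'; translate them to names when possible.
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sidText }   # orphaned SID (deleted account): report it as-is
}

function Read-PrivilegeRights([string]$Path) {
    # Parse "[Privilege Rights]" lines of the form  SeXxx = *S-1-5-32-545,*S-1-5-...
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]; $raw = $Matches[2]
        $rights[$name] = @($raw -split ',' | ForEach-Object { $_.Trim() } |
                           Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
    }
    $rights
}

$rights = Read-PrivilegeRights $exportPath

function Get-Holders([string]$Right) {
    # Rights that secedit omits from the export are unassigned.
    if ($rights.ContainsKey($Right)) { @($rights[$Right]) } else { @() }
}

$report = foreach ($allow in ($pairs.Keys | Sort-Object)) {
    $deny    = $pairs[$allow]
    $allowed = @(Get-Holders $allow)
    $denied  = @(Get-Holders $deny)
    # Deny takes precedence, so anyone listed on both sides is effectively denied.
    $overlap = @($allowed | Where-Object { $denied -contains $_ })
    New-Object PSObject -Property @{
        Right             = $allow
        Allowed           = ($allowed -join ', ')
        Denied            = ($denied -join ', ')
        EffectivelyDenied = ($overlap -join ', ')
    }
}
$report | Format-Table Right, Allowed, Denied, EffectivelyDenied -AutoSize
```

The overlap check compares principal names only; it does not expand group membership, so the lockout in the Warning (Alice inside Users, with Users denied) shows up as Users on both sides only if Users itself was also allowed. To catch nested cases, extend Get-Holders to expand local and domain group members before comparing.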




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338