When you set up a user account, you can grant the user specific capabilities. You generally assign these capabilities by making the user a member of one or more groups, thus giving the user the capabilities of those groups. You then assign additional capabilities by making the user a member of other appropriate groups, and you withdraw capabilities by removing group membership. In Windows Server 2003, you can assign the following types of capabilities to an account:

- Privileges: A type of user right that grants permission to perform specific administrative tasks. You can assign privileges to both user and group accounts. An example of a privilege is the ability to shut down the system.
- Logon rights: A type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. An example of a logon right is the ability to log on locally.
- Built-in capabilities: A type of user right that is assigned to groups and includes the group's automatic capabilities. Built-in capabilities are predefined and unchangeable, but they can be delegated to users with permission to manage objects, organizational units, or other containers. An example of a built-in capability is the ability to create, delete, and manage user accounts. This capability is assigned to administrators and account operators. Thus, if a user is a member of the Administrators group, the user can create, delete, and manage user accounts.
- Access permissions: A type of user right that defines the operations that can be performed on network resources. You can assign access permissions to users, computers, and groups. An example of an access permission is the ability to create a file in a directory. Access permissions are discussed in Chapter 13.

As an administrator, you'll be dealing with account capabilities every day. To help track built-in capabilities, refer to the following sections. Keep in mind that although you can't change a group's built-in capabilities, you can change a group's default rights. For example, an administrator could revoke network access to a computer by removing a group's right to access the computer from the network.

Privileges

A privilege is a type of user right that grants permission to perform a specific administrative task. You assign privileges through group policies, which can be applied to individual computers, organizational units, and domains. Although you can assign privileges to both users and groups, you'll usually want to assign privileges to groups. In this way, users are automatically assigned the appropriate privileges when they become members of a group. Assigning privileges to groups also makes it easier to manage user accounts. Table 8-3 provides a brief summary of each of the privileges that you can assign to users and groups. To learn how to assign privileges, see Chapter 9.

Table 8-3. Windows Server 2003 Privileges for Users and Groups

| Privilege | Description |
|---|---|
| Act As Part Of The Operating System | Allows a process to authenticate as any user and gain access to resources as any user. Processes that require this privilege should use the LocalSystem account, which already has this privilege. |
| Add Workstations To Domain | Allows users to add computers to the domain. |
| Adjust Memory Quotas For A Process | Allows users to adjust process-based memory usage quotas. |
| Back Up Files And Directories | Allows users to back up the system regardless of the permissions set on files and directories. |
| Bypass Traverse Checking | Allows users to pass through directories while navigating an object path regardless of permissions set on the directories. The privilege doesn't allow the user to list directory contents. |
| Change The System Time | Allows users to set the time for the system clock. |
| Create A Pagefile | Allows users to create and change the paging file size for virtual memory. |
| Create A Token Object | Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege should use the LocalSystem account, which already has this privilege. |
| Create Permanent Shared Objects | Allows processes to create directory objects in the Windows 2000, Windows XP Professional, or Windows Server 2003 object manager. Most components already have this privilege, and it's not necessary to specifically assign it. |
| Debug Programs | Allows users to perform debugging. |
| Enable User And Computer Accounts To Be Trusted For Delegation | Allows users and computers to change or apply the trusted-for-delegation setting, provided they have write access to the object. |
| Force Shutdown Of A Remote System | Allows users to shut down a computer from a remote location on the network. |
| Generate Security Audits | Allows processes to make security log entries for auditing object access. |
| Impersonate A Client After Authentication | Allows Web applications to act as clients during processing of requests. Services and users can also act as clients. |
| Increase Scheduling Priority | Allows processes to increase the scheduling priority assigned to another process, provided they have write access to the process. |
| Load And Unload Device Drivers | Allows users to install and uninstall Plug and Play device drivers. This doesn't affect device drivers that aren't Plug and Play, which can only be installed by administrators. |
| Lock Pages In Memory | Allows processes to keep data in physical memory, preventing the system from paging data to virtual memory on disk. |
| Manage Auditing And Security Log | Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first. |
| Modify Firmware Environment Values | Allows users and processes to modify system environment variables. |
| Perform Volume Maintenance Tasks | Allows administration of removable storage, disk defragmenter, and disk management. |
| Profile A Single Process | Allows users to monitor the performance of nonsystem processes. |
| Profile System Performance | Allows users to monitor the performance of system processes. |
| Remove Computer From Docking Station | Allows undocking a laptop and removing it from the network. |
| Replace A Process Level Token | Allows processes to replace the default token for subprocesses. |
| Restore Files And Directories | Allows users to restore backed-up files and directories, regardless of the permissions set on files and directories. |
| Shut Down The System | Allows users to shut down the local computer. |
| Synchronize Directory Service Data | Allows users to synchronize directory service data on domain controllers. |
| Take Ownership Of Files Or Other Objects | Allows users to take ownership of any Active Directory objects. |

Logon Rights

A logon right is a type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. As with privileges, you assign logon rights through group policies, and you'll usually want to assign logon rights to groups rather than to individual users. Table 8-4 provides a brief summary of each of the logon rights that you can assign to users and groups. To learn how to assign logon rights, see Chapter 9.

Table 8-4. Windows Server 2003 Logon Rights for Users and Groups

| Logon Right | Description |
|---|---|
| Access This Computer From The Network | Grants remote access to the computer. |
| Allow Logon Locally | Grants permission to log on at the computer's keyboard. On servers, this right is restricted by default and only members of these groups can log on locally: Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators. |
| Allow Logon Through Terminal Services | Grants access through Terminal Services; necessary for remote assistance and remote desktop. |
| Deny Access To This Computer From The Network | Denies remote access to the computer through network services. |
| Deny Logon As Batch Job | Denies the right to log on through a batch job or script. |
| Deny Logon As Service | Denies the right to log on as a service. |
| Deny Logon Locally | Denies the right to log on at the computer's keyboard. |
| Deny Logon Through Terminal Services | Denies the right to log on through Terminal Services. |
| Log On As A Batch Job | Grants permission to log on as a batch job or script. |
| Log On As A Service | Grants permission to log on as a service. The LocalSystem account has this right. A service that runs under a separate account should be assigned this right. |

Built-In Capabilities for Groups in Active Directory

The built-in capabilities for groups in Active Directory are fairly extensive. The tables that follow summarize the most common capabilities that are assigned by default. Table 8-5 shows the default user rights for groups in Active Directory domains. This includes both privileges and logon rights. Note that any action that's available to the Everyone group is available to all groups, including the Guests group. This means that although the Guests group doesn't have explicit permission to access the computer from the network, a member of the Guests group can still access the system because the Everyone group has this right.

Table 8-5. Default User Rights for Groups in Active Directory

| User Right | Groups Assigned |
|---|---|
| Access This Computer From The Network | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, IWAM_host, IUSR_host, Pre-Windows 2000 Compatible Access |
| Add Workstations To Domain | Authenticated Users |
| Adjust Memory Quotas For A Process | Administrators, IWAM_host, Local Service, Network Service |
| Allow Logon Locally | Account Operators, Administrators, Backup Operators, IUSR_host, Print Operators, Server Operators |
| Back Up Files And Directories | Administrators, Server Operators, Backup Operators |
| Bypass Traverse Checking | Everyone, Authenticated Users, Administrators, Pre-Windows 2000 Compatible Access |
| Change The System Time | Administrators, Server Operators |
| Create A Pagefile | Administrators |
| Debug Programs | Administrators |
| Deny Access To This Computer From The Network | Support |
| Deny Logon Locally | Support |
| Enable Computer And User Accounts To Be Trusted For Delegation | Administrators |
| Force Shutdown From A Remote System | Administrators, Server Operators |
| Generate Security Audits | Local Service, Network Service |
| Increase Quotas | Administrators |
| Increase Scheduling Priority | Administrators |
| Load And Unload Device Drivers | Administrators, Print Operators |
| Log On As Batch Job | Administrator, IUSR_host, IWAM_host, Support, Local Service, IIS_WPG |
| Log On As A Service | Network Service |
| Manage Auditing And Security Log | Administrators |
| Modify Firmware Environment Variables | Administrators |
| Profile Single Process | Administrators |
| Profile System Performance | Administrators |
| Remove Computer From Docking Station | Administrators |
| Replace A Process Level Token | IWAM_host, Local Service, Network Service |
| Restore Files And Directories | Administrators, Backup Operators, Server Operators |
| Shut Down The System | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators |
| Take Ownership Of Files Or Other Objects | Administrators |

Table 8-6 shows the default user rights for local groups on member servers. Again, this includes both privileges and logon rights. Note that on these systems Power Users have privileges that normal users don't.

Table 8-6. Default User Rights for Workgroups and Member Servers

| User Right | Groups Assigned |
|---|---|
| Adjust Memory Quotas For A Process | Administrators, Local Service, Network Service, IWAM_host |
| Allow Logon Through Terminal Services | Administrators, Remote Desktop Users |
| Back Up Files And Directories | Administrators, Backup Operators |
| Bypass Traverse Checking | Everyone, Administrators, Users, Power Users, Backup Operators |
| Change The System Time | Administrators, Power Users |
| Create A Pagefile | Administrators |
| Debug Programs | Administrators |
| Deny Access To The Computer From The Network | Support |
| Deny Logon Locally | Support |
| Deny Logon Through Terminal Services | ASPNET |
| Force Shutdown From A Remote System | Administrators |
| Generate Security Audits | Local Service, Network Service |
| Impersonate A Client After Authentication | Administrators, ASPNET, IIS_WPG, Service |
| Increase Scheduling Priority | Administrators |
| Load And Unload Device Drivers | Administrators |
| Log On As A Batch Job | ASPNET, IIS_WPG, IUSR_host, IWAM_host, Local Service |
| Log On As Service | ASPNET, Network Service |
| Log On Locally | IUSR_host, Administrators, Users, Power Users, Backup Operators |
| Manage Auditing And Security Log | Administrators |
| Modify Firmware Environment Variables | Administrators |
| Perform Volume Maintenance Tasks | Administrators |
| Profile Single Process | Administrators, Power Users |
| Profile System Performance | Administrators |
| Remove Computer From Docking Station | Administrators, Power Users |
| Replace A Process Level Token | Local Service, Network Service, IWAM_host |
| Restore Files And Directories | Administrators, Backup Operators |
| Shut Down The System | Administrators, Backup Operators, Power Users |
| Take Ownership Of Files Or Other Objects | Administrators |

Table 8-7 summarizes capabilities that you can delegate to other users and groups. As you study the table, note that restricted accounts include the Administrator user account, the user accounts of administrators, and the group accounts for Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Because these accounts are restricted, Account Operators can't create or modify them.

Table 8-7. Other Capabilities for Built-In and Local Groups

| Task | Description | Group Normally Assigned |
|---|---|---|
| Assign User Rights | Allows user to assign user rights to other users | Administrators |
| Create, Delete, And Manage User Accounts | Allows user to administer domain user accounts | Administrators, Account Operators |
| Modify The Membership Of A Group | Allows user to add and remove users from domain groups | Administrators, Account Operators |
| Create And Delete Groups | Allows user to create new groups and delete existing groups | Administrators, Account Operators |
| Reset Passwords On User Accounts | Allows user to reset passwords on user accounts | Administrators, Account Operators |
| Read All User Information | Allows user to view user account information | Administrators, Server Operators, Account Operators |
| Manage Group Policy Links | Allows user to apply existing group policies to sites, domains, and organizational units for which they have write access to the related objects | Administrators |
| Manage Printers | Allows user to modify printer settings and manage print queues | Administrators, Server Operators, Print Operators |
| Create And Delete Printers | Allows user to create and delete printers | Administrators, Server Operators, Print Operators |
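The defaults in Tables 8-3 and 8-6 are only useful if you compare them against what a server actually has. The following Python script is an added example, not from the book: it reads the [Privilege Rights] section of a security template in the format that `secedit /export /cfg` writes, maps the privilege constants back to the Table 8-3 names, and reports any holder of a high-impact privilege beyond the Table 8-6 member-server defaults. The SAMPLE_INF template and the CORP\svc-build account in it are constructed for the example.

```python
WELL_KNOWN_SIDS = {  # well-known SIDs for groups named in Tables 8-5 and 8-6
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users", "S-1-5-32-551": "Backup Operators",
}

# Privilege constant as secedit writes it -> (Table 8-3 name, Table 8-6 default
# holders on a member server). Each of these is equivalent to full control of
# the host, so any holder beyond the default deserves a ticket.
SENSITIVE = {
    "SeDebugPrivilege": ("Debug Programs", {"Administrators"}),
    "SeTcbPrivilege": ("Act As Part Of The Operating System", set()),
    "SeTakeOwnershipPrivilege": ("Take Ownership Of Files Or Other Objects", {"Administrators"}),
    "SeBackupPrivilege": ("Back Up Files And Directories", {"Administrators", "Backup Operators"}),
    "SeRestorePrivilege": ("Restore Files And Directories", {"Administrators", "Backup Operators"}),
    "SeLoadDriverPrivilege": ("Load And Unload Device Drivers", {"Administrators"}),
}

def parse_privilege_rights(inf_text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit prefixes SIDs with '*'; unresolved names appear bare
            holders = [WELL_KNOWN_SIDS.get(e[1:], e[1:]) if e.startswith("*") else e
                       for e in (x.strip() for x in value.split(",")) if e]
            rights[name.strip()] = holders
    return rights

def find_excess_holders(inf_text):
    """Map Table 8-3 names to holders beyond the default for SENSITIVE privileges."""
    findings = {}
    for priv, holders in parse_privilege_rights(inf_text).items():
        if priv in SENSITIVE:
            friendly, default = SENSITIVE[priv]
            extra = sorted(set(holders) - default)
            if extra:
                findings[friendly] = extra
    return findings

# Constructed sample in the shape of a secedit /export /cfg file (not a real export).
SAMPLE_INF = """[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544,CORP\\svc-build
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
"""
```

Running `find_excess_holders(SAMPLE_INF)` flags Power Users on Debug Programs and CORP\svc-build on Take Ownership, while the Backup Operators entries match the defaults and are ignored. secedit writes its export as Unicode text, so open a real file with `encoding="utf-16"` before passing its contents in.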