Privileges and Logon Rights

 < Day Day Up > 



In addition to permissions, Windows Small Business Server includes assignable rights, which are of two types: privileges and logon rights. Privileges include such things as the ability to run security audits or force shutdown from a remote system—obviously not things that are handled by most users. Logon rights are self-explanatory; they involve the ability to connect to a computer in specific ways. Rights are automatically assigned to the built-in groups in Windows Small Business Server, although they can be assigned to individual users as well as groups. Whenever possible, you should assign rights by group membership to keep administration simple. When membership in groups defines rights, rights can be removed from a user by simply removing the user from the group. Tables 10-6 and 10-7 list the most-used logon rights and privileges and the groups to which they are assigned by default.

Table 10-6: Logon rights assigned to groups by default

Name

Description

Groups Assigned the Right by Default

Access Windows Small Business Server from the network

Permits connection to the computer through the network

Administrators, Domain Power Users, Everyone.

Log on as a service

Allows logging on as a service using a specific user account and security context

None.

Log on to Windows Small Business Server locally

Permits logon at the computer’s keyboard

Administrators, Account Operators, Backup Operators, Print Operators, Server Operators.

Allow Logon through Terminal Services

Permits logon as a Terminal Services client

Administrators on Domain Controllers. Administrators and Remote Desktop Users on workstations and stand-alone servers.

Table 10-7: Privileges assigned to groups by default

Privilege

Description

Groups Assigned the Privilege by Default

Act as part of the operating system

Allows a process to authenticate as any user. A process that requires this privilege should use the LocalSystem account, which already includes this privilege.

None.

Add workstations to domain

Allows a user to add new workstations to an existing domain.

Authenticated Users on domain controllers.

Backup files and directories

Allows backing up the system; overrides specific file and folder permissions.

Administrators, Backup Operators.

Change the system time

Allows the setting of the computer’s internal clock.

Administrators and Service Operators on domain controllers. Administrators, Domain Power Users on workstations and stand-alone servers.

Force shutdown from a remote system

Allows the shutdown of a computer from a remote location on the network.

Administrators and Server Operators on domain controllers. Administrators on workstations and stand-alone servers.

Generate security audits

Sets which accounts can use a process to make entries in a security log.

None.

Increase scheduling priority

Allows the use of Task Manager to change the scheduling priority of a process.

Administrators.

Lock pages in memory

Allows a process to keep data in physical memory. This is an obsolete privilege that can have a seriously negative effect on system performance. Avoid assigning it.

None.

Restore files and directories

Allows restoring files and folders to a system; overrules specific file and folder permissions.

Administrators, Backup Operators, and Server Operators on domain controllers. Administrators and Backup Operators on workstations and stand-alone servers.

Take ownership of files or other objects

Allows a user to take ownership of any security object including files and folders, printers, registry keys, and processes. Overrules specified permissions.

Administrators.

Caution 

Privileges can sometimes override permission settings. For example, a user can create a file and set permissions that deny access to all users, but members of the Backup Operators group can still access the file and back it up, and Administrators (as we saw earlier in this chapter) can take ownership of the file.



 < Day Day Up > 



Microsoft Windows Small Business Server 2003 Administrator's Companion
Microsoft Windows Small Business Server 2003 Administrators Companion (Pro-Administrators Companion)
ISBN: 0735620202
EAN: 2147483647
Year: 2004
Pages: 224

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net