Under the Local Policies node, there are three nodes: Audit Policy, User Rights Assignment, and Security Options. Audit Policy was explained in Chapter 12, "Auditing Resources and Events." In this lesson you learn how to use the Group Policy snap-in to assign user rights. Security options are covered in Lesson 3.
You can assign specific rights to groups or individual user accounts. To simplify administration of user rights, Microsoft recommends that you assign user rights only to groups and not individual user accounts. Each user right allows the members of the group or the individual users assigned the right to perform a specific action, such as backing up files or changing the system time. If a user is a member of more than one group, the user rights applied to that user are cumulative, so the user has all the user rights assigned to all the groups of which he or she is a member.
You can configure user rights on a computer running Windows XP Professional by using the Group Policy snap-in as follows:
The Select Group Policy Object dialog box appears, allowing you to point the MMC console containing Group Policy at the local computer or at a remote computer. The Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line check box allows you to configure the MMC so that you can decide which computer to use Group Policy on when you start the MMC.
The console displays the current groups and user accounts that have this user right assigned, as shown in Figure 13.4. To add groups or user accounts, click Add. To remove a group or user, select the group or user and click Remove.
Figure 13.4 The Group Policy snap-in displaying User Rights Assignment
There are two types of user rights: privileges and logon rights.
A privilege is a user right that allows the members of the group to which it is assigned to perform a specific task, usually one that affects an entire computer system rather than one object. Table 13.3 explains the privileges you can assign in Windows XP Professional.
Table 13.3 Privileges Available in Windows XP Professional
Privilege | Description |
---|---|
Act As Part Of The Operating System | Allows a process to authenticate like a user and thus gain access to the same resources as a user. Do not grant this privilege unless you are certain it is needed. Only low-level authentication services should require this privilege. Processes that require this privilege should use the LocalSystem account because it already has this privilege assigned. A separate user account with this privilege allows a user or process to build an access token, granting them more rights than they should have, and does not provide a primary identity for tracking events in the audit log. |
Add Workstations To Domain | Allows a user to add a computer to a domain. The user specifies the domain being added on the computer, and an object is created in the Computer container of Active Directory in that domain. For this privilege to be effective, it must be assigned as part of the default domain controller policy for the domain. |
Back Up Files And Directories | Allows a user to back up the system without being assigned permissions to access all files and folders on the system. By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group have this privilege. |
Bypass Traverse Checking | Allows a user to move through folders that he or she has no permission to access. This privilege does not allow the user to view the contents of a folder, just to move through the folder. By default, members of the Administrators, Backup Operators, Power Users, Users, and Everyone groups have this privilege on workstations and member servers. |
Change The System Time | Allows a user to set the time for the internal clock of the computer. By default, members of the Administrators and Power Users groups, as well as the LocalSystem and NetworkService accounts, have this privilege on workstations and member servers. By default, members of the Administrators and Server Operators groups, as well as the LocalSystem and NetworkService accounts, have this privilege on domain controllers. |
Create A Token Object | Allows a process to create a token that it can then use to access any local resource when the process uses a token-creating application programming interface (API). Microsoft recommends that processes requiring this privilege use the LocalSystem account because it already has this privilege. |
Create Permanent Shared Objects | Allows a process to create a directory object in the Windows object manager. This privilege is useful to kernel-mode components that plan to extend the Windows object namespace. Components that run in kernel mode already have this privilege, so it is not necessary for you to assign it to them. |
Create A Pagefile | Allows a user to create a pagefile and modify the size of existing pagefiles. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Debug Programs | Allows a user to attach a debugger on any process. This privilege provides powerful access to sensitive and critical system operating components. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Enable Computer And User Accounts To Be Trusted For | Allows the user to set the Trusted For Delegation setting on a user or computer object. A server process running on a computer that is trusted for delegation or run by a user who is trusted for delegation can access resources on another computer. Do not assign this privilege unless you understand that this privilege and the Trusted For Delegation setting can open your network to attacks from Trojan horse programs that impersonate incoming clients and use their credentials to access network resources. This privilege is not assigned to anyone on workstations or member servers. On domain controllers it is assigned by default to the members of the Administrators group. |
Force Shutdown From A Remote System | Allows a user to shut down a computer from a remote computer on the network. By default, members of the Administrators group have this privilege on workstations and member servers. By default, members of the Administrators and Server Operators groups have this privilege on domain controllers. |
Generate Security Audits | Allows a process to make entries in the security log for object access auditing. |
Adjust Memory Quotas For A Process | Allows a process to increase the processor quota assigned to another process. The process must have write access to the process for which it increases the processor quota. |
Increase Scheduling Priority | Allows a process to increase the execution priority of another process. The process must have write access to the process for which it increases the execution priority. Allows users to change the scheduling priority of a process through Task Manager. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Load And Unload Device Drivers | Allows a user to install and uninstall Plug and Play device drivers. Non-Plug and Play device drivers are not affected by this privilege. By default, only Administrators have this privilege. Exercise caution in granting this privilege. Device drivers run as trusted programs and only device drivers with correct digital signatures should be installed. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Lock Pages In Memory | Allows a process to lock data in physical memory and prevent Windows XP Professional from paging the data to virtual memory (a pagefile) on disk. This privilege is not assigned to anyone by default. Some system processes have this privilege. |
Manage Auditing And Security Log | Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log from the Event Viewer. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Modify Firmware Environment Values | Allows a user to use the System Properties program to modify system environment variables. Allows a process to use an API to modify the system environment variables. |
Perform Volume Maintenance Tasks | Allows users to run disk tools, such as Disk Cleanup or Disk Defragmenter. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Profile A Single Process | Allows a user to use performance-monitoring tools to monitor the performance of nonsystem processes. By default, on workstations and member servers, Administrators and Power Users have this privilege. On domain controllers, only Administrators have this privilege. |
Profile System Performance | Allows a user to use performance-monitoring tools to monitor the performance of system processes. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
Remove Computer From Docking Station | Allows a user to undock a portable computer. By default, members of the Administrators, Power Users, and Users groups have this privilege on workstations and member servers. |
Replace A Process-Level Token | Allows a parent process to replace the access token associated with a child process. |
Restore Files And Directories | Allows a user to restore backed up files and directories without being assigned the appropriate file and folder permissions, and allows a user to set any valid security principal as the owner of the object. By default, members of the Administrators and Backup Operators groups have this privilege on workstations, member servers, and domain controllers. On domain controllers, members of the Server Operators group also have this privilege. |
Shut Down The System | Allows a user to shut down the local computer. By default, members of the Administrators, Backup Operators, Power Users, and Users groups have this privilege on workstations. By default, members of the Administrators, Backup Operators, and Power Users groups have this privilege on member servers. By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups have this privilege on domain controllers. |
Synchronize Directory Service Data | Allows a process to provide directory service synchronization services. This privilege is relevant only on domain controllers. |
Take Ownership Of Files Or Other Objects | Allows a user to take ownership of objects in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. By default, members of the Administrators group have this privilege on workstations, member servers, and domain controllers. |
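The following sketch is an added example, not part of the original lesson. It reviews the `[Privilege Rights]` section of a `secedit /export` security template against a baseline for the most sensitive privileges in Table 13.3, and it computes the cumulative rights a user receives through group membership. The sample template, the `svc_legacy` account, and the function names are constructed for illustration; the empty baseline for the two token-related privileges is an assumption drawn from the table's advice not to grant them.

```python
import configparser

ADMINS, USERS, BACKUP_OPS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-551"

# Assumed workstation baseline, keyed by each privilege's constant name in the
# export. Group defaults follow Table 13.3; the two empty sets are an
# assumption based on its advice to use LocalSystem instead of granting them.
BASELINE = {
    "SeTcbPrivilege": set(),               # Act As Part Of The Operating System
    "SeCreateTokenPrivilege": set(),       # Create A Token Object
    "SeDebugPrivilege": {ADMINS},          # Debug Programs
    "SeLoadDriverPrivilege": {ADMINS},     # Load And Unload Device Drivers
    "SeTakeOwnershipPrivilege": {ADMINS},  # Take Ownership Of Files Or Other Objects
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},  # Back Up Files And Directories
}

# Constructed sample of an exported template (not taken from a real system).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = svc_legacy
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the Se* names
    cp.read_string(inf_text)
    # SIDs are written with a leading '*'; account names appear without it.
    return {name: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for name, value in cp.items("Privilege Rights")}

def excess_grants(rights, baseline=BASELINE):
    """Return {right: principals} held beyond what the baseline allows."""
    extra = {r: rights.get(r, set()) - ok for r, ok in baseline.items()}
    return {r: who for r, who in extra.items() if who}

def effective_rights(rights, sids):
    """User rights are cumulative: union over the user's own and group SIDs."""
    return {r for r, holders in rights.items() if holders & set(sids)}
```

A real template is produced with `secedit /export /areas USER_RIGHTS /cfg <file>` and is normally UTF-16 encoded, so decode it before passing the text to `parse_rights`.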
A logon right is a user right assigned to a group or an individual user account. Logon rights control the way users can log on to a system. Table 13.4 explains the logon rights you can assign in Windows XP Professional.
Table 13.4 Logon Rights Available in Windows XP Professional
Logon right | Description |
---|---|
Access This Computer From The Network | Allows a user to connect to the computer over the network. By default, members of the Administrators, Power Users, and Everyone groups are granted this logon right on workstations, member servers, and domain controllers. |
Deny Access To This Computer From The Network | Prevents a user from connecting to the computer over the network. By default, this right is not granted to anyone. |
Log On As A Batch Job | Allows a user to log on using a batch-queue facility. By default, members of the Administrators group are granted this logon right on workstations, member servers, and domain controllers. If Internet Information Services (IIS) is installed, the right is automatically assigned to the built-in account for anonymous access to IIS. |
Deny Logon As A Batch Job | Prevents a user from logging on using a batch-queue facility. By default, this right is not granted to anyone. |
Log On As A Service | Allows a security principal (an account holder such as a user, computer, or service) to log on as a service. Services can be configured to run under the LocalSystem, LocalService, or NetworkService accounts, which have the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone. |
Deny Logon As A Service | Prevents a security principal from logging on as a service. By default, this right is not granted to anyone. |
Log On Locally | Allows a user to log on at the computer's keyboard. By default, members of the Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators groups are granted this logon right. |
Deny Logon Locally | Prevents a user from logging on at the computer's keyboard. By default, this right is not granted to anyone. |
Allow Logon Through Terminal Services | Allows a user to log on using Terminal Services. By default, members of the Administrators and Remote Desktop Users groups are granted this logon right on workstations and member servers. On domain controllers, only Administrators are granted this logon right. |
Deny Logon Through Terminal Services | Prevents a user from logging on using Terminal Services. By default, this right is not granted to anyone. |
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."