Configuring User Rights Policies

Configuring User Rights Policies

Chapter 8 covered built-in capabilities and user rights. Although you can't change built-in capabilities for accounts, you can administer user rights for accounts. Normally, you apply user rights to users by making them members of the appropriate group or groups. You can also apply rights directly, and you do this by managing the user rights for the user's account.

You assign user rights through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, you can configure local policies and then import them into Active Directory. You can also configure these local policies as part of an existing group policy for a site, domain, or organizational unit. When you do this, the local policies apply to computer accounts in the site, domain, or organizational unit.

To administer user rights policies, complete the following steps:

1. Access the group policy container you want to work with, and then access the Local Policies node by working your way down the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and then Local Policies.

2. Expand User Rights Assignment and you can now manage user rights. To configure user rights assignment, double-click a user right or right-click it and select Security. This opens a Properties dialog box.

3. You can now configure the user rights as described in Steps 1 “4 of the section of this chapter entitled "Configuring User Rights Locally" or Steps 1 “6 of the following section, "Configuring User Rights Globally."

Configuring User Rights Globally

For a site, domain, or organizational unit, you configure individual user rights by completing the following steps:

1. Open the Properties dialog box for the user right, which will be similar to the one shown in Figure 9-5. If the policy isn't defined, select Define These Policy Settings.

   Figure 9-5. Use the Properties dialog box to define the user right and then apply the right to users and groups.

   

2. To apply the right to a user or group, click Add User Or Group. Then, in the Add User Or Group dialog box, click Browse. This opens the Select Users, Computers, Or Groups dialog box shown in Figure 9-6.

   Figure 9-6. Use the Select Users, Computers, Or Groups dialog box to apply the user right to users and groups.

   

3. Type the name of the user or group you want to use in the field provided and then click Check Names . By default, the search is configured to find built-in security principals and user accounts. To add groups to the search, click Object Types in the list box, select Groups and then click OK.

4. After you select the account names or groups to add, click OK. The Add User Or Group dialog box should now show the selected accounts. Click OK again.

5. The Properties dialog box is updated to reflect your selections. If you made a mistake, select a name and remove it by clicking Remove.

6. When you're finished granting the right to users and groups, click OK.

Configuring User Rights Locally

For local computers, you apply user rights by completing the following steps:

1. Open the Properties dialog box for the user right, which will be similar to the one shown in Figure 9-7.

2. Remember that site, domain, and organizational unit policies have precedence over local policies.

3. The Properties dialog box shows current users and groups that have been given a user right. To remove the user right, select a user or group and click Remove.

4. You can apply the user right to additional users and groups by clicking Add User or Group. This opens the Select Users, Computers, Or Groups dialog box shown previously in Figure 9-6. You can now add users and groups.

   Figure 9-7. Use the Properties dialog box to define the user right and then apply the right to users and groups.