Lesson 2: Managing User Rights
User rights control the security-sensitive operations that specific user accounts can perform on a computer. User rights differ from permissions: rather than applying to specific secured objects, they apply to functions that can be performed anywhere in the computer's operating system, such as shutting down the computer or logging on to the local console. It is the application of user rights that makes administrative accounts different from typical user accounts.
Understand the purpose of user rights
Manage user rights assignment
Assigning User Rights
User rights are managed the same way as other Group Policy settings: by determining the appropriate GPO for a site, domain, or OU, and changing the user rights assignment settings in that object. User rights assignments in a GPO apply to all computers within that Active Directory container. Figure 3-4 shows the user rights that are available under Local Policies in a GPO.
Figure 3-4. The user rights available in a Group Policy Object
User rights are assigned to user accounts and to group accounts, thereby allowing a user or group the ability to perform whatever function the user right allows on computers to which the GPO containing the user right setting applies.
Normally, user rights are applied to groups, and individual user accounts are made members of those groups to obtain the user right. However, specific user accounts frequently require the application of user rights to correctly run service software within that user account's security context. For example, a user account that is used as the security context for a backup service must have the user right to back up files and directories, and the user right to restore files and directories.
User rights take priority over permissions. Activities that permissions would disallow can be overridden by the application of user rights. For example, the owner of a file exercises a user right when changing the object's access control list (ACL), regardless of whether the permissions in that ACL grant the owner access to the file.
The default user rights assignments are appropriate for the vast majority of organizations. Modifying user rights assignments can have wide-ranging and negative impacts on the ability of users and services to operate. You should change them only when you have specific information about a vulnerability from either Microsoft or a trusted security vendor, and you should modify them only to configurations that have been verified to work correctly in a production environment. When you need to assign user rights to users, make the users a part of an existing group that has the appropriate rights assigned.
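Because a user right applies to every computer in the GPO's container, the check a practitioner wants after changing one is "who actually holds this right on a given machine now?" The following PowerShell script is an added example, not part of the training kit: it exports the computer's local security database with secedit (Group Policy has already written the domain's user rights assignments into it), parses the [Privilege Rights] section, resolves the SIDs, and compares the holders of the three rights used later in this lesson against an expected list. The domain NetBIOS name FABRIKAM, the group name Engineering Users and the baseline itself are assumptions; adjust them for your environment.

```powershell
# Added example, not part of the training kit: audit who holds selected user
# rights on this computer. Run from an elevated prompt.
# secedit exports the local security database, into which Group Policy has
# already written the user rights assigned through GPOs, as an INF file.
$inf = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $inf)) {
    throw "secedit export failed (exit code $LASTEXITCODE); run from an elevated prompt."
}

# Parse the [Privilege Rights] section. Each line looks like
#   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
# Entries starting with '*' are SIDs; anything else is an account name.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Resolve '*SID' entries to DOMAIN\Name so the report is readable.
function Resolve-Principal([string]$entry) {
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # deleted account or untrusted domain: report the raw SID
    }
}

# Expected holders of the three rights that the practice in this lesson expands.
# Assumption: the domain's NetBIOS name is FABRIKAM; adjust for your domain.
$baseline = @{
    'SeDebugPrivilege'                = @('BUILTIN\Administrators', 'FABRIKAM\Engineering Users')
    'SeProfileSingleProcessPrivilege' = @('BUILTIN\Administrators', 'FABRIKAM\Engineering Users')
    'SeSystemProfilePrivilege'        = @('BUILTIN\Administrators', 'FABRIKAM\Engineering Users')
}

foreach ($priv in $baseline.Keys) {
    $holders = @()
    if ($rights.ContainsKey($priv)) {
        $holders = @($rights[$priv] | ForEach-Object { Resolve-Principal $_ })
    }
    $unexpected = @($holders | Where-Object { $baseline[$priv] -notcontains $_ })
    $missing    = @($baseline[$priv] | Where-Object { $holders -notcontains $_ })
    if ($unexpected.Count -or $missing.Count) {
        Write-Warning ("{0}: unexpected [{1}] missing [{2}]" -f $priv, ($unexpected -join ', '), ($missing -join ', '))
    } else {
        Write-Host ("{0}: OK ({1})" -f $priv, ($holders -join ', '))
    }
}
```

An unexpected individual user account in the output is the condition the lesson warns against: rights should reach users through group membership, so a direct assignment is worth investigating. A missing Administrators entry usually means a GPO defined the right with only the new group listed, since defining a right in a GPO replaces the computer's previous holder list rather than adding to it.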
Practice: Modifying User Rights
Engineers at Fabrikam, Inc. frequently write drivers to control the devices that Fabrikam produces. For this reason, they must be able to test, debug, and profile the performance of their software on machines inside the domain. In this practice, you expand the engineers' user rights to allow these activities, which are normally restricted due to their potential for abuse.
To expand user rights for engineers
1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.
2. Right-click domain.fabrikam.com, and choose Properties. The domain.fabrikam.com Properties dialog box appears.
3. Click the Group Policy tab.
4. Double-click Domain Security Policy. The Group Policies management console appears with the Domain Security Policy GPO opened.
5. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and click User Rights Assignment to view the settings as shown in Figure 3-5.
Figure 3-5. Local policies settings
6. Double-click Debug Programs. The Security Policy Setting dialog box appears, as shown in Figure 3-6.
Figure 3-6. The Security Policy Setting dialog box
7. Select the Define These Policy Settings check box, and then click Add. The Add User Or Group dialog box appears.
8. Click Browse. The Select Users Or Groups dialog box appears with a list of domain users and groups.
9. Select Engineering Users from the domain.fabrikam.com list, and then click OK to close the Select Users Or Groups dialog box.
10. Click OK to close the Add User Or Group dialog box.
11. Click OK to close the Security Policy Setting dialog box.
12. Double-click Profile Single Process. The Security Policy Setting dialog box (Figure 3-6) appears.
13. Select the Define These Policy Settings check box, and then click Add. The Add User Or Group dialog box appears.
14. Click Browse. The Select Users Or Groups dialog box appears with a list of domain users and groups.
15. Select Engineering Users from the domain.fabrikam.com list, and then click OK to close the Select Users Or Groups dialog box.
16. Click OK to close the Add User Or Group dialog box.
17. Click OK to close the Security Policy Setting dialog box.
18. Double-click Profile System Performance. The Security Policy Setting dialog box (Figure 3-6) appears.
19. Select the Define These Policy Settings check box, and then click Add. The Add User Or Group dialog box appears.
20. Click Browse. The Select Users Or Groups dialog box appears.
21. Select Engineering Users from the domain.fabrikam.com list, and then click OK to close the Select Users Or Groups dialog box.
22. Click OK to close the Add User Or Group dialog box.
23. Click OK to close the Security Policy Setting dialog box.
The group policy settings you've just defined are now in effect.
24. Close the Group Policies management console.
25. Click OK to close the domain.fabrikam.com Properties dialog box.
26. Close the Active Directory Users And Computers management console.
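The three settings the practice defines through the dialog boxes correspond to three privilege names in a security template, the INF format that secedit and the Security Configuration And Analysis snap-in read. The template below is an added example, not part of the training kit; it is useful for comparing a computer's current rights against the intended result (secedit /analyze) or for reproducing the assignment on a machine outside the GPO's scope (secedit /configure). The domain NetBIOS name FABRIKAM is an assumption; *S-1-5-32-544 is the well-known SID for BUILTIN\Administrators.

```ini
; Added example, not part of the training kit: the user rights the practice
; assigns, as a security template for secedit.
; Assumption: the domain NetBIOS name is FABRIKAM and the group is
; "Engineering Users". Account names are resolved when the template is applied;
; SIDs are written with a leading '*'.
; Defining a right replaces the whole holder list, so Administrators are listed
; explicitly; leaving them out would remove the right from them.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,FABRIKAM\Engineering Users
SeProfileSingleProcessPrivilege = *S-1-5-32-544,FABRIKAM\Engineering Users
SeSystemProfilePrivilege = *S-1-5-32-544,FABRIKAM\Engineering Users
```

To compare a computer against the template without changing it, run secedit /analyze /db %TEMP%\userrights.sdb /cfg userrights.inf /log %TEMP%\userrights.log from an elevated prompt and review the log; to apply it locally, use secedit /configure with the same /db and /cfg arguments and /areas USER_RIGHTS. The same caveat applies as in the GPO dialog: the list you define is the complete list of holders.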
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
How are user rights managed?
At what level in the Active Directory are user rights applied?
What is the typical use of user rights?
How often do user rights need to be modified by administrators?
Lesson Summary
User rights grant security principals the ability to perform sensitive operations that affect the system as a whole, rather than permissions on specific secured objects within the system.
User rights are managed through GPOs linked to Active Directory containers. The computers inside these containers apply the user rights settings locally.
Rather than modifying user rights for a specific account, you make user accounts members of a group that has the right you want to assign. However, software applications and services frequently require specific rights to be assigned to the user account under whose security context they operate in order to perform their function.
User rights take priority over permissions and allow users to perform activities that their permissions would otherwise not allow.