In addition to permissions, Windows Small Business Server includes assignable rights, which are of two types: privileges and logon rights. Privileges include such things as the ability to run security audits or force shutdown from a remote system—obviously not things that are handled by most users. Logon rights are self-explanatory; they involve the ability to connect to a computer in specific ways. Rights are automatically assigned to the built-in groups in Windows Small Business Server, although they can be assigned to individual users as well as groups. Whenever possible, you should assign rights by group membership to keep administration simple. When membership in groups defines rights, rights can be removed from a user by simply removing the user from the group. Tables 10-6 and 10-7 list the most-used logon rights and privileges and the groups to which they are assigned by default.

| Name | Description | Groups Assigned the Right by Default |
|---|---|---|
| Access Windows Small Business Server from the network | Permits connection to the computer through the network | Administrators, Domain Power Users, Everyone. |
| Log on as a service | Allows logging on as a service using a specific user account and security context | None. |
| Log on to Windows Small Business Server locally | Permits logon at the computer's keyboard | Administrators, Account Operators, Backup Operators, Print Operators, Server Operators. |
| Allow Logon through Terminal Services | Permits logon as a Terminal Services client | Administrators on Domain Controllers. Administrators and Remote Desktop Users on workstations and stand-alone servers. |

| Privilege | Description | Groups Assigned the Privilege by Default |
|---|---|---|
| Act as part of the operating system | Allows a process to authenticate as any user. A process that requires this privilege should use the LocalSystem account, which already includes this privilege. | None. |
| Add workstations to domain | Allows a user to add new workstations to an existing domain. | Authenticated Users on domain controllers. |
| Backup files and directories | Allows backing up the system; overrides specific file and folder permissions. | Administrators, Backup Operators. |
| Change the system time | Allows the setting of the computer's internal clock. | Administrators and Server Operators on domain controllers. Administrators, Domain Power Users on workstations and stand-alone servers. |
| Force shutdown from a remote system | Allows the shutdown of a computer from a remote location on the network. | Administrators and Server Operators on domain controllers. Administrators on workstations and stand-alone servers. |
| Generate security audits | Sets which accounts can use a process to make entries in a security log. | None. |
| Increase scheduling priority | Allows the use of Task Manager to change the scheduling priority of a process. | Administrators. |
| Lock pages in memory | Allows a process to keep data in physical memory. This is an obsolete privilege that can have a seriously negative effect on system performance. Avoid assigning it. | None. |
| Restore files and directories | Allows restoring files and folders to a system; overrules specific file and folder permissions. | Administrators, Backup Operators, and Server Operators on domain controllers. Administrators and Backup Operators on workstations and stand-alone servers. |
| Take ownership of files or other objects | Allows a user to take ownership of any security object including files and folders, printers, registry keys, and processes. Overrules specified permissions. | Administrators. |

Caution: Privileges can sometimes override permission settings. For example, a user can create a file and set permissions that deny access to all users, but members of the Backup Operators group can still access the file and back it up, and Administrators (as we saw earlier in this chapter) can take ownership of the file.
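Because group membership is what grants these rights, the practical check is to compare who actually holds each right on a server against the defaults in the tables above, especially the entries whose default is "None". The following PowerShell script is an added example written for this section, not code from the book: it exports the local User Rights Assignment with `secedit.exe` (which requires an elevated session), resolves the stored SIDs to account names, and flags any right that the tables list as unassigned by default but that currently has holders. The `Se*` constant names are the internal names under which Windows stores these rights in the policy database; the mapping from the tables' display names to those constants is an assumption made here and is not part of the original text.

```powershell
# Added example (not from the book): audit the local User Rights Assignment
# against the defaults listed in the logon-rights and privileges tables.
# Run from an elevated PowerShell session; secedit.exe reads the local policy.

# Display name used in the tables -> internal constant name (assumed mapping).
$rightsToCheck = @{
    'Access this computer from the network'    = 'SeNetworkLogonRight'
    'Log on as a service'                      = 'SeServiceLogonRight'
    'Log on locally'                           = 'SeInteractiveLogonRight'
    'Allow logon through Terminal Services'    = 'SeRemoteInteractiveLogonRight'
    'Act as part of the operating system'      = 'SeTcbPrivilege'
    'Add workstations to domain'               = 'SeMachineAccountPrivilege'
    'Backup files and directories'             = 'SeBackupPrivilege'
    'Change the system time'                   = 'SeSystemtimePrivilege'
    'Force shutdown from a remote system'      = 'SeRemoteShutdownPrivilege'
    'Generate security audits'                 = 'SeAuditPrivilege'
    'Increase scheduling priority'             = 'SeIncreaseBasePriorityPrivilege'
    'Lock pages in memory'                     = 'SeLockMemoryPrivilege'
    'Restore files and directories'            = 'SeRestorePrivilege'
    'Take ownership of files or other objects' = 'SeTakeOwnershipPrivilege'
}

# Rights the tables list as assigned to "None" by default; any holder deserves a look.
$expectNone = 'SeServiceLogonRight', 'SeTcbPrivilege', 'SeAuditPrivilege', 'SeLockMemoryPrivilege'

function Get-UserRightsAssignment {
    # Export only the USER_RIGHTS area of the local policy to a temporary INF file.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) {
        throw 'secedit export failed; run this from an elevated prompt.'
    }

    $assignments = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        # Only the [Privilege Rights] section holds the right-to-principal lines.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }

        $constant = $Matches[1]
        $principals = foreach ($token in ($Matches[2] -split ',')) {
            $token = $token.Trim()
            if (-not $token) { continue }
            if ($token.StartsWith('*')) {
                # Entries are stored as SIDs prefixed with '*'; translate to account names
                # and fall back to the raw SID for accounts that no longer resolve.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($token.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            } else {
                $token   # already a plain account name
            }
        }
        $assignments[$constant] = @($principals)
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $assignments
}

$current = Get-UserRightsAssignment
foreach ($entry in ($rightsToCheck.GetEnumerator() | Sort-Object Name)) {
    $holders = @($current[$entry.Value])
    $shown   = if ($holders.Count -gt 0) { $holders -join ', ' } else { '(none)' }
    $flag    = if (($expectNone -contains $entry.Value) -and $holders.Count -gt 0) { '  <-- default is None' } else { '' }
    '{0,-42} {1}{2}' -f $entry.Key, $shown, $flag
}
```

The output lists each right from the tables with its current holders; compare the holders against the "Groups Assigned ... by Default" column for the machine's role (domain controller versus workstation or stand-alone server), and treat any individual user account appearing where only a built-in group is expected as a candidate for moving that user into the appropriate group instead.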