User rights

News

User rights

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.




User rights

If you've dealt with NT at all, you're already familiar with the concepts of user rights and extended rights. Windows 2000 redefines both of these terms and calls them logon rights and privileges, respectively. Overall, the rights in Windows 2000 are the same; they just have different names. Windows 2000 also offers a few more user rights than was previously available.

While permissions are designed to affect one or more objects, a user right is an authorization that lets a security principal perform an operation across an entire computer. As I just mentioned, user rights and extended rights in Windows 2000 come in two distinct flavors: logon rights and privileges. Logon rights allow you to control the authorizations that govern how your users and other security principals access a computer. Privileges allow you to control the authorizations that govern how users are allowed to manipulate system resources. The logon rights and privileges available in Windows 2000 are listed in Table 5.3.

User right Type Description
Access this computer from the network Logon right Determines which accounts can connect to the computer over the network.
Act as part of the OS Privilege Allows a process to authenticate as any user.
Add workstations to the domain Privilege Determines which accounts can add computers to the domain.
Back up files and directories Privilege Determines which accounts can back up folders and files.
Bypass traverse checking Privilege Determines which accounts can bypass folder traverse checking.
Change the system time Privilege Determines which accounts can change the computer's time.
Create a pagefile Privilege Determines which accounts can create or modify the pagefile settings of a computer.
Create a token object Privilege Determines which accounts can create a token object that can be used to gain access to any local resource or object.
Create permanent shared objects Privilege Determines which accounts can create a folder in the kernel's object manager.
Debug programs Privilege Determines which accounts can attach a debugger to any process.
Deny access to this computer from the network Logon right Determines which accounts cannot connect to the computer over the network.
Deny logon as batch job Logon right Determines which accounts cannot log on to the computer as a batch job.
Deny logon as service Privilege Determines which accounts cannot log on to the computer as a service account.
Deny logon locally Logon right Determines which accounts cannot log on to the computer from the console.
Enable computer and user accounts to be trusted for delegation Privilege Determines which accounts can set the Trusted for Delegation setting on user and computer accounts.
Force shutdown from a remote system Privilege Determines which accounts can shut down a computer from a remote location on the network.
Generate security audits Privilege Determines which accounts can add entries to the security log.
Increase quotas Privilege Determines which accounts can increase the operating quotas of a process.
Increase scheduling priority Privilege Determines which accounts can increase the scheduling priority of a thread.
Load and unload device drivers Privilege Determines which accounts can load and unload system device drivers.
Lock pages in memory Privilege Is obsolete and shouldn't be used.
Log on as a batch job Logon right Determines which accounts can log on to the computer as a batch job.
Log on as a service Logon right Determines which accounts can log on to the computer as a service account.
Log on locally Logon right Determines which accounts can log on to the computer from the console.
Manage auditing and security log Privilege Determines which accounts can configure object access auditing for resources and objects.
Modify firmware environment variables Privilege Determines which accounts can modify system-wide environment variables.<
Profile single process Privilege Determines which accounts can profile the execution of a single process.
Remove computer from docking station Privilege Determines which accounts can remove a laptop from a docking station.
Replace a process-level token Privilege Determines which accounts can replace the token of a sub-process.
Restore files and directories Privilege Determines which accounts can restore folders and files.
Shut down the system Privilege Determines which accounts can shut down the computer.
Synchronize directory service data Privilege Isn't implemented and shouldn't be used.
Take ownership of files or other objects Privilege Determines which accounts can take ownership of files or other objects without regard to object permissions.

Table 5.3: Logon rights and privileges in Windows 2000.

You use Group Policy to control both logon rights and privileges in your Windows 2000 environment. If you need to change the user rights of a local or standalone computer, you can use the local Group Policy Object (GPO); otherwise, use a domain-level GPO to affect sets of computers.

Click for the next excerpt in this series: Permissions vs. privileges


Click for the book excerpt series or get the full e-book.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy