Network security FAQ: Managing user rights

User rights management raises many questions in Windows networking environments. Check out this FAQ with Windows network security expert Wes Noonan and learn to manage user rights and access permissions in your network.

User rights management raises many questions in Windows networking environments. How do I manage the risks of over-privileged users? How do I grant access to resources in a multiple domain environment? Can I prevent domain admins from logging on to domain controllers? Our resident Windows networking security expert Wes Noonan provides answers to these questions in this FAQ.


Handling the dangers of network users with too many rights

Q: Some of my employees are seeking privileges that I feel compromise the integrity of my network. Could you share some best practices for network security so that I can prove how dangerous these privileges are?

A: Politics is probably the second most difficult thing to balance against security (the first being money). This is what I use as a measuring stick. If someone can't provide a valid *business* justification for the escalated privileges, I fight strongly against providing them. If a business application requires escalated privileges, I escalate the issue with that vendor to make it clear to them that requiring escalated privileges is against the corporate security policy, and that if they can't provide a workaround, we won't be buying or using their product. In today's environment, many software vendors have more restrictive access requirements that they can run under, but they do not always make them publicly known (you need to ask for them). If all else fails though, I then work under the basic premise of the most restrictive rights possible. So before I make a user a local administrator, I will check and see if they can do what they need to do as a power user. Before I make a user a power user, I will check to see if I can grant specific rights to the user (or, more practically, to a group the user is a member of), or specific rights to the appropriate registry keys or files.

The bottom line here though is that you are 100% correct in how you are approaching this issue, and unfortunately this is one of the more unpleasant aspects of security administration. Your best weapon is the ability to demonstrate how the users can perform all of their required business responsibilities at the lower privilege level. Good luck!!
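As an added example (not part of Wes's answer), the PowerShell below shows the bottom rung of that ladder: rather than adding a user to the local Administrators group, it records whether the user is currently an administrator, grants a group a specific right on the one registry key the application needs, and prints the resulting entries as evidence for the discussion. The group CORP\AppX-Users, the key HKLM:\SOFTWARE\AppX and the user CORP\jsmith are placeholder names, not anything from the original page.

```powershell
# Added example, not code from the original answer. CORP\AppX-Users,
# HKLM:\SOFTWARE\AppX and CORP\jsmith are placeholder names; replace them with
# the group, key and user in question. Run from an elevated PowerShell session
# on the host where the application runs (Get-LocalGroupMember needs
# Windows 10 / Server 2016 or later).
$Group   = 'CORP\AppX-Users'
$RegPath = 'HKLM:\SOFTWARE\AppX'
$User    = 'CORP\jsmith'

# 1. Evidence for the discussion: is the user currently a local administrator?
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $User) {
    Write-Warning "$User is a member of local Administrators; remove once the specific right below is confirmed to work."
}

# 2. Grant the group Full Control on the application key and its subkeys only.
#    ContainerInherit propagates the entry to subkeys; nothing outside the key
#    is touched, and the group gains no rights anywhere else on the system.
$acl  = Get-Acl -Path $RegPath
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Group,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $RegPath -AclObject $acl

# 3. Verify: list the access entries on the key that name the group, so the
#    change can be documented alongside a test of the user's task.
(Get-Acl -Path $RegPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
```

The same pattern applies to a file or folder with `FileSystemAccessRule` in place of `RegistryAccessRule`. Have the user test the application after a fresh logon; if it works with only this entry, that is the demonstration the answer recommends.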

View questions and answers from all of our Windows security experts here.

Preventing domain admins from logging onto domain controllers

Q: How can I prevent certain users who are domain administrators from logging onto domain controllers?

A: That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to log in to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can log in to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).

Now, assuming that this is not a domain admin, the ability to log on to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right-clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right-hand window, look for either "Log on locally" or "Allow log on locally" (it differs depending on which version of Windows you are using). Double-click on the policy, check the box next to "Define these policy settings:" and add/remove users from that list accordingly to define who will be allowed to log on locally. By default, the following accounts/groups can log on locally to domain controllers:

  1. Account Operators
  2. Administrators
  3. Backup Operators
  4. Print Operators
  5. Server Operators
  6. Corresponding Internet Users (IUSR_ )

As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.
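Before editing the policy, it is worth confirming what is actually in effect on the domain controller rather than what the GPO editor shows. The following PowerShell is an added example, not code from the original answer: it exports the effective user rights with `secedit`, resolves the entries behind "Allow log on locally" (stored under its internal name SeInteractiveLogonRight) to account names, and flags anything beyond the built-in groups the answer lists as defaults. The scratch path is an assumption; the well-known SIDs are the standard ones for those built-in groups.

```powershell
# Added example, not code from the original answer. Run in an elevated session
# on the domain controller; $ExportFile is a scratch path of your choosing.
$ExportFile = Join-Path $env:TEMP 'dc-user-rights.inf'

# Export the policy in effect on this machine (domain policy merged with
# local settings), restricted to the User Rights Assignment area.
secedit.exe /export /mergedpolicy /cfg $ExportFile /areas USER_RIGHTS /quiet | Out-Null

# "Allow log on locally" is written as SeInteractiveLogonRight = <list>, a
# comma-separated list in which SIDs are prefixed with '*' and names appear as-is.
$line    = Get-Content -Path $ExportFile | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
$entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Built-in groups the answer lists as the defaults, keyed by well-known SID.
$expected = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

foreach ($entry in $entries) {
    $sidText = $entry.TrimStart('*')
    $name    = $entry
    try {
        # Translate the SID to DOMAIN\Name; a deleted principal or a plain
        # name will throw, in which case the raw entry is kept.
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($sidText)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    $status = if ($expected.ContainsKey($sidText)) { 'default' } else { 'review' }
    [pscustomobject]@{ Principal = $name; Status = $status }
}
Remove-Item -Path $ExportFile -Force
```

Any entry marked "review" is a principal that was added on top of the defaults (or an IUSR_ account, which varies by host name) and is where an unwanted local logon right on a domain controller would show up. Re-run the check after `gpupdate /force` once the new GPO is linked to the Domain Controllers OU to confirm the change took effect.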


Granting access to resources in a multiple domain environment

Q: We have four servers with Windows Server 2003. In every server there is a domain with Exchange Server 2003. The main domain is in the CITY and every domain has the server address,,, When one user logs into other servers or finds any resources in other servers, a message appears that they have no privileges for this resource. We revised the DNS in every server and applied Microsoft patches, but the problem persists. What can we do to resolve this?

A: One thing I'm not clear on is whether you have multiple domains. It appears that you do and I'm going to work on that assumption as it fits with what I think is likely happening.

A common misconception with Windows domains is that if trusts exist between domains, users can access any resources, anywhere. This is commonly due to an expectation that comes from a single domain environment. In a single domain environment, all users are by default a member of the Domain Users group, which is in turn automatically a member of the local Users group. This allows all users to access all resources (by default) without much effort. This is not the case in a multiple domain environment, however. No "automatic" group memberships occur between domains. Consequently, you have to explicitly grant access to resources for users who are members of another domain.

So, let's say you have DOMAIN1 and DOMAIN2 and you want users in DOMAIN1 to access resources on SERVER1 in DOMAIN2.

  1. You need to create a Global Security Group in DOMAIN1 and add the users that should have access to the resources on SERVER1 to it.
  2. Next, on SERVER1 create a local group that has the appropriate rights to the resources in question.
  3. Finally, make the Global Security Group from step 1 a member of the local group from step 2. Have the users log off and then log back on again and they should be able to access the resources.
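The three steps above, carried out in PowerShell, as an added example that is not part of the original answer. DOMAIN1, DOMAIN2 and SERVER1 are the names from the answer; the group names, the OU path, the DNS name domain1.local, the folder D:\Shares\Projects and the users alice and bob are assumptions. Step 1 uses the ActiveDirectory module and runs in DOMAIN1; steps 2 and 3 use the LocalAccounts cmdlets (Windows Server 2016 or later; `net localgroup` does the same job on older hosts) and run on SERVER1.

```powershell
# Added example, not code from the original answer. Names other than DOMAIN1,
# DOMAIN2 and SERVER1 are placeholders.

# Step 1 (run in DOMAIN1): a global security group holding the users who need
# access. Global groups can be nested into groups in any trusting domain.
New-ADGroup -Name 'Projects-Readers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=domain1,DC=local' -Server 'domain1.local'
Add-ADGroupMember -Identity 'Projects-Readers' -Members 'alice', 'bob' -Server 'domain1.local'

# Step 2 (run on SERVER1 in DOMAIN2): a local group that carries the permission.
# The ACL names the local group, never the foreign users directly.
$LocalGroup = 'Projects-Readers-Local'
$Folder     = 'D:\Shares\Projects'
New-LocalGroup -Name $LocalGroup -Description "Read access to $Folder"

$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3 (run on SERVER1): nest the DOMAIN1 global group in the local group.
# This lookup goes through the trust, so it fails unless DOMAIN2 trusts DOMAIN1.
Add-LocalGroupMember -Group $LocalGroup -Member 'DOMAIN1\Projects-Readers'

# Check: the nested group is listed with ObjectClass 'Group' and its source
# domain. Members of DOMAIN1\Projects-Readers get the access only after a fresh
# logon, because group SIDs are placed in the access token at logon time.
Get-LocalGroupMember -Group $LocalGroup
```

If step 3 reports that the principal could not be found, the trust (or name resolution to DOMAIN1's domain controllers) is the problem, not the permissions; that is the first thing to check in the situation the question describes.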

