


Appendix C

List of Default Group Privileges and User Rights

This appendix lists the standard and advanced user rights that can be assigned in Windows NT. User rights are used to determine what types of special actions a user is permitted to perform. Most rights are assigned to a default group or groups, but additional users can be granted the right, either explicitly or by granting membership in a group that is granted the right.

Standard User Rights

Standard user rights are the rights that are usually of the most interest to NT administrators. These rights typically have to do with administrative capabilities on the server, such as backing up and restoring files or setting the time on the server.

The first column in Table C.1 lists the common name for the user right. Beneath this, listed in parentheses, is the internal name for this right. This is the name that shows up in the Event Viewer if you are auditing the use of user rights.

The second column gives a description of what the right entails, including any comments and caveats. Additionally, some of the rights that can be assigned in Windows NT have not yet been implemented. If this is the case, it is indicated in the Description column.

The third column lists the groups that by default are granted the particular right on an NT Server installed as a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC).

The fourth column lists the default groups that are granted the particular right on an NT Server installed as a member server (nondomain controller) and on an NT Workstation.

Table C.1. Standard user rights.

| User Right | Description | Default on Domain Controller | Default on NT Member Server and NT Workstation |
|---|---|---|---|
| Access this computer from network | This right enables specified users to log onto this computer over the network. Note that the abilities to log onto an NT system from the console and from the network are controlled independently by two different rights. | Administrators, everyone | Administrators, everyone, power users |
| Backup files and directories (SeBackupPrivilege) | The holder of this right is permitted to circumvent NTFS file- and directory-level access permissions to back up any files on the computer. Note that utilities such as SCOPY also take advantage of this capability and can be used to circumvent security policy. Assign this right with caution. | Administrators, server operators, backup operators | Administrators, backup operators |
| Change the system time (SeSystemTimePrivilege) | The specified users are permitted to set the computer's system clock. | Administrators, server operators, backup operators | Administrators, backup operators |
| Force shutdown from a remote system (SeRemoteShutdownPrivilege) | The intent of this right is to permit the specified users to remotely initiate a system shutdown. However, this right is not yet implemented and has no effect in this version of Windows NT. | Administrators, server operators | Administrators, power users |
| Log on locally | This right enables the user to log onto the NT system using the console keyboard and gain interactive desktop access. Note that the abilities to log onto an NT system from the console and from the network are controlled independently by two different rights. | Administrators, server operators, backup operators, account operators, print operators | Administrators, backup operators, power users, users, guests |
| Manage auditing and security log (SeSecurityPrivilege) | This right permits the user to view and clear the security logs, as well as specify which object accesses are audited by the system. This right does not permit the users to enable or disable the system-wide auditing policy. | Administrators | Administrators |
| Restore files and directories (SeRestorePrivilege) | The holder of this right is permitted to circumvent NTFS file- and directory-level access permissions to restore any files on the computer. It also permits the users to restore NTFS security attributes, including the file's owner information. Note that utilities such as SCOPY also take advantage of this capability and can be used to circumvent security policy. Assign this right with caution. | Administrators, server operators, backup operators | Administrators, backup operators |
| Shut down the system (SeShutdownPrivilege) | This right permits the user to initiate a system shutdown if the user is interactively logged onto the system's console. | Administrators, server operators, backup operators, account operators, print operators | Administrators, backup operators, power users, users, guests |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Possessing this right permits a user to take ownership of an NT object, including files, directories and processes, regardless of the user's actual permissions on that resource. | Administrators | Administrators |

Advanced User Rights

Advanced user rights are the rights that are typically of lesser interest to NT administrators. By this, I mean simply that they rarely need to be changed from their default values. However, in an environment where you are writing and debugging programs on Windows NT, you will probably need to make some changes. Be sure you fully understand what you are doing, because most of these rights provide the ability to circumvent different parts of NT's security systems.

The first column in Table C.2 lists the common name for the user right. Beneath this, listed in parentheses, is the internal name for that right. This is the name that shows up in the Event Viewer if you are auditing the use of user rights.

The second column gives a description of what the right entails, including any comments and caveats. Additionally, some of the rights that can be assigned in Windows NT have not yet been implemented. If this is the case, it is indicated in the Description column.

The third column lists the groups that by default are granted the particular right on an NT Server installed as a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC).

The fourth column lists the default groups that are granted the particular right on an NT Server installed as a member server (nondomain controller) and on an NT Workstation.

Table C.2. Advanced user rights.

| User Right | Description | Default on Domain Controller | Default on NT Member Server and NT Workstation |
|---|---|---|---|
| Act as part of the operating system (SeTcbPrivilege) | This right enables the designated user to bypass certain operating system constraints and act as a trusted entity. The SYSTEM account can always do this. Additionally, some subsystems are given this capability. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this right. | None | None |
| Add workstations to domain | This right enables the user to create NT Workstation or NT Server computer accounts in the NT domain. It is a built-in right for administrators and account operators, which cannot be removed. Note that the NT 3.5 and 3.51 documentation incorrectly lists the server operators as holding this right instead of the account operators. Additionally, many resources that are derived from this documentation also contain this error. See Microsoft's TechNote Q129116 for more information. | None | Not applicable |
| Bypass traverse checking (SeChangeNotifyPrivilege) | Permits a user to access a resource to which he or she is granted permissions even if the user does not have permission to access all the parent resources. For more information about this right, see Chapter 25, Advanced Security Guidelines. | Everyone | Everyone |
| Create a page file (SeCreatePagefilePrivilege) | This right enables the user to create a pagefile. However, it has no effect in the current version of Windows NT. | Administrators | Administrators |
| Create a token object (SeCreateTokenPrivilege) | This right enables the possessor to create security access tokens, which are normally built by the Local Security Authority whenever a user logs onto a Windows NT system. Normally only the Local Security Authority can create access tokens. You cannot audit the use of this right. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this permission. | None | None |
| Create permanent shared objects (SeCreatePermanentPrivilege) | Possession of this right enables the user to create permanent shared objects. Note: Do not confuse this right with the ability to create network shares! | None | None |
| Debug programs (SeDebugPrivilege) | This right enables the user to gain full access to any system-level process, including the ability to view the process's memory space, terminate the process, and spawn additional processes and threads using the system's security context. It is intended for debugging only and should be handled with care. Use of this right is not auditable. | Administrators | Administrators |
| Generate security audits (SeAuditPrivilege) | Enabling this right for a user enables the user to run a process that creates entries in the system's security log, which can be viewed with the Event Viewer. You cannot audit the use of this right. | None | None |
| Increase quotas (SeIncreaseQuotaPrivilege) | This right is provided to enable the user to increase object quotas. However, it is not implemented in the current version of Windows NT. | Administrators (beginning in NT 3.51) | Administrators (beginning in NT 3.51) |
| Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Having this right enables a user to change the priority of a Win32 application. Note: Increasing the priority of a process can starve other processes, including the system. | Administrators | Administrators |
| Load and unload device drivers (SeLoadDriverPrivilege) | This right enables the user to install and remove NT device drivers. | Administrators | Administrators |
| Lock pages in memory (SeLockMemoryPrivilege) | This enables a process owned by the user to lock pages in memory so they cannot be paged out. Note that locking a page in memory effectively reduces the amount of physical memory that can be allocated to other processes. Usually only the system processes should be allowed to be locked. | None | None |
| Log on as a batch job (SeBatchSid) | This right enables the user to log on using a batch queue facility that is not implemented in this version of Windows NT. Assigning this right currently has no effect. | None | None |
| Log on as a service (SeServiceSid) | This right enables a user to log onto NT as a service. By default, most services in NT run in the SYSTEM account user context. However, if you want to run a service, such as the scheduler service, in a different user context, you would need to assign this right to that user account. | None | None |
| Modify firmware environment variables (SeSystemEnvironmentPrivilege) | This right enables a user to change environment settings stored in nonvolatile RAM (NVRAM). This is applicable only on systems that have such a feature. Note that this right has nothing to do with the system's environmental variables or user variables, which can be set from the Control Panel's System icon. | Administrators | Administrators |
| Profile single process (SeProfileSingleProcessPrivilege) | This right enables the user to use NT's performance monitoring tools to profile the performance of a single process. However, this right is not implemented in the current release of Windows NT. Assigning it does nothing. | Administrators | Administrators, power users |
| Profile system performance (SeSystemProfilePerformance) | This right enables the user to use NT's performance monitoring tools to profile the system's performance. | Administrators | Administrators |
| Replace a process-level token (SeAssignPrimaryTokenPrivilege) | This right enables the user to modify a process's access token. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this right. | None | None |
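
The defaults in Tables C.1 and C.2 can serve as a baseline when reviewing who actually holds the rights that circumvent security. The following is an added example, not part of the original appendix: it goes beyond NT 4 tooling by assuming a text export in the `[Privilege Rights]` format written by `secedit /export /areas USER_RIGHTS` on later Windows versions, and the sample export and the account names in it are constructed.

```python
import configparser

# Well-known SIDs for the built-in groups named in the tables.
ADMINS, BACKUP_OPS = "S-1-5-32-544", "S-1-5-32-551"

# Baseline: member server / NT Workstation defaults from Tables C.1 and C.2
# for rights the tables describe as circumventing security.
BASELINE = {
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},
    "SeTakeOwnershipPrivilege": {ADMINS},
    "SeDebugPrivilege": {ADMINS},
    "SeLoadDriverPrivilege": {ADMINS},
    "SeTcbPrivilege": set(),
    "SeCreateTokenPrivilege": set(),
    "SeAssignPrimaryTokenPrivilege": set(),
}

# Constructed sample; devuser and svc_legacy are hypothetical accounts.
# Real exports are UTF-16 and must be decoded before parsing.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,devuser
SeTcbPrivilege = svc_legacy
SeLoadDriverPrivilege = *S-1-5-32-544
"""

def holders(export_text):
    """Return {right: set of holders} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of privilege names
    cp.read_string(export_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
            for right, value in cp["Privilege Rights"].items()}

def extra_holders(export_text, baseline=BASELINE):
    """Return {right: sorted holders outside the baseline} for watched rights."""
    assigned = holders(export_text)
    extra = {r: sorted(assigned.get(r, set()) - ok) for r, ok in baseline.items()}
    return {r: names for r, names in extra.items() if names}

if __name__ == "__main__":
    for right, names in extra_holders(SAMPLE_EXPORT).items():
        print(f"{right}: holders outside baseline: {', '.join(names)}")
```

The baseline reflects the NT defaults listed in this appendix; on other Windows versions the default holders differ, so adjust `BASELINE` to the documented defaults of the system being reviewed.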

2013 Soft Lookup Corp.