Appendix C
List of Default Group Privileges and User Rights

This appendix lists the standard and advanced user rights that can be assigned in Windows NT. User rights determine what types of special actions a user is permitted to perform. Most rights are assigned to a default group or groups, but additional users can be granted a right, either explicitly or by being granted membership in a group that holds the right.
Standard User Rights

Standard user rights are the rights that are usually of the most interest to NT administrators. These rights typically concern administrative capabilities on the server, such as backing up and restoring files or setting the time on the server.

The first column in Table C.1 lists the common name for the user right, followed in parentheses by the internal name for the right. The internal name is the name that shows up in the Event Viewer if you are auditing the use of user rights.

The second column gives a description of what the right entails, including any comments and caveats. Some of the rights that can be assigned in Windows NT have not yet been implemented; where this is the case, it is indicated in the Description column.

The third column lists the groups that by default are granted the particular right on an NT Server installed as a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC).

The fourth column lists the default groups that are granted the particular right on an NT Server installed as a member server (nondomain controller) and on an NT Workstation.
Table C.1. Standard user rights.

| User Right (internal name) | Description | Default on Domain Controller (PDC/BDC) | Default on Member Server and NT Workstation |
|---|---|---|---|
| Access this computer from network | This right enables specified users to log onto this computer over the network. Note that the abilities to log onto an NT system from the console and from the network are controlled independently by two different rights. | Administrators, Everyone | Administrators, Everyone, Power Users |
| Backup files and directories (SeBackupPrivilege) | The holder of this right is permitted to circumvent NTFS file- and directory-level access permissions to back up any files on the computer. Note that utilities such as SCOPY also take advantage of this capability and can be used to circumvent security policy. Assign this right with caution. | Administrators, Server Operators, Backup Operators | Administrators, Backup Operators |
| Change the system time (SeSystemTimePrivilege) | The specified users are permitted to set the computer's system clock. | Administrators, Server Operators, Backup Operators | Administrators, Backup Operators |
| Force shutdown from a remote system (SeRemoteShutdownPrivilege) | The intent of this right is to permit the specified users to remotely initiate a system shutdown. However, this right is not yet implemented and has no effect in this version of Windows NT. | Administrators, Server Operators | Administrators, Power Users |
| Log on locally | This right enables the user to log onto the NT system using the console keyboard and gain interactive desktop access. Note that the abilities to log onto an NT system from the console and from the network are controlled independently by two different rights. | Administrators, Server Operators, Backup Operators, Account Operators, Print Operators | Administrators, Backup Operators, Power Users, Users, Guests |
| Manage auditing and security log (SeSecurityPrivilege) | This right permits the user to view and clear the security log, as well as specify which object accesses are audited by the system. This right does not permit the user to enable or disable the system-wide auditing policy. | Administrators | Administrators |
| Restore files and directories (SeRestorePrivilege) | The holder of this right is permitted to circumvent NTFS file- and directory-level access permissions to restore any files on the computer. It also permits the user to restore NTFS security attributes, including the file's owner information. Note that utilities such as SCOPY also take advantage of this capability and can be used to circumvent security policy. Assign this right with caution. | Administrators, Server Operators, Backup Operators | Administrators, Backup Operators |
| Shut down the system (SeShutdownPrivilege) | This right permits the user to initiate a system shutdown if the user is interactively logged onto the system's console. | Administrators, Server Operators, Backup Operators, Account Operators, Print Operators | Administrators, Backup Operators, Power Users, Users, Guests |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Possessing this right permits a user to take ownership of an NT object, including files, directories, and processes, regardless of the user's actual permissions on that resource. | Administrators | Administrators |
Advanced User Rights

Advanced user rights are the rights that are typically of lesser interest to NT administrators. By this, I mean simply that they rarely need to be changed from their default values. However, in an environment where you are writing and debugging programs on Windows NT, you will probably need to make some changes. Be sure to fully understand what you are doing, because most of these rights provide the ability to circumvent different parts of NT's security systems.

The first column in Table C.2 lists the common name for the user right, followed in parentheses by the internal name for the right. The internal name is the name that shows up in the Event Viewer if you are auditing the use of user rights.

The second column gives a description of what the right entails, including any comments and caveats. Some of the rights that can be assigned in Windows NT have not yet been implemented; where this is the case, it is indicated in the Description column.

The third column lists the groups that by default are granted the particular right on an NT Server installed as a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC).

The fourth column lists the default groups that are granted the particular right on an NT Server installed as a member server (nondomain controller) and on an NT Workstation.
Table C.2. Advanced user rights.

| User Right (internal name) | Description | Default on Domain Controller (PDC/BDC) | Default on Member Server and NT Workstation |
|---|---|---|---|
| Act as part of the operating system (SeTcbPrivilege) | This right enables the designated user to bypass certain operating system constraints and act as a trusted entity. The SYSTEM account can always do this. Additionally, some subsystems are given this capability. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this right. | None | None |
| Add workstations to domain | This right enables the user to create NT Workstation or NT Server computer accounts in the NT domain. It is a built-in right for Administrators and Account Operators, which cannot be removed. Note that the NT 3.5 and 3.51 documentation incorrectly lists the Server Operators as holding this right instead of the Account Operators. Additionally, many resources that are derived from this documentation also contain this error. See Microsoft's TechNote Q129116 for more information. | None | Not applicable |
| Bypass traverse checking (SeChangeNotifyPrivilege) | Permits a user to access a resource to which he or she is granted permissions even if the user does not have permission to access all the parent resources. For more information about this right, see Chapter 25, Advanced Security Guidelines. | Everyone | Everyone |
| Create a page file (SeCreatePagefilePrivilege) | This right enables the user to create a pagefile. However, it has no effect in the current version of Windows NT. | Administrators | Administrators |
| Create a token object (SeCreateTokenPrivilege) | This right enables the possessor to create security access tokens, which are normally built by the Local Security Authority whenever a user logs onto a Windows NT system. Normally only the Local Security Authority can create access tokens. You cannot audit the use of this right. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this permission. | None | None |
| Create permanent shared objects (SeCreatePermanentPrivilege) | Possession of this right enables the user to create permanent shared objects. Note: Do not confuse this right with the ability to create network shares! | None | None |
| Debug programs (SeDebugPrivilege) | This right enables the user to gain full access to any system-level process, including the ability to view the process's memory space, terminate the process, and spawn additional processes and threads using the system's security context. It is intended for debugging only and should be handled with care. Use of this right is not auditable. | Administrators | Administrators |
| Generate security audits (SeAuditPrivilege) | Enabling this right for a user enables the user to run a process that creates entries in the system's security log, which can be viewed with the Event Viewer. You cannot audit the use of this right. | None | None |
| Increase quotas (SeIncreaseQuotaPrivilege) | This right is provided to enable the user to increase object quotas. However, it is not implemented in the current version of Windows NT. | Administrators (beginning in NT 3.51) | Administrators (beginning in NT 3.51) |
| Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Having this right enables a user to change the priority of a Win32 application. Note: Increasing the priority of a process can starve other processes, including the system. | Administrators | Administrators |
| Load and unload device drivers (SeLoadDriverPrivilege) | This right enables the user to install and remove NT device drivers. | Administrators | Administrators |
| Lock pages in memory (SeLockMemoryPrivilege) | This enables a process owned by the user to lock pages in memory so they cannot be paged out. Note that locking a page in memory effectively reduces the amount of physical memory that can be allocated to other processes. Usually only system processes should be allowed to lock pages. | None | None |
| Log on as a batch job (SeBatchSid) | This right enables the user to log on using a batch queue facility that is not implemented in this version of Windows NT. Assigning this right currently has no effect. | None | None |
| Log on as a service (SeServiceSid) | This right enables a user to log onto NT as a service. By default, most services in NT run in the SYSTEM account user context. However, if you want to run a service, such as the Scheduler service, in a different user context, you need to assign this right to that user account. | None | None |
| Modify firmware environment variables (SeSystemEnvironmentPrivilege) | This right enables a user to change environment settings stored in nonvolatile RAM (NVRAM). This is applicable only on systems that have such a feature. Note that this right has nothing to do with the system's environment variables or user variables, which can be set from the Control Panel's System icon. | Administrators | Administrators |
| Profile single process (SeProfileSingleProcessPrivilege) | This right enables the user to use NT's performance monitoring tools to profile the performance of a single process. However, this right is not implemented in the current release of Windows NT. Assigning it does nothing. | Administrators | Administrators, Power Users |
| Profile system performance (SeSystemProfilePerformance) | This right enables the user to use NT's performance monitoring tools to profile the system's performance. | Administrators | Administrators |
| Replace a process-level token (SeAssignPrimaryTokenPrivilege) | This right enables the user to modify a process's access token. Some Win32 API calls, such as LogonUser() and CreateProcessAsUser(), require that they be run with this right. | None | None |
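As an added example that is not from the book, the following Python script compares a host's assigned user rights, keyed by the common names used in Tables C.1 and C.2, against the defaults from both tables and flags every non-default grantee. The role names ("dc", "member"), the account name svc_scheduler and the sample assignments are constructed for illustration.

```python
# Added example, not from the book: flag user-right grantees that differ from
# the Appendix C defaults. Rights the tables mark as not auditable (SeDebug,
# SeCreateToken, SeAudit) leave no security-log trace, so review what is assigned.
from typing import Dict, Iterable, List, Tuple

ADMINS = frozenset({"Administrators"})
NOBODY = frozenset()
OPS = frozenset({"Administrators", "Server Operators", "Backup Operators"})
# Defaults from Tables C.1 and C.2: (domain controller, member server/workstation).
DEFAULTS: Dict[str, Tuple[frozenset, frozenset]] = {
    "Access this computer from network": (frozenset({"Administrators", "Everyone"}),
                                          frozenset({"Administrators", "Everyone", "Power Users"})),
    "Backup files and directories": (OPS, frozenset({"Administrators", "Backup Operators"})),
    "Restore files and directories": (OPS, frozenset({"Administrators", "Backup Operators"})),
    "Take ownership of files or other objects": (ADMINS, ADMINS),
    "Debug programs": (ADMINS, ADMINS),
    "Act as part of the operating system": (NOBODY, NOBODY),
    "Create a token object": (NOBODY, NOBODY),
    "Generate security audits": (NOBODY, NOBODY),
    "Replace a process-level token": (NOBODY, NOBODY),
}
# Rights whose description says they bypass object security, act as the
# operating system, or cannot be audited.
HIGH_RISK = {
    "Backup files and directories", "Restore files and directories",
    "Take ownership of files or other objects", "Debug programs",
    "Act as part of the operating system", "Create a token object",
    "Generate security audits", "Replace a process-level token",
}

def find_drift(role: str, assigned: Dict[str, Iterable[str]]) -> List[Tuple[str, str, bool]]:
    """Return (right, grantee, high_risk) for every grantee not in the default
    list for `role`: "dc" for a PDC/BDC, "member" for a member server/workstation."""
    column = 0 if role == "dc" else 1
    findings = []
    for right, grantees in sorted(assigned.items()):
        if right not in DEFAULTS:
            continue  # not covered by the tables above
        for extra in sorted(set(grantees) - DEFAULTS[right][column]):
            findings.append((right, extra, right in HIGH_RISK))
    return findings

# Constructed sample (member server): Power Users were added to the backup right
# and a hypothetical service account svc_scheduler was granted SeTcbPrivilege.
SAMPLE = {
    "Backup files and directories": ["Administrators", "Backup Operators", "Power Users"],
    "Act as part of the operating system": ["svc_scheduler"],
    "Debug programs": ["Administrators"],
}
```

Running find_drift("member", SAMPLE) reports the two non-default grantees, both marked high risk, while the same backup grant on a domain controller would not be reported for Server Operators.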