Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The table below identifies the default user rights assignments on Windows 2000 systems and provides a list of changes recommended earlier in this document.
The table identifies the default user rights assigned to users on stand-alone Windows 2000 Professional and Server systems and on a Windows 2000 Domain Controller. It also identifies the default user rights in a Domain Security Policy (all not-defined by default). Assignments in the Domain Security Policy will override Local Security Policy settings for domain members.
User right/privilege assignments can be found in the Local and Domain Security Policy GUI, as follows:
Windows 2000 Professional:
Administrative Tools --> Local Security Policy --> Security Settings\Local Policies\User Rights Assignment
Windows 2000 Server:
Administrative Tools --> Local Security Policy --> Security Settings\Local Policies\User Rights Assignment
Windows 2000 Domain Controller:
Administrative Tools --> Domain Controller Security Policy --> Windows Settings\Security Settings\Local Policies\User Rights Assignment
Administrative Tools --> Domain Security Policy --> Windows Settings\Security Settings\Local Policies\User Rights Assignment
User Rights/Privileges |
Description |
Groups Assigned this Right on Stand Alone Windows 2000 Professional |
Groups Assigned this Right on Stand Alone Windows 2000 Servers |
Groups Assigned this Right in Windows 2000 Domain Security Policy (Located on Domain Controller) |
Groups Assigned this Right on Windows 2000 Domain Controller with AD Services (Domain Controller Security Policy) |
|---|---|---|---|---|---|
Logon Rights |
|||||
Access this Computer from the Network (SeNetworkLogonRight) |
Determines which users are allowed to connect over the network to the computer. |
Default: Administrators Backup Operators Power Users Users Everyone Recommended Change: Administrators Backup Operators Power Users Users Authen. Users |
Default: Administrators Backup Operators Power Users Users Everyone Recommended Change: Administrators Backup Operators Power Users Users Authen. Users |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Authen. Users Everyone Recommended Change: Administrators Authen. Users |
Log on as a batch job (SeBatchLogonRight) |
Allows a user to log on by using a batch-queue facility. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Log on locally (SeInteractiveLogonRight) |
Allows a user to log on locally at the computers keyboard. |
Default: Administrators Backup Operators Power Users Users Machinename\Guest Recommended Change: Administrators Backup Operators Power Users Users |
Default: Administrators Backup Operators Power Users Users Machinename\Guest Machinename\TsInternetUser Recommended Change: Administrators Backup Operators Power Users Users |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Account Operators Backup Operators Print Operators Server Operators TsInternetUser Recommended Change: Administrators Account Operators Backup Operators Print Operators Server Operators |
Logon as a service (SeServiceLogonRight) |
Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Deny Access to this computer from the network (SeDenyNetworkLogonRight) |
Prohibits a user or group from connecting to the computer from the network. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Deny local logon (SeDenyInteractiveLogonRight) |
Prohibits a user or group from logging on locally at the keyboard. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Deny logon as a batch file (SeDenyBatchLogonRight) |
Prohibits a user or group from logging on through a batch-queue facility. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Deny logon as a service (SeDenyServiceLogonRight) |
Prohibits a user or group from logging on as a service. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Privileges |
|||||
Act as part of the operating system (SeTcbPrivilege) |
Allow a process to authenticate as a user and thus gain access to the same resources as a user. Only low-level authentication services should require this service. The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, the anonymous token does not provide a primary identity for tracking events in the audit log. The LocalSystem account uses this privilege by default. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Add workstations to the domain (SeMachineAccountPrivilege) |
Allows a user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain. In Windows 2000, the behavior of this privilege is duplicated by the Create Computer Objects permission for organizational units and the default Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Authen. Users Recommended Change: Domain Admins |
Backup files and directories (SeBackupPrivilege) |
Allows the user to circumvent file and directory permissions to backup the system. The privilege is selected only when the application attempts to access through the NTFS backup application interface. Otherwise normal file and directory permissions apply. |
Default: Administrators Backup Operators Recommendation: No Change |
Default: Administrators Backup Operators Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Backup Operators Server Operators Recommendation: No Change |
Bypass traverse checking (SeChangeNotifyPrivilege) |
Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft Windows file system or in the Registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. |
Default: Administrators Backup Operators Power Users Users Everyone Recommendation: No Change |
Default: Administrators Backup Operators Power Users Users Everyone Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Authen. Users Everyone Recommendation: No Change |
Change the system time (SeSystemTimePrivilege) |
Allows the user to set the time for the internal clock of the computer. |
Default: Administrators Power Users Recommendation: No Change |
Default: Administrators Power Users Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Server Operators Recommendation: No Change |
Create a token object (SeCreateTokenPrivilege) |
Allows a process to create an access token by calling NtCreateToken() or other token token-creating APIs. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Create permanent shared objects (SeCreatePermanentPrivilege) |
Allow a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege; it is not necessary to assign it to them. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Create a pagefile (SeCreatePagefilePrivilege) |
Allows the user to create and change the size of a pagefile. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Debug programs (SeDebugPrivilege) |
Allows the user to attach a debugger to any process. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) |
Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flag on the object. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Force shutdown from a remote system (SeRemoteShutdownPrivilege) |
Allows a user to shut down a computer from a remote location on the network. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Server Operators Recommendation: No Change |
Generate security audits (SeAuditPrivilege) |
Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access and other security relevant activities. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Increase quotas (SeIncreaseQuotaPrivilege) |
Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial of service attack. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Increase scheduling priority (SeIncreaseBasePriorityPrivilege) |
Allows a process that has Write Property access to another process to increase the execution priority of the other process. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Load and unload device drivers (SeLoadDriverPrivilege) |
Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; only Administrators can install these device drivers. Note that device drivers run as Trusted (highly privileged) processes; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Lock pages in memory (SeLockMemoryPrivilege) |
Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Manage auditing and security log (SeSecurityPrivilege) |
Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys. Object access auditing is not actually performed unless it has been enabled it in Audit Policy. A user who has this privilege also can view and clear the security log from event viewer. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Modify firmware environment values (SeSystemEnvironmentPrivilege) |
Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Profile a single process (SeProfileSingleProcessPrivilege) |
Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes. |
Default: Administrators Power Users Recommendation: No Change |
Default: Administrators Power Users Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Profile system performance (SeSystemProfilePrivilege) |
Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Remove computer from docking station (SeUndockPrivilege) |
Allows a user of a portable computer to unlock the computer by clicking Eject PC on the Start menu. |
Default: Administrators Power Users Users Recommendation: No Change |
Default: Administrators Power Users Users Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Replace a process-level token (SeAssignPrimaryTokenPrivilege) |
Allows a parent process to replace the access token that is associated with a child process. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: None Recommendation: No Change |
Restore files and directories (SeRestorePrivilege) |
Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. |
Default: Administrators Backup Operators Recommendation: No Change |
Default: Administrators Backup Operators Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Backup Operators Server Operators Recommendation: No Change |
Shut down the system (SeShutdownPrivilege) |
Allows a user to shut down the local computer. |
Default: Administrators BACKUP OPERATORS Power Users Users Recommended Change: Administrators Backup Operators Power Users Authenticated Users |
Default: Administrators Backup Operators Power Users Recommended Change: Administrators Backup Operators Power Users Authenticated Users |
Default: (Not Defined) Recommendation: No Change |
Default: Administrators Account Operators Backup Operators Server Operators Print Operators Recommendation: No Change |
Synchronize directory service data (SeSyncAgentPrivilege) |
Allows a service to provide directory synchronization services. This privilege is relevant only on Domain Controllers. Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: (Not Defined) Recommendation: No Change |
Default: Administrator Recommendation: No Change |
Take ownership of files or other objects (SeTakeOwnershipPrivilege) |
Allows the user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, Registry keys, processes, and threads. |
Default: Administrators Recommendation: No Change |
Default: Administrators Recommendation: No Change |
Default: (Not Defined) Recommended Change: Administrators |
Default: Administrators Recommendation: No Change |
Read unsolicited data from a terminal device (SeUnsolicitedInputPrivilege) |
Required to read unsolicited input from a terminal device. It is obsolete and unused. it has no effect on the system. |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |
Default: None Recommendation: No Change |