Privileges
To ease the task of account administration, it is recommended that you assign privileges primarily to groups rather than to individual user accounts. When you assign privileges to a group, the privileges are assigned automatically to each user who is added to the group. This is easier than assigning privileges to individual user accounts as each account is created.
The privileges that can be assigned are listed and described in Table D.2. The strings that correspond to the constants in Winnt.h are shown in parentheses.
Table D.2 Privileges
Privilege | Description |
---|---|
Act as part of the operating system | Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. |
Add workstations to a domain | Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain. |
Back up files and directories | Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply. |
Bypass traverse checking | Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft® Windows® file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories. |
Change the system time | Allows the user to set the time for the internal clock of the computer. |
Create a token object | Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs. |
Create permanent shared objects | Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege. |
Create a pagefile | Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties. |
Debug programs | Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components. |
Enable computer and user accounts to be trusted for delegation | Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. |
Force shutdown from a remote system | Allows a user to shut down a computer from a remote location on the network. (See also "Shut down the system" in this table.) |
Generate security audits | Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also "Manage auditing and security log" in this table.) |
Increase quotas | Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack. |
Increase scheduling priority | Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box. |
Load and unload device drivers | Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources. |
Lock pages in memory | Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected. |
Manage auditing and security log | Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer. |
Modify firmware environment values | Allows modification of system environment variables either by a process through an API or by a user through System Properties. |
Profile a single process | Allows a user to run Microsoft® Windows NT® and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes. |
Profile system performance | Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes. |
Remove computer from docking station | Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu. |
Replace a process-level token | Allows a parent process to replace the access token that is associated with a child process. |
Restore files and directories | Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also "Back up files and directories" in this table.) |
Shut down the system | Allows a user to shut down the local computer. (See also "Force shutdown from a remote system" in this table.) |
Synchronize directory service data | Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers. |
Take ownership of files or other objects | Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
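
The following is an added example, not part of the original documentation: a Python audit that applies the recommendation above (assign privileges to groups, not individual accounts) to the rows of Table D.2 whose descriptions warn of abuse or sensitive access. It assumes the `[Privilege Rights]` layout written by `secedit /export`; the sample text, the account name `svc_legacy`, the domain SID, and the helper names are constructed for illustration.

```python
import re

# Constructed sample of the [Privilege Rights] section of a
# `secedit /export /cfg rights.inf` file (not taken from the page).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-500
SeTcbPrivilege = svc_legacy
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Winnt.h strings for the rows whose descriptions warn of abuse or sensitive access.
SENSITIVE = {"SeTcbPrivilege", "SeDebugPrivilege",
             "SeLoadDriverPrivilege", "SeIncreaseQuotaPrivilege"}
GROUP_RIDS = {512, 513, 514, 515, 516, 518, 519, 520}   # well-known domain groups
USER_RIDS = {500, 501, 502}                             # Administrator, Guest, krbtgt

def parse_rights(inf_text):
    """Map each privilege string to its list of holders."""
    rights, section = {}, None
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip() for h in holders.split(",") if h.strip()]
    return rights

def classify(holder):
    """Return 'group', 'service', 'user', or 'lookup' (type not decidable offline)."""
    sid = holder[1:] if holder.startswith("*") else ""
    if sid.startswith("S-1-5-32-"):
        return "group"                      # BUILTIN aliases such as Administrators
    if sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20"):
        return "service"                    # LocalSystem, LocalService, NetworkService
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    rid = int(m.group(1)) if m else None
    return "group" if rid in GROUP_RIDS else "user" if rid in USER_RIDS else "lookup"

def audit(inf_text):
    """List (privilege, holder, kind) where a sensitive privilege is not held via a group."""
    return [(p, h, classify(h))
            for p, holders in parse_rights(inf_text).items() if p in SENSITIVE
            for h in holders if classify(h) not in ("group", "service")]
```

Holders reported as `lookup` carry a RID or plain name whose account type has to be resolved on the host or domain before deciding whether the assignment violates the group-only recommendation. A real export is typically UTF-16, so read it with `encoding="utf-16"` before passing the text to `audit`.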