User Rights

User rights fall into two general categories: logon rights and privileges. Logon rights control who is authorized to log on to a computer and how they can log on. Privileges control access to system-wide resources on a computer and can override the permissions that are set on particular objects.

For information on how to obtain the Windows XP Professional Resource Kit in its entirety, please see https://www.microsoft.com/mspress/books/6795.asp.

Logon Rights

Logon rights control how security principals are allowed access to the computer—whether from the keyboard or through a network connection, or whether as a service or as a batch job. For each logon method, there exists a pair of logon rights—one to allow logging on to the computer and another to deny logging on to the computer. Use a deny logon right as you would use a deny permission—to exclude a subset of a group that has been assigned an allow logon right. For example, suppose that Alice wants all users except the members of the domain Marketing group to be able to log on locally at her computer’s keyboard. With this in mind, Alice creates a local group, which she names “LocalLogonDenied.” Then she configures her computer as follows:

  1. She assigns the “Log on locally” user right to the Users group.

  2. She assigns the “Deny logon locally” user right to the LocalLogonDenied group.

  3. She makes the Marketing group a member of the LocalLogonDenied group.

Deny rights take precedence over allow rights, so members of the Marketing group are denied the right to log on locally even though they are also members of the Users group, which is allowed to log on locally.

Warning The rule to keep in mind is: “Allow a set, and then deny a subset.” Reversing the order can be disastrous. For example, Alice might want to allow no one but herself to log on locally. If she allowed herself the right to log on locally and denied the Users group the right to log on locally, she would be unpleasantly surprised to find that she had locked herself out of the computer. Alice, after all, is a member of the Users group, so the deny right she assigned to the Users group would take precedence over the allow right she assigned to herself.
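The precedence rule above, and the lockout in the warning, can be checked mechanically. The following Python is an added example (not from the Resource Kit): it models group membership, including the nested membership Alice sets up, evaluates one allow/deny logon-right pair the way the text describes (a match on the deny side wins), and runs both Alice's intended policy and the reversed one. Account and group names are constructed for illustration.

```python
"""Deny-over-allow evaluation of Windows logon rights, with nested local groups.

Added example, not from the Resource Kit. It applies the rule the text states:
a deny logon right takes precedence over the matching allow right, and both
are matched against every group the principal belongs to, directly or through
nested membership. Names below are constructed for illustration.
"""

# Constructed local group memberships: group -> members (users or other groups).
GROUPS = {
    "Users": {"Alice", "Bob", "Carol"},
    "Marketing": {"Carol"},
    "LocalLogonDenied": {"Marketing"},   # Alice nests the Marketing group here
    "Administrators": {"Alice"},
}


def effective_principals(account, groups=GROUPS):
    """Return the account plus every group it belongs to, following nesting.

    This mirrors the group list in an access token: the user plus all groups
    reached directly or through membership in other groups.
    """
    result = {account}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in result and members & result:
                result.add(group)
                changed = True
    return result


def can_log_on(account, allow, deny, groups=GROUPS):
    """Apply one allow/deny logon-right pair to an account.

    `allow` and `deny` hold the principals assigned, for example,
    SeInteractiveLogonRight and SeDenyInteractiveLogonRight.
    Any match on the deny side wins, whatever the allow side says.
    """
    token = effective_principals(account, groups)
    if token & deny:
        return False
    return bool(token & allow)


def alice_intended_policy():
    """'Allow a set, then deny a subset': Users may log on, LocalLogonDenied may not."""
    allow = {"Users"}
    deny = {"LocalLogonDenied"}
    return {name: can_log_on(name, allow, deny) for name in ("Alice", "Bob", "Carol")}


def alice_reversed_policy():
    """The warning's mistake: allow Alice, deny Users. Alice is a User, so deny wins."""
    allow = {"Alice"}
    deny = {"Users"}
    return {name: can_log_on(name, allow, deny) for name in ("Alice", "Bob", "Carol")}


if __name__ == "__main__":
    print("intended:", alice_intended_policy())   # Carol (via Marketing) denied
    print("reversed:", alice_reversed_policy())   # everyone, Alice included, locked out
```

The nested-group expansion is the part worth keeping in mind when reviewing a policy: a deny right assigned to a group reaches every account that lands in that group through any chain of nesting, which is exactly why denying a broad group such as Users catches the administrator too.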

Logon rights are described in Table B-1. The display names for logon rights are followed by the string constant (in parentheses). Many command-line tools refer to rights by string constant rather than by display name. The default settings are taken from the Windows XP Professional Local Computer policy.

Table B-1 Logon Rights

Right

Description

Access this computer from the network (SeNetworkLogonRight)

Allows a user to connect to the computer from the network.

Default setting: Administrators, Power Users, Users, Everyone, and Backup Operators.

Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)

Allows a user to log on to the computer using a Remote Desktop connection.

Default setting: Administrators and Remote Desktop Users.

Log on as a batch job (SeBatchLogonRight)

Allows a user to log on using a batch-queue facility such as the Task Scheduler service.

Default setting: Administrator, System, and Support_xxxxxxxx.

When an administrator uses the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the “Log on as a batch job” right. When the scheduled time arrives, the Task Scheduler service logs the user on as a batch job rather than as an interactive user, and the task runs in the user’s security context. The Support_xxxxxxxx account is the logon account for Remote Assistance.

Log on locally (SeInteractiveLogonRight)

Allows a user to start an interactive session on the computer.

Default setting: Administrators, Power Users, Users, Guest, and Backup Operators.

Users who do not have this right can start a remote interactive session on the computer if they have the “Allow logon through Terminal Services” right.

Log on as a service (SeServiceLogonRight)

Allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

Default setting: Network Service.

Deny access to this computer from the network (SeDenyNetworkLogonRight)

Prohibits a user from connecting to the computer from the network.

Default setting: The Support_xxxxxxxx account used by Remote Assistance is denied this right.

Deny logon locally (SeDenyInteractiveLogonRight)

Prohibits a user from logging on directly at the keyboard.

Default setting: Guest.

Deny logon as a batch job (SeDenyBatchLogonRight)

Prohibits a user from logging on using a batch-queue facility.

Default setting: Not assigned.

Deny logon as a service (SeDenyServiceLogonRight)

Prohibits a user from logging on as a service.

Default setting: Not assigned.

Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)

Prohibits a user from logging on to the computer using a Remote Desktop connection.

Default setting: Not assigned.

Privileges

To ease the task of security administration, assign privileges primarily to groups rather than to individual user accounts. When you assign privileges to a group, the privileges are assigned automatically to each user who is added to the group. This is easier than assigning privileges to individual user accounts as each account is created.

The privileges that can be assigned are listed and described in Table B-2. The display name for each privilege is followed by the corresponding string constant (in parentheses). Many command-line tools refer to privileges by string constant rather than by display name. The default settings are taken from the Windows XP Professional Local Computer policy.

Table B-2 Privileges

Privilege

Description

Act as part of the operating system (SeTcbPrivilege)

Allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege.

Default setting: Not assigned.

Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.

When a service requires this privilege, configure the service to log on using the Local System account, which has the privilege inherently. Do not create a separate account and assign the privilege to it.

Add workstations to domain (SeMachineAccountPrivilege)

Allows the user to add a computer to a specific domain. For the privilege to take effect, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain.

Default setting: Not assigned.

Users can also join a computer to a domain if they have Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have this permission can add an unlimited number of computers to the domain regardless of whether they have been assigned the “Add workstations to domain” privilege.

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Allows a process that has access to a second process to increase the processor quota assigned to the second process. This privilege is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial-of-service attack.

Default setting: Administrators, Local Service, and Network Service.

Back up files and directories (SeBackupPrivilege)

Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.

Default setting: Administrators and Backup Operators.

See also “Restore files and directories” in this table.

Bypass traverse checking (SeChangeNotifyPrivilege)

Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

Default setting: Administrators, Backup Operators, Power Users, Users, and Everyone.

Change the system time (SeSystemTimePrivilege)

Allows the user to adjust the time on the computer’s internal clock. This privilege is not required to change the time zone or other display characteristics of the system time.

Default setting: Administrators and Power Users.

Create a token object (SeCreateTokenPrivilege)

Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.

Default setting: Not assigned.

When a process requires this privilege, use the Local System (or System) account, which has the privilege inherently. Do not create a separate user account and assign the privilege to it.

Create a pagefile (SeCreatePagefilePrivilege)

Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive in the Performance Options box on the Advanced tab of System Properties.

Default setting: Administrators.

Create global objects (SeCreateGlobalPrivilege)

Allows the user to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right.

Default setting: Administrators, Interactive, and Service.

Debug programs (SeDebugPrivilege)

Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components.

Default setting: Administrators.

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.

Default setting: Not assigned to anyone on member servers and workstations because it has no meaning in those contexts.

Delegation of authentication is a capability that is used by multitier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, both client and server must be running under accounts that are trusted for delegation.

Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources.

Force shutdown from a remote system (SeRemoteShutdownPrivilege)

Allows a user to shut down a computer from a remote location on the network.

Default setting: Administrators.

See also “Shut down the system” in this table.

Generate security audits (SeAuditPrivilege)

Allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.

Default setting: Local Service and Network Service. Local System (or System) has the privilege inherently.

See also “Manage auditing and security log” in this table.

Impersonate a client after authentication (SeImpersonatePrivilege)

Allows programs running on behalf of a user to impersonate a client. Requiring this privilege prevents an unauthorized user from convincing a client to connect to a service they have created and impersonating that client, which can elevate the unauthorized user’s permissions to administrative or system levels. Note that assigning this privilege can be a security risk, so only assign it to trusted users.

Default setting: Administrators and Service.

Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

Allows a user to increase the base priority class of a process. (Increasing relative priority within a priority class is not a privileged operation.) This privilege is not required by administrative tools supplied with the operating system but might be required by software development tools.

Default setting: Administrators.

Load and unload device drivers (SeLoadDriverPrivilege)

Allows a user to install and remove drivers for Plug and Play devices. This privilege is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer.

Default setting: Administrators.

Do not assign this privilege to any user or group other than Administrators. Device drivers run as trusted (highly privileged) code. A user who has “Load and unload device drivers” privilege could unintentionally install malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signatures.

You must have this privilege and also be a member of either Administrators or Power Users to install a new driver for a local printer or manage a local printer by setting defaults for options such as duplex printing. The requirement to have both the privilege and membership in Administrators or Power Users is new to Windows XP Professional.

Lock pages in memory (SeLockMemoryPrivilege)

Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

Default setting: Not assigned. Local System (or System) has the privilege inherently.

Manage auditing and security log (SeSecurityPrivilege)

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not performed unless you enable it using Audit Policy (under Security Settings, Local Policies). A user who has this privilege can also view and clear the security log from Event Viewer.

Default setting: Administrators.

Modify firmware environment values (SeSystemEnvironmentPrivilege)

Allows modification of system environment variables either by a process through an API or by a user through System Properties.

Default setting: Administrators.

Perform volume maintenance tasks (SeManageVolumePrivilege)

Allows a non-administrative or remote user to manage volumes or disks. The operating system checks for the privilege in a user’s access token when a process running in the user’s security context calls SetFileValidData().

Default setting: Administrators.

Profile single process (SeProfileSingleProcessPrivilege)

Allows a user to sample the performance of an application process.

Default setting: Administrators and Power Users.

Ordinarily, you do not need this privilege to use the Performance snap-in. However, you do need the privilege if System Monitor is configured to collect data by using Windows Management Instrumentation (WMI).

Profile system performance (SeSystemProfilePrivilege)

Allows a user to sample the performance of system processes. This privilege is required by the Performance snap-in only if it is configured to collect data by using Windows Management Instrumentation (WMI).

Default setting: Administrators.

Remove computer from docking station (SeUndockPrivilege)

Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.

Default setting: Administrators, Power Users, and Users.

Replace a process-level token (SeAssignPrimaryTokenPrivilege)

Allows a parent process to replace the access token that is associated with a child process.

Default setting: Local Service and Network Service. Local System has the privilege inherently.

Restore files and directories (SeRestorePrivilege)

Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object.

Default setting: Administrators and Backup Operators.

See also “Back up files and directories” in this table.

Shut down the system (SeShutdownPrivilege)

Allows a user to shut down the local computer.

Default setting: Administrators, Backup Operators, Power Users, and Users.

See also “Force shutdown from a remote system” in this table.

Synchronize directory service data (SeSynchAgentPrivilege)

Allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. This privilege is required to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.

Default setting: Not assigned. The privilege is relevant only on domain controllers.

Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

Default setting: Administrators.
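Because many command-line tools work with the string constants rather than the display names, the table above doubles as a baseline for auditing a machine's user-rights assignments. The following Python is an added example (not from the Resource Kit): it parses the [Privilege Rights] section of the INF file that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes, maps the well-known SIDs such exports contain to the group names used in Table B-2, and reports any holder of a selected high-impact privilege beyond that privilege's default setting. The INF text, the `svc_backup` account and the drift it shows are constructed for illustration; the default-holder sets are taken from Table B-2.

```python
"""Audit a secedit user-rights export against the Table B-2 default settings.

Added example, not part of the Resource Kit. Input is the [Privilege Rights]
section of the INF produced by:  secedit /export /cfg rights.inf /areas USER_RIGHTS
Exports list well-known principals as SIDs prefixed with '*' and other
accounts by name; both forms are normalised to names before comparison.
"""

# Well-known SIDs for the principals Table B-2 names as default holders.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-18": "System",
    "S-1-5-6": "Service",
    "S-1-5-4": "Interactive",
    "S-1-1-0": "Everyone",
}

# Default settings from Table B-2 for the privileges most worth watching.
# Local System holds several of these inherently and never appears in the export.
DEFAULTS = {
    "SeTcbPrivilege": set(),
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": {"Administrators"},
    "SeLoadDriverPrivilege": {"Administrators"},
    "SeTakeOwnershipPrivilege": {"Administrators"},
    "SeBackupPrivilege": {"Administrators", "Backup Operators"},
    "SeRestorePrivilege": {"Administrators", "Backup Operators"},
    "SeImpersonatePrivilege": {"Administrators", "Service"},
    "SeAssignPrimaryTokenPrivilege": {"Local Service", "Network Service"},
}

# Constructed export from a workstation where two privileges have drifted.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeLoadDriverPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_backup
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set(principal names)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = set()
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue                      # "SePriv =" means assigned to no one
            if item.startswith("*"):
                sid = item[1:]
                holders.add(SID_NAMES.get(sid, sid))   # unknown SIDs stay as SIDs
            else:
                holders.add(item)
        rights[name.strip()] = holders
    return rights


def find_extra_holders(rights, defaults=DEFAULTS):
    """Privileges whose holders go beyond their Table B-2 default setting."""
    findings = {}
    for priv, default in defaults.items():
        extra = rights.get(priv, set()) - default
        if extra:
            findings[priv] = extra
    return findings


if __name__ == "__main__":
    report = find_extra_holders(parse_privilege_rights(SAMPLE_INF))
    for priv, who in sorted(report.items()):
        print(f"{priv}: holders beyond default {sorted(who)}")
```

A privilege that is absent from the export, or present with an empty value, is treated as assigned to no one, which is the state Table B-2 calls “Not assigned”. Principals that the export lists by a SID not in the map are reported by SID, so a domain account that has been granted one of these privileges still shows up in the findings.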