Setting user and group security
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In order to secure a computer and its resources, you must decide what tasks and actions users or groups of users can perform. The tasks and actions that a user or group of users can perform are determined by the user rights that you assign to them. For example, if a trusted member of the Users group needed to monitor the security log, you could grant the user the "Manage auditing and security log" user right instead of adding the user to a more privileged group, such as the Administrators group. Similarly, you can secure an object, such as a file or folder, by assigning permissions.
Some of the most common tasks are assigning user rights on your local computer, assigning user rights throughout your organization, and setting file and folder permissions. For more information about other tasks for setting user and group security, see Access Control How To....
To assign user rights on your local computer
1. Open Local Security Settings.
2. In the console tree, click User Rights Assignment.
   Where?
   - Security Settings/Local Policies/User Rights Assignment
3. In the details pane, double-click the user right that you want to modify.
4. Do one of the following, and then click OK.
   - To add a user or group, click Add a User or Group. In Select Users or Groups, type the user name or group name that you want to add, and then click OK.
   - To remove a user or group, select the user or group in the list, and then click Remove.
Notes
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
To assign user rights throughout your organization
1. Open Active Directory Users and Computers.
2. In the console tree, right-click the Group Policy object for which you want to edit security settings.
3. Click Properties, and then click the Group Policy tab.
4. Click Edit to open the Group Policy object you want to edit. Or, click New to create a new Group Policy object, and then click Edit.
5. In the console tree, click User Rights Assignment.
   Where?
   - GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment
6. In the details pane, double-click the user right that you want to modify.
7. If this security setting has not yet been defined, select the Define these policy settings check box.
8. Do one of the following, and then click OK.
   - To add a user or group, click Add a User or Group. In Select Users or Groups, type the user name or group name that you want to add, and then click OK.
   - To remove a user or group, select the user or group in the list, and then click Remove.
Notes
- To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
- To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
- If you are on a server or workstation joined to the domain, you can open Active Directory Users and Computers if you click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, click Add, double-click Active Directory Users and Computers, click Close, and then click OK.
- Always test a newly created policy on a test organizational unit before applying it to your network.
- When you change a security setting and click OK, that setting will take effect in the next refresh of settings.
- The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
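To check the outcome of either user rights procedure above, the following added example (not part of the original documentation) exports the User Rights Assignment area with secedit and lists the accounts that hold one right. It assumes Windows PowerShell 2.0 or later in a session running as an administrator; the function name Get-UserRightHolder is hypothetical, and SeSecurityPrivilege is the constant name of the "Manage auditing and security log" right.

```powershell
# Added example: list the accounts that hold one user right on this computer.
# Assumes Windows PowerShell 2.0+ and an administrator session.
function Get-UserRightHolder {
    param(
        # Constant name of the right, as written in the secedit export.
        [string]$Right = 'SeSecurityPrivilege',
        # Export merged domain and local policy instead of local policy only.
        [switch]$MergedPolicy
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    $seceditArgs = @('/export', '/areas', 'USER_RIGHTS', '/cfg', $cfg, '/quiet')
    if ($MergedPolicy) { $seceditArgs += '/mergedpolicy' }

    try {
        & secedit.exe $seceditArgs | Out-Null
        if (-not (Test-Path $cfg)) {
            throw 'secedit produced no export; run this from an administrator session.'
        }

        # Export lines look like: SeSecurityPrivilege = *S-1-5-32-544,DOMAIN\user
        $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
        $line = Get-Content $cfg | Where-Object { $_ -match $pattern } |
                Select-Object -First 1
        if (-not $line) { return }   # the right is not assigned to anyone

        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                # "*S-1-..." is a SID; translate it to an account name if possible.
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = "$entry (unresolved SID)" }
            }
            New-Object PSObject -Property @{ Right = $Right; Account = $name }
        }
    }
    finally {
        # The export describes security policy; do not leave it in TEMP.
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder -Right 'SeSecurityPrivilege' | Select-Object Right, Account
```

An account that appears here without being named in the policy you edited, or a SID that no longer resolves, is worth reviewing before the next settings refresh.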
To set, view, change, or remove permissions on files and folders
1. Open Windows Explorer.
2. Right-click the file or folder for which you want to set permissions, click Properties, and then click the Security tab.
3. Do one of the following:
   - To set permissions for a group or user that does not appear in the Group or user names box, click Add. Type the name of the group or user for which you want to set permissions, and then click OK.
   - To change or remove permissions from an existing group or user, click the name of the group or user.
4. Do one of the following:
   - To allow or deny a permission, in the Permissions for User or Group box, select the Allow or Deny check box.
   - To remove the group or user from the Group or user names box, click Remove.
Notes
- To open Windows Explorer, click Start, point to All programs, point to Accessories, and then click Windows Explorer.
- In the Windows Server 2003 family, the Everyone group no longer includes Anonymous Logon.
- You can set file and folder permissions only on drives formatted to use NTFS.
- If the check boxes under Permissions for User or Group are shaded or if the Remove button is unavailable, then the file or folder has inherited permissions from the parent folder. For more information, see How inheritance affects file and folder permissions.
- When adding a new user or group, by default, this user or group will have Read & Execute, List Folder Contents, and Read permissions.
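The Security tab shows one object at a time. The following added example (not part of the original documentation) walks a folder tree and reports the entries that were set directly rather than inherited, plus every Deny entry, which is where the results of the procedure above end up. It assumes Windows PowerShell 2.0 or later; the function name Get-ExplicitAce and the path C:\Shares\Finance are hypothetical.

```powershell
# Added example: find explicit (non-inherited) and Deny permission entries
# under a folder. Assumes Windows PowerShell 2.0+ and an NTFS volume.
function Get-ExplicitAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # The starting folder plus every subfolder beneath it.
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Recurse |
                 Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName

        foreach ($ace in $acl.Access) {
            # Inherited Allow entries are the shaded check boxes on the
            # Security tab; they are managed on the parent, so skip them.
            if ($ace.IsInherited -and $ace.AccessControlType -eq 'Allow') {
                continue
            }

            New-Object PSObject -Property @{
                Path               = $folder.FullName
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType   # Allow or Deny
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited
                # True when this folder no longer inherits from its parent.
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Constructed sample path; replace with the folder you want to review.
Get-ExplicitAce -Path 'C:\Shares\Finance' |
    Select-Object Path, Identity, Type, Rights, Inherited, InheritanceBlocked |
    Format-Table -AutoSize
```

Rows for broad groups such as Everyone or Users, and folders where InheritanceBlocked is True, are the ones to compare against the access you intended to grant.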