Security Settings – User Rights

Local Policies – User Rights Assignments

The first thing that you notice is just how many User Rights that Windows Server 2003 provides.  Consequently, there is something for every aspect of security in this folder.

A classic ‘vanilla’ installation of Active Directory will function adequately without you having to change any of these settings.  The reason why you may never have to configure this section, is because many of these user rights are bestowed on people through membership of the appropriate group.  For instance, place people who need to backup files in the backup operator’s group.  One company foolishly created a TechAdmin group and spent ages adding important rights, not realizing that there was already a built-in Administrators group which did the same job!

Group Policy Topics

User Configuration

    Windows Settings

      Local PoliciesGroup Policy - User Rights assignments

           Audit Policy

     User Rights Assignments

What then is the benefit of these settings?  I would divide User Rights into three categories:

1) Rights for special accounts, example, the SQL Agent needs to Log on as a service.

2) Prevention of users getting into mischief, for example, ‘Deny shutdown system’ for a Terminal Server.

3) Specialist rights for one off situations, example allow roll-out team Add Workstations to domain.  (But not make them full administrators)

* Guy’s Top Three User Rights Policies


Rights for special accounts

When you create service accounts you may wish to fine tune their capabilities.  Such accounts are used by SQL and older versions of Exchange.  The danger is that because service accounts are not allowed to change their password, they are a magnet for hackers to attack.  More often than not, these service accounts have traditional names like SQLAdmin, so hackers guess their names, crack their password and breach the system.  Your last line of defence is to give these accounts only specific rights, not full administrative control.

Rights that fall into this special category are: Logon as a batch job, Logon as a service, Enable Computer Accounts to be trusted, Increase Scheduling Priority and possibly, Lock pages in memory.

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

Prevent users getting into mischief

  • Deny logon through terminal services.
  • Disable, Shut Down System, so that ordinary users cannot power off the very Terminal Server that provides desktops for them and their colleagues.
  • Disable Restore Files and Folders, so backup operators cannot sneakily restore the HR database.  My point is that if you had to restore files, most likely you would call upon a top administrator, not a humble backup operator.

Specialist Rights for one off situations.

  • Add Workstations to the Domain.  Better to give the roll-out engineers limited rights rather than making them full administrators.  By default users have the right to add 10 workstations to the domain without any extra rights.
  • Allow right to logon locally.  When you only have a DC available to try out newly created user, you need to give those accounts this rights.  However you could make the test accounts backup operators who do have the right to logon locally.
  • Modify firmware.  Possible scenario, you have an outsource team who need to upgrade the hardware.

Group Policy ebook Windows 2003Download my ‘Master Group Policies’ ebook only $6.25

The extra features you get in your eBook include: Spreadsheet with over 850 policies.  Printer friendly version over Word A4 pages in Word.

See more security Group Policies

Group Policies   •Troubleshooting Group Policies   • Group Policy Tactics

   •Group Policy Security   • Audit Logon Events   •Security Event Log   •Security Options

Security System Services   • Security System  •Security User Rights   •Security Software

If you like this page then please share it with your friends