USER ACCOUNTS CHAPTER 3

PAGE 54 OF 118
User rights
User rights grant specific privileges and logon rights to users and groups in your computing
environment and are different to permissions. The best way to look at the two(2) is: -
User Rights Are applied to the users or group account
Permissions Are attached to objects (Permissions will be looked at in detail in chapter 10 of
this book)
Administrators are able to assign specific rights to group and or individual user accounts. Once
these rights have been assigned they will provide authorization rights to a user, allowing them to
perform specific actions depending on the rights assigned.
It is recommended that User rights be applied to group accounts more so than user accounts. The
reasoning for this is that: -
It ensures that when a user logs on as a group member they automatically inherit the rights
associated with that group.
An Administrators work load is simplified by assigning user rights to groups rather than to an
individual user. This occurs due to the Administrator only having to assign user rights the once
on the group account and not on each user account. This practice also prevents the
occurrences of errors, which occur during repetitive entry of information.
Should you have a case where a user is a member of several groups, their user rights would just
accumulate and give them multiple sets of rights still allowing to be able to complete the actions
they require and have right to complete. In the case where the Administrator needs to change the
user rights of a user, the Administrator only needs to remove the user from the original group and
add them to the group that contains their required rights. Should a group not exist with these rights
the Administrator is able to create one.
Privileges
Privileges are rights given to a user that allows them to perform a specific task. Normally these
tasks will effect the whole system so therefore you should always be very careful in issuing
these privileges. It is also strongly recommended that when these privileges are issued they
should become part of your documentation for future reference.
Privileges should be treated the same way as user rights and assigned to group accounts and
not to user accounts. On the next page is a table that describes the privileges that are able
to be granted to a user.
CHAPTER 3 USER ACCOUNTS
PAGE 55 OF 118
TABLE 3.4. Privileges and their descriptions
1
Privilege Description
Act as part of
the operating
system
Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only
low-level authentication services should require this privilege. Note that potential access is not limited
to what is associated with the user by default; the calling process might request that arbitrary additional
privileges be added to the access token. The calling process might also build an access token that does
not provide a primary identity for tracking events in the audit log.
Processes that require this privilege should use the LocalSystem account, which already includes this
privilege, rather than using a separate user account with this privilege specially assigned.
Default setting: No one
Add
workstations to
a domain
Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be
assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has
this privilege can add up to 10 workstations to the domain.
Users can also be allowed to join a computer to a domain by giving them Create Computer Objects
permission for an organizational unit or for the Computers container in Active Directory. Users who
have the Create Computer Objects permission can add an unlimited number of computers to the
domain, regardless of whether they have been assigned the Add workstations to a domain privilege.
Default setting: No one
Adjust memory
quotas for a
process
Determines which accounts can use a process with Write Property access to another process to increase
the processor quota assigned to the other process.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local
security policy of workstations and servers.
Default setting: Administrators
Back up files
and directories
Allows the user to circumvent file and directory permissions to back up the system. The privilege is
selected only when an application attempts access through the NTFS backup application programming
interface (API). Otherwise, normal file and directory permissions apply.
Default setting: Administrators and Backup Operators.
Bypass traverse
checking
Allows the user to pass through folders to which the user otherwise has no access while navigating an
object path in the NTFS file system or in the registry. This privilege does not allow the user to list the
contents of a folder; it allows the user only to traverse its directories.
Default setting: Administrators, Backup Operators, Power Users, Users, and Everyone on member
servers and workstations. On domain controllers, it is assigned to Administrators, Authenticated Users,
and Everyone.
Change the
system time
Allows the user to set the time for the internal clock of the computer.
Default setting: Administrators, Power Users, LocalService, and NetworkService on member servers
and workstations. On domain controllers, it is assigned to Administrators, Server Operators,
LocalService, and NetworkService.
Create a token
object
Allows a process to create a token which it can then use to get access to any local resources when the
process uses NtCreateToken() or other token-creation APIs.
It is recommended that processes requiring this privilege use the LocalSystem account, which already
includes this privilege, rather than using a separate user account with this privilege specially assigned
Default setting: No one
Create a pagefile Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size
for a particular drive under Performance Options on the Advanced tab of System Properties.
Default setting: Administrators
Create
permanent
shared objects
Allows a process to create a directory object in the Windows XP Professional object manager. This
privilege is useful to kernel-mode components that extend the object namespace. Components that are
running in kernel mode already have this privilege inherently; it is not necessary to assign them the
privilege.
Default setting: No one
Debug programs Allows the user to attach a debugger to any process. This privilege provides powerful access to
sensitive and critical operating system components.
Default setting: Administrators
Enable
computer and
Allows the user to change the Trusted for Delegation setting on a user or computer object in Active
Directory. The user or computer that is granted this privilege must also have write access to the account
1
Table taken from Windows XP professional help files
USER ACCOUNTS CHAPTER 3
PAGE 56 OF 118
user accounts to
be trusted for
delegation
control flags on the object. Delegation of authentication is a capability that is used by multi-tier
client/server applications. It allows a front-end service to use the credentials of a client in authenticating
to a back-end service. For this to be possible, both client and server must be running under accounts
that are trusted for delegation. Misuse of this privilege or the Trusted for Delegation settings can make
the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which
impersonate incoming clients and use their credentials to gain access to network resources.
Default setting: This privilege is not assigned to anyone on member servers and workstations, as it has
no meaning in those contexts. On domain controllers, it is assigned by default to Administrators.
Force shutdown
from a remote
system
Allows a user to shut down a computer from a remote location on the network. See also the Shut Down
the System privilege.
Default setting: Administrators on member servers and workstations. On domain controllers, it is
assigned to Adminstrators and Server Operators.
Generate
security audits
Allows a process to generate entries in the security log. The security log is used to trace unauthorized
system access. See also the privilege Manage auditing and security log.
Default setting: LocalService and NetworkService.
Increase
scheduling
priority
Allows a process that has Write Property access to another process to increase the execution priority of
the other process. A user with this privilege can change the scheduling priority of a process in Task
Manager.
Default setting: Administrators
Load and unload
device drivers
Allows a user to install and uninstall Plug and Play device drivers. This privilege does not affect the
ability to install drivers for devices that are not Plug and Play. Drivers for non-Plug and Play devices
can be installed only by Administrators.
Default setting: Administrators. It is recommended that you not assign this privilege to any other user.
Device drivers run as trusted (or highly privileged) programs. A user who has the Load and Unload
Device Drivers privilege could unintentionally misuse it by installing malicious code masquerading as
a device driver. It is assumed that administrators will exercise greater care and install only drivers with
verified digital signatures
Lock pages in
memory
Allows a process to keep data in physical memory, which prevents the system from paging the data to
virtual memory on disk. Assigning this privilege can result in significant degradation of system
performance.
Default setting: Not assigned to anyone. Certain system processes have the privilege inherently.
Manage auditing
and security log
Allows a user to specify object access auditing options for individual resources such as files, Active
Directory objects, and registry keys. Object access auditing is not actually performed unless you have
enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also
can view and clear the security log from Event Viewer.
A user with this privilege can also view and clear the security log from the Event Viewer.
Default setting: Administrators
Modify
firmware
environment
values
Allows modification of system environment variables either by a process through an API or by a user
through System Properties.
Default setting: Administrators
Profile a single
process
Allows a user to run Windows XP Professional performance-monitoring tools to monitor the
performance of nonsystem processes.
Default setting: Administrators and Power Users on member servers and workstations. On domain
controllers, it is assigned only to Administrators
Profile system
performance
Allows a user to run performance-monitoring tools to monitor the performance of system processes.
Default setting: Administrators
Remove
computer from
docking station
Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
Default setting: Administrators, Power Users, and Users.
Relace a process
level token
Determines which user accounts can initiate a process to replace the default token associated with a
started subprocess.
This user right is defined in the Default Domain Controller Group Policy object and in the local
security policy of workstations and servers.
Default setting: Local Service and Network Service.
Restore files and
directories
Allows a user to circumvent file and directory permissions when restoring backed-up files and
directories and to set any valid security principal as the owner of an object. See also the Back up files
and directories privilege.
CHAPTER 3 USER ACCOUNTS
PAGE 57 OF 118
Default setting: Administrators and Backup Operators.
Shut down the
system
Allows a user to shut down the local computer.
Default setting: Administrators, Backup Operators, Power Users, and Users on workstations. On
member servers, it is assigned to Administrators, Power Users, and Backup Operators. On domain
controllers, it is assigned to Administrators, Account Operators, Backup Operators, Print Operators,
and Server Operators.
Synchronize
directory service
data
Allows a process to provide directory synchronization services. This privilege is relevant only on
domain controllers.
Default setting: No one
Take ownership
of files or other
objects
Allows a user to take ownership of any securable object in the system, including Active Directory
objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
Default setting: Administrators
Some privileges will override some permissions which have been set on an object. One of the
most common instances of this happening is when you have a user that is a member of the
backup operators and a user that has denied access to all users and groups to their
documents. The privileges take precedence over the users assigned permissions.
Logon rights
TABLE 3.5. Logon Rights and their descriptions (These Logon Rights refer to Windows XP and Windows
2003 Server Family)
2
Logon Right Description
Access this
computer from
a network
Allows a user to connect to the computer over the network and determines which users and groups are
allowed to connect to the computer over the network. Terminal Services are not affected by this user
right.
Default: On workstations and servers:
Administrators
Backup Operators
Power Users
Users
Everyone
On domain controllers:
Administrators
Authenticated Users
Everyone
Allow log on
locally
This determines which users can interactively log on to this computer. Logons initiated by pressing
CTRL+ALT+DEL on the attached keyboard requires the user to have this logon right. Additionally this
logon right may be required by some service or administrative applications that can log on users. If you
define this policy for a user or group, you must also give the Administrators group this right.
Default: On workstations and servers:
Administrators,
Backup Operators,
Power Users,
Users, and
Guest.
On domain controllers:
Account Operators,
Administrators,
2
Table taken from Windows 2003 Server help files
USER ACCOUNTS CHAPTER 3
PAGE 58 OF 118
Backup Operators,
Print Operators, and
Server Operators.
Allow logon
through
terminal
services
This security setting determines which users or groups have permission to log on as a Terminal
Services Client.
Default: On workstation and servers:
Administrators,
Remote Desktop Users.
On domain controllers:
Administrators.
Deny access to
this computer
from network
This security setting determines which users are prevented from accessing a computer over the
network. This policy setting supersedes the Access this computer from the network policy setting if a
user account is subject to both policies.
Default: No one.
Deny log on as
a batch job
This security setting determines which accounts are prevented from being able to log on as a batch job.
This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to
both policies.
Default: None.
Deny logon as a
service
This security setting determines which service accounts are prevented from registering a process as a
service. This policy setting supersedes the Log on as a service policy setting if an account is subject to
both policies.
**Note
This security setting does not apply to the System, Local Service, or Network
Service accounts.
Default: None.
Deny log on
locally
This security setting determines which users are prevented from logging on at the computer. This
policy setting supersedes the Allow log on locally policy setting if an account is subject to both
policies.
**Important
If you apply this security policy to the Everyone group, no one will be able to log
on locally.
Default: None.
Deny log on
through
Terminal
Services
This security setting determines which users and groups are prohibited from logging on as a Terminal
Services client.
Default: None
Log on as a
batch job
This security setting allows a user to be logged on by means of a batch-queue facility.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that
user on as a batch user rather than as an interactive user.
**Note
In Windows 2000 Server, Windows 2000 Professional, Windows Server 2003 and
Windows XP Professional, the Task Scheduler automatically grants this right as
necessary.
Default: Local System.
Log on as a
service.
This security setting determines which service accounts can register a process as a service.
Default: None
CHAPTER 3 USER ACCOUNTS
PAGE 59 OF 118
User Access Notification
Once a Users account has been created or modified the user should be notified. This can be
done by several means.
In a small business
User could be notified verbally by the phone or in person
Better still the user could be notified in writing showing their login ID and password only
if it is to be change at next use. It should be mentioned that the letter should be
shredded for added security
In a medium to large business
The user should be notified in writing showing their login ID and password only if it is to
be change at next use. It should be mentioned that the letter should be shredded for
added security. This can be delivered by several means yet it is safest to use a
confidential envelop in all cases.
Internal Mail
Hand delivery to user
Hand delivery via Manager.
User Accounts and Security Access Documentation For The Client
On completion of an implementation or major security change, the client should be supplied with
a report containing the relevant information regarding, the User accounts list and their security
access levels for sign off. The information that should be included in this report is as follows: -
A copy of the flowchart created at the beginning of this chapter (See Figure 2.3)
Departments and their Security Access permissions
Users and their Security Access permissions
User Accounts and Security Access Documentation For Auditing Purposes
On completion of an implementation or security changes, the system administrator should
document all user information and security access permissions. This documentation can be
recorded in a spreadsheet, database or third party software application.
USER ACCOUNTS CHAPTER 3
PAGE 60 OF 118
Groups
It is easier in the long run to create your departments/section groups first. This allows the users
to be added to their correct group at the time of user creation.
Before creating groups we need to understand what groups are and how they operate.
Groups are used to like containers; they hold a group of users together and allow the
administrator to manage their access permissions as a group instead of individuals. This is a
great tool for the administrator saving them time in accounts management.
For example: a user is transferred from one area to another due to a promotion. The
users new area has very different access permissions and restrictions. Instead of have to
spend considerable time converting all the access permissions and restrictions, you can
transfer them for one group to another and as the group has the access permissions
and restrictions attached to it the user will inherit the groups access permissions and
restrictions.
Group Types
When Windows 2003 is install it automatically creates several built-in groups. These
groups are divided into two types
Security Groups
Security groups deal with the operational side of the operating system and the
network, such as user management etc.
Distribution Groups
Distribution groups are used by system applications that are not security
orientated.
Group Scopes
The two groups that the groups are sorted into are divided into three scopes.
Global Groups
Global groups normally contain users from a related area either geographically of
work related.
Contains users from the same domain that the global group was created
in.
Provides access permissions and restriction to resources in any domain on
the domain, tree or forest.
Once Active Directory is installed, several built-in global groups: -
Cert Publishers: Members of this group have the right to publish certificates
for users and computers.
DnsUpdateProxy: Members of this group have the right to perform dynamic
updates on behalf of other clients.
Domain Admins: Members of this group have full control throughout the
domain.
CHAPTER 3 USER ACCOUNTS
PAGE 61 OF 118
Domain Computers: All computers and servers added to the domain
become a member of this group.
Domain Controllers: All domain controllers within the domain are members
of this group.
Domain Guests: All domain guests are members of this group.
Domain Users: All user accounts created become a member of the
Domain Users group.
Enterprise Admin: Members of this group have full control to all domains
within the forest.
Group Policy Creator Owner: Members of this group have the right to
modify group policies within the domain.
Schema Admins: Members of this group have the right to modify the
Schema.
Domain Local Groups
Domain local groups are used by system applications that are not security
orientated.
Contains users from any domain
Provides access permissions and restriction to resources in the same
domain that the domain local group was created on.
The default domain local groups within the Built-in container are described below.
Account Operators: Members of the account operators group can create,
modify, and delete user, group and computer accounts with the
exception of those accounts located within the Built-in folder and the
Domain Controllers OU.
Administrators: Members of this group have full control within the domain.
Backup Operators: Members of this group can backup and restore data
on all domain controllers within the domain.
Guests: Members of this group have limited access to the network.
Incoming Forest Trust Builders: Members of this group have the right to
create one-way incoming trusts to the domain.
Network Configuration Operators: Members of this group can make
changes to TCP/IP settings on all domain controllers within the domain.
Performance Log Users: Members of this group have access to schedule
logging of performance counters on all domain controllers within the
domain.
Performance Monitor Users: Members of this group have the right to
monitor domain controllers.
Pre-Windows Compatible Access: This group if for backwards compatibility
with Windows NT 4.0. Members of this group have read access on all user
and group accounts within the domain.
USER ACCOUNTS CHAPTER 3
PAGE 62 OF 118
Print Operators: Members are permitted to administer all domain printers.
Remote Desktop Users: Members have the right to remotely logon to
domain controllers.
Replicator: This group is used by the file replication service to support
directory replication.
Server Operators: Members of this group have the right to administer
servers within the domain. They can perform tasks such as backup and
restore data, log on locally, stop and start network services, format hard
drives, and shut down the system.
Users: Members of this group have limited ability within a domain.

Universal Groups
Universal groups are used to assign permissions and restrictions to resources in all
domains on the network.
Contains users from any domain
Provides access permissions and restriction to resources in any domain.
Creating Groups
Creating new groups is very similar to the process you have learnt to create a new user
account. To do this you need to select and click on the create group icon or name this
can be done in two different procedures the choice is yours.
Procedure 1
1. Select Action in the menu bar
2. Select New from the Action drop down list
3. Finally click Group from the New dropdown list
FIGURE 3.22. CREATE A NEW GROUP PROCEDURE 1