Arnaud Loos

Categories

  • security

This is a list of all the User Rights Assignments available on a Windows network along with a brief description and default values. The definitions are taken from the Microsoft documentation.

Access Credential Manager as a trusted caller
The Access Credential Manager as a trusted caller policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service.
Do not modify this policy setting from the default.

Access this computer from the network
The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
On desktop devices or member servers, grant this right only to users and administrators.
On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators.
This setting includes the Everyone group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the Everyone group and use the Authenticated Users group instead.

Act as part of the operating system
The Act as part of the operating system policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right.
Do not assign this right to any user accounts; if it must be held by anything other than the operating system, grant it only to trusted accounts.
If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it.

Add workstations to domain
This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain.
Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain.
By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers.
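The "ten workstations" limit above is the domain's ms-DS-MachineAccountQuota attribute, which is what turns the Authenticated Users default into a real exposure: any domain account can create up to that many computer objects. The following script is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module and read access to the domain head object; it reads the quota, lists which principals have already joined machines through it (computers joined under the quota rather than by an account with explicit Create Computer Objects permission record the joiner's SID in mS-DS-CreatorSID), and prints the one-liner that closes the quota path.

```powershell
# Added example (not part of the original post). Assumes the RSAT ActiveDirectory
# module and read access to the domain head object; attribute names are standard schema.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = [int]$head.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

function ConvertTo-AccountName($RawSid) {
    # The AD module may hand the attribute back as a SecurityIdentifier or as raw bytes.
    $sid = if ($RawSid -is [byte[]]) {
        New-Object System.Security.Principal.SecurityIdentifier($RawSid, 0)
    } else {
        [System.Security.Principal.SecurityIdentifier]$RawSid
    }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# Computers joined under the quota (not by an account delegated Create Computer Objects)
# carry the joiner's SID in mS-DS-CreatorSID; group them by who joined them.
$viaQuota = Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties 'mS-DS-CreatorSID' |
    Group-Object { ConvertTo-AccountName $_.'mS-DS-CreatorSID' } |
    Sort-Object Count -Descending

$viaQuota | Format-Table @{ n = 'Joined by'; e = { $_.Name } },
                         Count,
                         @{ n = 'Computers (first 5)'; e = { ($_.Group.Name | Select-Object -First 5) -join ', ' } } -AutoSize

if ($quota -gt 0) {
    Write-Warning "Any authenticated user can still join $quota computers through the quota."
    Write-Warning "To close that path (explicit OU permissions are unaffected), run:"
    Write-Warning "  Set-ADObject -Identity '$($domain.DistinguishedName)' -Replace @{'ms-DS-MachineAccountQuota' = 0}"
}
```

Setting the quota to 0 and restricting the Add workstations to domain right on the Default Domain Controllers Policy to the IT team's group are complementary: the right controls who may use the quota, and the quota controls how many joins each of them gets. Accounts that have been delegated Create Computer Objects on an OU are unaffected by either.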

Adjust memory quotas for a process
This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
Restrict the Adjust memory quotas for a process user right to only users who require the ability to adjust memory quotas to perform their jobs.
If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account.
By default, members of the Administrators, Local Service, and Network Service groups have this right.

Allow log on locally
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
By default, the members of the following groups have this right on domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, Server Operators.

Allow log on through Remote Desktop Services
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. In older documentation this right is called Allow log on through Terminal Services.
By default, members of the Administrators and Remote Desktop Users groups have this right on workstations and member servers; on domain controllers only Administrators have it.

Back up files and directories
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API).
Default on domain controllers: Administrators, Backup Operators, Server Operators
Default on Workstations and Server: Administrators, Backup Operators

Bypass traverse checking
This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders.

Change the system time
This policy setting determines which users can adjust the time on the device’s internal clock.

Change the time zone
This policy setting determines which users can adjust the time zone that is used by the device for displaying the local time, which includes the device’s system time plus the time zone offset.

Create a pagefile
This policy setting determines which users can create and change the size of a page file.
By default, members of the Administrators group have this right.

Create a token object
This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources.
This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System.

Create global objects
This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.
A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access.
By default, members of the Administrators group have this right, as do the Local Service, Network Service, and Service accounts on the supported versions of Windows. Service is included for backward compatibility with earlier versions of Windows.

Create permanent shared objects
This user right determines which accounts can be used by processes to create a directory object by using the object manager. Directory objects include Active Directory objects, files and folders, printers, registry keys, processes, and threads. Users who have this capability can create permanent shared objects, including devices, semaphores, and mutexes.
By default, LocalSystem is the only account that has this right. Do not assign this right to any users.

Create symbolic links
This user right determines if users can create a symbolic link from the device they are logged on to.
A symbolic link is a file-system object that points to another file-system object.
By default, members of the Administrators group have this right.

Debug programs
This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components.
By default, members of the Administrators group have this right.

Deny access to this computer from the network
This security setting determines which users are prevented from accessing a device over the network.
By default, this setting is Guest on domain controllers and on stand-alone servers.

Deny log on as a batch job
This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task Scheduler.
Assigning Deny log on as a batch job to the personal accounts of administrators or operators prevents them from using those accounts to schedule tasks.

Deny log on as a service
This policy setting determines which users are prevented from logging on to the service applications on a device.
A service is an application type that runs in the system background without a user interface. It provides core operating system features, such as web serving, event logging, file serving, printing, cryptography, and error reporting.

Deny log on locally
This policy setting determines which users are prevented from logging on directly at the device’s console.

Deny log on through Remote Desktop Services
This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services.

Enable computer and user accounts to be trusted for delegation
This policy setting determines which users can set the Trusted for Delegation setting on a user or computer object. Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. Limit this assignment as it poses a security risk.
There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices.

Force shutdown from a remote system
This security setting determines which users are allowed to shut down a device from a remote location on the network.

Generate security audits
This policy setting determines which accounts can be used by a process to generate audit records in the security event log. The Local Security Authority Subsystem Service (LSASS) writes events to the log. You can use the information in the security event log to trace unauthorized device access.
By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers.

Impersonate a client after authentication
This policy setting determines which programs are allowed to impersonate a user or another specified account and act on behalf of the user. Impersonation is the ability of a thread to run in a security context that is different from the context of the process that owns the thread.
By default, this setting is Administrators, Local Service, Network Service, and Service on domain controllers and stand-alone servers.

Increase a process working set
This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM.
By default, members of the Users group have this right.

Increase scheduling priority
This policy setting determines which user accounts can increase the base priority class of a process. This user right is not required by administrative tools that are supplied with the operating system, but it might be required by software development tools.

Load and unload device drivers
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted.
By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers.

Lock pages in memory
This policy setting determines which accounts can use a process to keep data in physical memory, which prevents the computer from paging the data to virtual memory on a disk.
Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation.

Log on as a batch job
This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the Log on as a batch job user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user’s security context.
By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers.

Log on as a service
This policy setting determines which service accounts can register a process as a service.
By default this setting is Network Service on both domain controllers and stand-alone servers.

Manage auditing and security log
This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer.
By default this setting is Administrators on domain controllers and on stand-alone servers.

Modify an object label
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users.
By default this setting is Not defined on domain controllers and on stand-alone servers. Do not give any group this user right.

Modify firmware environment values
This security setting determines who can modify firmware environment values. Firmware environment values are settings that are stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.
By default this setting is Administrators on domain controllers and on stand-alone servers.

Perform volume maintenance tasks
This policy setting determines which users can perform volume or disk management tasks, such as defragmenting an existing volume, creating or removing volumes, and running the Disk Cleanup tool.
By default this setting is Administrators on domain controllers and on stand-alone servers.

Profile single process
This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI).
This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs.

Profile system performance
This security setting determines which users can use Windows performance monitoring tools to monitor the performance of system processes. By default this setting is Administrators on domain controllers and on stand-alone servers.

Remove computer from docking station
This security setting determines whether a user can undock a portable device from its docking station without logging on.

Replace a process level token
This policy setting determines which parent processes can replace the access token that is associated with a child process. Specifically, the Replace a process level token setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another.
By default this setting is Network Service and Local Service on domain controllers and on stand-alone servers.

Restore files and directories
This security setting determines which users can bypass file, directory, registry, and other persistent object permissions when they restore backed up files and directories, and it determines which users can set valid security principals as the owner of an object.
Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, so only assign this user right to trusted users.
By default, this right is granted to the Administrators, Backup Operators, and Server Operators groups on domain controllers, and to the Administrators and Backup Operators groups on stand-alone servers.

Shut down the system
This security setting determines if a user who is logged on locally to a device can shut down Windows.
By default this setting is Administrators, Backup Operators, Server Operators, and Print Operators on domain controllers, and Administrators and Backup Operators on stand-alone servers.

Synchronize directory service data
This policy setting determines which users and groups have authority to synchronize all directory service data, regardless of the protection for objects and properties. This privilege is required to use LDAP directory synchronization (dirsync) services. Domain controllers have this user right inherently because the synchronization process runs in the context of the System account on domain controllers.
Ensure that no accounts are assigned the Synchronize directory service data user right. Only domain controllers need this privilege, which they inherently have.

Take ownership of files or other objects
This policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object.
By default, members of the Administrators group have this right.
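The defaults listed above are only useful if they can be compared with what a machine actually has. The following script is an added example, not code from the original post: it exports the effective local user rights with the built-in secedit.exe, resolves the SIDs it writes back to account names, prints the holders of each right, and warns about any right the entries above say should hold no accounts at all (secedit omits rights with no holders, so their mere presence in the export is the finding). The mapping from privilege constants to display names is a subset chosen for illustration; constants not in it are shown by their raw name. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: export the effective local User Rights
# Assignments and list who holds each one. Requires an elevated prompt; secedit.exe
# ships with Windows. The name map below is a subset chosen for this example.
$FriendlyNames = @{
    'SeTrustedCredManAccessPrivilege' = 'Access Credential Manager as a trusted caller'
    'SeNetworkLogonRight'             = 'Access this computer from the network'
    'SeTcbPrivilege'                  = 'Act as part of the operating system'
    'SeMachineAccountPrivilege'       = 'Add workstations to domain'
    'SeBackupPrivilege'               = 'Back up files and directories'
    'SeCreateTokenPrivilege'          = 'Create a token object'
    'SeDebugPrivilege'                = 'Debug programs'
    'SeEnableDelegationPrivilege'     = 'Enable computer and user accounts to be trusted for delegation'
    'SeImpersonatePrivilege'          = 'Impersonate a client after authentication'
    'SeLoadDriverPrivilege'           = 'Load and unload device drivers'
    'SeAssignPrimaryTokenPrivilege'   = 'Replace a process level token'
    'SeRestorePrivilege'              = 'Restore files and directories'
    'SeSyncAgentPrivilege'            = 'Synchronize directory service data'
    'SeTakeOwnershipPrivilege'        = 'Take ownership of files or other objects'
}

# Rights the entries above say no account should hold. secedit only writes rights that
# have at least one holder, so any of these appearing in the export is a finding.
$ShouldBeEmpty = 'SeTrustedCredManAccessPrivilege', 'SeTcbPrivilege',
                 'SeCreateTokenPrivilege', 'SeSyncAgentPrivilege'

function Resolve-Holder([string]$Entry) {
    # secedit writes SIDs with a leading '*'; well-known names appear as plain text.
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Entry.Substring(1)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # orphaned SID (deleted account): keep it, it is worth reporting too
    }
}

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# The export is INI-style; only the [Privilege Rights] section matters here.
$inRights = $false
$rights = foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inRights -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $constant = $Matches[1]
    $holders  = @($Matches[2] -split ',' | ForEach-Object { Resolve-Holder $_ })
    $display  = $FriendlyNames[$constant]
    if (-not $display) { $display = $constant }
    [pscustomobject]@{ Constant = $constant; Right = $display; Holders = ($holders -join '; ') }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$rights | Sort-Object Right | Format-Table Right, Holders -AutoSize
$rights | Where-Object { $ShouldBeEmpty -contains $_.Constant } |
    ForEach-Object { Write-Warning "'$($_.Right)' should hold no accounts but is assigned to: $($_.Holders)" }
```

The export reflects the merged result of local policy and any Group Policy that applies to the machine, so running it on a domain controller shows the Default Domain Controllers Policy values and running it on a workstation shows what the workstation actually enforces. Unresolvable SIDs left in the output usually belong to deleted accounts and should be removed from the assignment rather than ignored.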