Privileges

To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.

The following table lists and describes the privileges that can be granted to a user.

Privilege / Description

Act as part of the operating system

Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Default setting: No one

Add workstations to a domain

Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of the Default Domain Controllers Policy for the domain. A user who has this privilege can add up to 10 workstations to the domain.

Users can also be allowed to join a computer to a domain by giving them Create Computer Objects permission for an organizational unit or for the Computers container in Active Directory. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain, regardless of whether they have been assigned the Add workstations to a domain privilege.

Default setting: No one

Adjust memory quotas for a process

Determines which accounts can use a process with Write Property access to another process to increase the processor quota assigned to the other process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default setting: Administrators

Back up files and directories

Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.

Default setting: Administrators and Backup Operators.

Bypass traverse checking

Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.

Default setting: Administrators, Backup Operators, Power Users, Users, and Everyone on member servers and workstations. On domain controllers, it is assigned to Administrators, Authenticated Users, and Everyone.

Change the system time

Allows the user to set the time for the internal clock of the computer.

Default setting: Administrators, Power Users, LocalService, and NetworkService on member servers and workstations. On domain controllers, it is assigned to Administrators, Server Operators, LocalService, and NetworkService.

Create a token object

Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.

It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Default setting: No one

Create a pagefile

Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties.

Default setting: Administrators

Create permanent shared objects

Allows a process to create a directory object in the Windows XP Professional object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

Default setting: No one

Debug programs

Allows the user to attach a debugger to any process. This privilege provides powerful access to sensitive and critical operating system components.

Default setting: Administrators

Enable computer and user accounts to be trusted for delegation

Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object. Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, both client and server must be running under accounts that are trusted for delegation. Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources.

Default setting: This privilege is not assigned to anyone on member servers and workstations, as it has no meaning in those contexts. On domain controllers, it is assigned by default to Administrators.

Force shutdown from a remote system

Allows a user to shut down a computer from a remote location on the network. See also the Shut Down the System privilege.

Default setting: Administrators on member servers and workstations. On domain controllers, it is assigned to Administrators and Server Operators.

Generate security audits

Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. See also the privilege Manage auditing and security log.

Default setting: LocalService and NetworkService.

Increase scheduling priority

Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in Task Manager.

Default setting: Administrators

Load and unload device drivers

Allows a user to install and uninstall Plug and Play device drivers. This privilege does not affect the ability to install drivers for devices that are not Plug and Play. Drivers for non-Plug and Play devices can be installed only by Administrators.

Default setting: Administrators. It is recommended that you not assign this privilege to any other user. Device drivers run as trusted (or highly privileged) programs. A user who has the Load and Unload Device Drivers privilege could unintentionally misuse it by installing malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signatures.

Lock pages in memory

Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance.

Default setting: Not assigned to anyone. Certain system processes have the privilege inherently.

Manage auditing and security log

Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer.

Default setting: Administrators

Modify firmware environment values

Allows modification of system environment variables either by a process through an API or by a user through System Properties.

Default setting: Administrators

Profile a single process

Allows a user to run Windows XP Professional performance-monitoring tools to monitor the performance of nonsystem processes.

Default setting: Administrators and Power Users on member servers and workstations. On domain controllers, it is assigned only to Administrators.

Profile system performance

Allows a user to run performance-monitoring tools to monitor the performance of system processes.

Default setting: Administrators

Remove computer from docking station

Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.

Default setting: Administrators, Power Users, and Users.

Replace a process level token

Determines which user accounts can initiate a process to replace the default token associated with a started subprocess.

This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.

Default setting: Local Service and Network Service.

Restore files and directories

Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. See also the Back up files and directories privilege.

Default setting: Administrators and Backup Operators.

Shut down the system

Allows a user to shut down the local computer.

Default setting: Administrators, Backup Operators, Power Users, and Users on workstations. On member servers, it is assigned to Administrators, Power Users, and Backup Operators. On domain controllers, it is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

Synchronize directory service data

Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers.

Default setting: No one

Take ownership of files or other objects

Allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

Default setting: Administrators

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case, the right to perform a backup, takes precedence over all file and directory permissions.
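The following added example (not part of the original documentation) compares an exported User Rights Assignment with the default settings listed in the table above and reports every holder that goes beyond them. It assumes the `[Privilege Rights]` section layout written by `secedit /export`, uses the Windows `Se*` constant names for the privileges, and runs on a constructed sample export.

```python
ADMINS, BACKUP_OPS = "S-1-5-32-544", "S-1-5-32-551"  # well-known built-in group SIDs

# Default holders from the table above, keyed by the Windows Se* constant for each
# privilege (the constants are not on the page). An empty set means "No one".
PAGE_DEFAULTS = {
    "SeTcbPrivilege": set(),               # Act as part of the operating system
    "SeCreateTokenPrivilege": set(),       # Create a token object
    "SeLockMemoryPrivilege": set(),        # Lock pages in memory
    "SeDebugPrivilege": {ADMINS},          # Debug programs
    "SeLoadDriverPrivilege": {ADMINS},     # Load and unload device drivers
    "SeTakeOwnershipPrivilege": {ADMINS},  # Take ownership of files or other objects
    "SeSecurityPrivilege": {ADMINS},       # Manage auditing and security log
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},   # Back up files and directories
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},  # Restore files and directories
}

# Constructed sample in the secedit export layout; the account SID and the
# service account name are made up. Real exports are UTF-16 encoded files.
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = svc_legacy
[Version]
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; account names may appear without it.
            rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights

def audit(inf_text):
    """List (privilege, holder) pairs that go beyond the page's default setting."""
    rights = parse_privilege_rights(inf_text)
    return [(priv, holder) for priv, allowed in sorted(PAGE_DEFAULTS.items())
            for holder in sorted(rights.get(priv, set()) - allowed)]

if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

A privilege missing from the export is treated as assigned to no one, so only explicit extra assignments are reported.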
