Group Policy Settings - Local Policies - User Rights Assignment

  • Access this computer from the network

    This user right determines which users and groups are allowed to connect to the computer over the network. Terminal Services are not affected by this user right.

    Default on workstations and servers:
    Administrators
    Backup Operators
    Users
    Everyone

    Default on domain controllers:
    Administrators
    Authenticated Users
    Enterprise Domain Controllers
    Everyone
    Pre-Windows 2000 Compatible Access

  • Access Credential Manager as a trusted caller

    This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.

  • Act as part of the operating system

    This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

    Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

    Caution

    Assigning this user right can be a security risk. Only assign this user right to trusted users.

    Default: None.

  • Add workstations to domain

    This security setting determines which groups or users can add workstations to a domain.

    This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

    Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

    Default: Authenticated Users on domain controllers.

    Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

  • Adjust memory quotas for a process

    This privilege determines who can change the maximum memory that can be consumed by a process.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Note: This privilege is useful for system tuning, but it can be misused, for example, in a denial-of-service attack.

    Default:
    Administrators
    Local Service
    Network Service

  • Allow log on locally

    This logon right determines which users can interactively log on to this computer. Logons initiated by pressing the CTRL+ALT+DEL sequence on the attached keyboard require the user to have this logon right. Additionally, this logon right may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must also give the Administrators group this right.

    Default on workstations and servers:
    Administrators
    Backup Operators
    Users

    Default on domain controllers:
    Account Operators
    Administrators
    Backup Operators
    Print Operators
    Server Operators

  • Allow log on through Terminal Services

    This security setting determines which users or groups have permission to log on as a Terminal Services client.

    Default:

    On workstations and servers: Administrators, Remote Desktop Users.
    On domain controllers: Administrators.

    Important

    This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.

  • Back up files and directories

    This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

    Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions

    Caution

    Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.

    Default on workstations and servers:
    Administrators
    Backup Operators

    Default on domain controllers:
    Administrators
    Backup Operators
    Server Operators

  • Bypass traverse checking

    This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Default on workstations and servers:
    Administrators
    Backup Operators
    Users
    Everyone
    Local Service
    Network Service

    Default on domain controllers:
    Administrators
    Authenticated Users
    Everyone
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access

  • Change the system time

    This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Default on workstations and servers:
    Administrators
    Local Service

    Default on domain controllers:
    Administrators
    Server Operators
    Local Service

  • Change the Time Zone

    This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of the workstations and servers.

    Default: Administrators, Users

  • Create a pagefile

    This user right determines which users and groups can call an internal application programming interface (API) to create a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users.

    For information about how to specify a paging file size for a given drive, see To change the size of the virtual memory paging file.

    Default: Administrators.

  • Create a token object

    This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.

    This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System.

    Caution

    Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

    Default: None

  • Create global objects

    This user right is required for a user account to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right.

    Caution

    Assigning this user right can be a security risk. Assign this user right only to trusted users.

    Default:

    Administrators
    Local Service
    Network Service
    Service

  • Create permanent shared objects

    This user right determines which accounts can be used by processes to create a directory object using the object manager.

    This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.

    Default: None.

  • Create Symbolic Links

    This privilege determines if the user can create a symbolic link from the computer they are logged on to.

    Default: Administrators

    WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

    Note

    This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type "fsutil behavior set symlinkevaluation /?" at the command line to get more information about fsutil and symbolic links.

  • Debug programs

    This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

    Caution

    Assigning this user right can be a security risk. Only assign this user right to trusted users.

    Default: Administrators

  • Deny access to this computer from the network

    This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

    Default: None.

  • Deny log on as a batch job

    This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

    Default: None.

  • Deny log on as a service

    This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

    Note: This security setting does not apply to the System, Local Service, or Network Service accounts.

    Default: None.

  • Deny log on locally

    This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

    Important

    If you apply this security policy to the Everyone group, no one will be able to log on locally.

    Default: None.

  • Deny log on through Terminal Services

    This security setting determines which users and groups are prohibited from logging on as a Terminal Services client.

    Default: None.

    Important

    This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.

  • Enable computer and user accounts to be trusted for delegation

    This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.

    The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Caution

    Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

    Default: Administrators on domain controllers.

  • Force shutdown from a remote system

    This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Default:

    On workstations and servers: Administrators.
    On domain controllers: Administrators, Server Operators.

  • Generate security audits

    This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information, see Audit: Shut down system immediately if unable to log security audits.

    Default: Local Service
    Network Service.

  • Impersonate a client after authentication

    Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

    Caution

    Assigning this user right can be a security risk. Only assign this user right to trusted users.

    Default:

    Administrators
    Local Service
    Network Service
    Service

    Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.

    In addition, a user can also impersonate an access token if any of the following conditions exist:

    The access token that is being impersonated is for this user.
    The user, in this logon session, created the access token by logging on to the network with explicit credentials.
    The requested level is less than Impersonate, such as Anonymous or Identify.

    Because of these factors, users do not usually need this user right.

    For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.

    Warning

    If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.

  • Increase a process working set

    This privilege determines which user accounts can increase or decrease the size of a process’s working set.

    Default: Users

    The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

    Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

  • Increase scheduling priority

    This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

    Default: Administrators.

  • Load and unload device drivers

    This user right determines which users can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.

    Caution

    Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

    Default on workstations and servers: Administrators.

    Default on domain controllers:
    Administrators
    Print Operators

  • Lock pages in memory

    This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

    Default: None.

  • Log on as a batch job

    This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.

    For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

    Default: Administrators
    Backup Operators.

  • Log on as a service

    This security setting determines which service accounts can register a process as a service.

    Default: Network Service.

  • Log on locally

    Determines which users can log on to the computer.

    Important

    Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.

    Default:

    On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
    On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.

  • Manage auditing and security log

    This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

    This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

    You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

    Default: Administrators.

  • Modify an object label

    This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

    Default: None

  • Modify firmware environment values

    This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.

    On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.
    On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties.
    On all computers, this user right is required to install or upgrade Windows.

    Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. For information about how to modify these variables, see To add or change the values of environment variables.

    Default: Administrators.

  • Perform volume maintenance tasks

    This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.

    Use caution when assigning this user right. Users with this user right can explore disks and extend files into memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

    Default: Administrators

  • Profile single process

    This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.

    Default: Administrators.

  • Profile system performance

    This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

    Default: Administrators.

  • Remove computer from docking station

    This security setting determines whether a user can undock a portable computer from its docking station without logging on.

    If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.

    Default: Administrators.

  • Replace a process level token

    This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.

    Default: Network Service, Local Service.

  • Restore files and directories

    This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.

    Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

    Traverse Folder/Execute File
    Write

    Caution

    Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.

    Default:

    Workstations and servers: Administrators, Backup Operators.
    Domain controllers: Administrators, Backup Operators, Server Operators.

  • Shut down the system

    This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

    Default on Workstations: Administrators, Backup Operators, Users.

    Default on Servers: Administrators, Backup Operators.

    Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.

  • Synchronize directory service data

    This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.

    Default: None.

  • Take ownership of files or other objects

    This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

    Caution

    Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.

    Default: Administrators.
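A practical way to check a machine against the defaults listed above is to export the local policy with "secedit /export /cfg <file>" and compare the [Privilege Rights] section with a baseline. The script below is an added example, not Microsoft tooling: it parses that section, resolves the well-known SIDs secedit writes in place of group names, and reports any principal holding a right beyond this page's workstation/server defaults (including rights whose default is None). The export text, the principal name svc_legacy and the subset of rights in the baseline are constructed for the demonstration.

```python
"""Audit a secedit /export file's [Privilege Rights] section against the
workstation/server defaults listed on this page.  Added example; the
export text below is constructed, not taken from a real machine."""

# Well-known SIDs that secedit writes (prefixed with '*') instead of group names.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "Service",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Privilege constants and the workstation/server defaults given on this page.
# An empty set means "Default: None": nobody should hold the right.
WORKSTATION_DEFAULTS = {
    "SeNetworkLogonRight": {"Administrators", "Backup Operators", "Users", "Everyone"},
    "SeTrustedCredManAccessPrivilege": set(),
    "SeTcbPrivilege": set(),
    "SeInteractiveLogonRight": {"Administrators", "Backup Operators", "Users"},
    "SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users"},
    "SeBackupPrivilege": {"Administrators", "Backup Operators"},
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": {"Administrators"},
    "SeImpersonatePrivilege": {"Administrators", "Local Service", "Network Service", "Service"},
    "SeLoadDriverPrivilege": {"Administrators"},
    "SeRestorePrivilege": {"Administrators", "Backup Operators"},
    "SeTakeOwnershipPrivilege": {"Administrators"},
}


def parse_privilege_rights(inf_text):
    """Return {privilege: set(principal names)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = set()
        for entry in filter(None, (v.strip() for v in value.split(","))):
            sid = entry.lstrip("*")
            # Unknown SIDs and plain account names are kept verbatim.
            principals.add(WELL_KNOWN_SIDS.get(sid, entry))
        rights[name.strip()] = principals
    return rights


def audit(rights, baseline=WORKSTATION_DEFAULTS):
    """Return [(privilege, extra principals)] for rights held beyond the baseline.
    A right missing from the export is treated as assigned to nobody."""
    findings = []
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings.append((priv, sorted(extra)))
    return findings


# Constructed export: SeTcbPrivilege and SeDebugPrivilege have drifted from defaults.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545,*S-1-1-0
SeTcbPrivilege = svc_legacy
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for priv, extra in audit(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{priv}: assigned beyond page defaults to {', '.join(extra)}")
```

A real secedit export is UTF-16 encoded, so read it with encoding="utf-16" before passing the text to parse_privilege_rights; domain controllers need their own baseline built from the domain controller defaults above.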