Privileges

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Privileges

To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.

The following table lists and describes the privileges that can be granted to a user.

Privilege Description

Act as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

Default: Local System.

Add workstations to a domain

This security setting determines which groups or users can add workstations to a domain.

This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

Default: Authenticated Users on domain controllers.

Adjust memory quotas for a process

This privilege determines who can change the maximum memory that can be consumed by a process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default: Administrators.

Back up files and directories

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Default: Administrators and Backup Operators.

Bypass traverse checking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default:

  • On workstations and servers:

    • Administrators

    • Backup Operators

    • Power Users

    • Users

    • Everyone

  • On domain controllers:

    • Administrators

    • Authenticated Users

Change the system time

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default:

  • On workstations and servers:

    • Administrators

    • Power Users

  • On domain controllers:

    • Administrators

    • Server Operators

Create a pagefile

Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System properties.

Default setting: Administrators

Create a token object

Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.

It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned

Default setting: No one

Create global objects

This security setting determines which accounts are allowed to create global objects in a terminal services session.

Default: Administrators and Local System.

Create permanent shared objects

Allows a process to create a directory object in the Windows Server 2003 family and Windows XP Professional object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege.

Default setting: No one

Debug programs

This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications to not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

Default setting:

  • Administrators

  • Local System

Enable computer and user accounts to be trusted for delegation

This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default setting: On domain controllers:

  • Administrators

Force shutdown from a remote system

This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default:

  • On workstations and servers: Administrators.

  • On domain controllers: Administrators, Server Operators.

Generate security audits

This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information, see Audit: Shut down system immediately if unable to log security audits.

Default: Local System.

Impersonate a client after authentication

This security setting determines which accounts are allowed to impersonate other accounts.

Default: Administrators and Service.

Increase scheduling priority

This security setting determines which accounts can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

Default: Administrators.

Load and unload device drivers

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Instead, use the StartService() API.

Default setting: Administrators. It is recommended that you not assign this privilege to any other user. Device drivers run as trusted (or highly privileged) programs.

Lock pages in memory

This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

Default: None. Certain system processes have the privilege inherently.

Manage auditing and security log

This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

Default: Administrators.

Modify firmware environment values

This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.

  • On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.

  • On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System properties.

  • On all computers, this user right is required to install or upgrade Windows.

Default setting:

  • Administrators

  • Local System

profile a single process

This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.

Default: Administrators, Power users, Local System.

profile system performance

This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

Default: Administrators, Local System.

Remove computer from docking station

This security setting determines whether a user can undock a portable computer from its docking station without logging on.

If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.

Default: Disabled.

Replace a process level token

Determines which user accounts can initiate a process to replace the default token associated with a started subprocess.

This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.

Default setting: Local Service and Network Service.

Restore files and directories

This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

  • Traverse Folder/Execute File

  • Write

Default:

  • Workstations and servers: Administrators, Backup Operators.

  • Domain controllers: Administrators, Backup Operators, Server Operators.

Shut down the system

This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

Default:

  • Workstations: Administrators, Backup Operators, Power Users, Users.

  • Servers: Administrators, Backup Operators, Power Users.

  • Domain controllers: Account Operators, Administrators, Backup Operators, Server Operators, Print Operators.

Synchronize directory service data

This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.

Defaults: None.

Take ownership of files or other objects

This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Default setting: Administrators

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right--in this case, the right to perform a backup--takes precedence over all file and directory permissions.

For more information, see Logon rights, User rights and Security Configuration Manager tools.

Note

  • At a command prompt, you can type whoami /priv to see your privileges. For more information about the whoami command, see Whoami.