Logon Rights

Logon rights control how security principals are allowed access to the computer: from the keyboard, through a network connection, as a service, or as a batch job. For each logon method there is a pair of logon rights, one that allows logging on to the computer by that method and one that denies it. Use a deny logon right as you would use a deny permission, to exclude a subset of a group that has been assigned an allow logon right. For example, suppose that Alice wants all users except the members of the domain's Marketing group to be able to log on locally at her computer's keyboard. With this in mind, Alice creates a local group, which she names "LocalLogonDenied." Then she configures her computer as follows:

  1. She assigns the "Log on locally" user right to the Users group.

  2. She assigns the "Deny local logon" user right to the LocalLogonDenied group.

  3. She makes the Marketing group a member of the LocalLogonDenied group.

Deny rights take precedence over allow rights, so members of the Marketing group are denied the right to log on locally even though they are also members of the Users group, which is allowed to log on locally. The check is made against every group in the user's access token, so a deny matched through any group membership wins. Logon rights are evaluated when a logon is attempted, so the change affects new logons; sessions that are already established are not ended.

The rule to keep in mind is: "Allow a set, and then deny a subset." Reversing the order can be disastrous. For example, Alice might want to allow no one but herself to log on locally. If she allowed herself the right to log on locally and denied the Users group the right to log on locally, she would be unpleasantly surprised to find she had locked herself out of the computer. Alice, after all, is a member of the Users group, so the deny right she assigned to the Users group would take precedence over the allow right she assigned to herself.
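The three steps above, together with the lock-out guard that the "allow a set, and then deny a subset" rule calls for, as an added PowerShell example; this is not code from the original page. It assumes a current Windows system (Windows 10 or Windows Server 2016 or later, where the LocalAccounts cmdlets exist), an elevated session, and a domain named CONTOSO; the domain name, the temporary file names and the Merge-UserRight helper are the example's own. It applies the rights with a secedit security template, the same [Privilege Rights] mechanism Group Policy uses, and merges into the existing assignment because a template entry replaces the whole list for a right.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page. Performs Alice's three steps
# (allow Users to log on locally, deny the LocalLogonDenied group, put Marketing
# in that group) with the LocalAccounts module and secedit, and adds the
# lock-out guard the "allow a set, then deny a subset" rule calls for.
# Assumptions: Windows 10 / Server 2016 or later, an elevated session, and a
# domain named CONTOSO (the domain name is invented for this example).
$ErrorActionPreference = 'Stop'

$denyGroupName = 'LocalLogonDenied'
$domainGroup   = 'CONTOSO\Marketing'   # assumed domain name
$usersSid      = 'S-1-5-32-545'        # well-known SID of BUILTIN\Users
$work          = $env:TEMP

# Steps 2 and 3: create the local deny group and make Marketing a member.
if (-not (Get-LocalGroup -Name $denyGroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $denyGroupName -Description 'Members are denied SeInteractiveLogonRight' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $denyGroupName -Member $domainGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $denyGroupName -Member $domainGroup
}
$denySid = (Get-LocalGroup -Name $denyGroupName).SID.Value

# Lock-out guard. The deny right beats every allow right, so refuse to proceed
# if the account running this would fall under the deny: the deny group itself
# or any of its direct members appears in the current token. (Deeper nesting is
# not resolved here; check it separately before using this in production.)
$me         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$deniedSids = @($denySid) + @(Get-LocalGroupMember -Group $denyGroupName | ForEach-Object { $_.SID.Value })
$overlap    = $tokenSids | Where-Object { $deniedSids -contains $_ }
if ($overlap) {
    throw "Refusing to apply: your token contains $($overlap -join ', '), which $denyGroupName would deny local logon."
}

# A [Privilege Rights] entry replaces the whole list for that right, so merge
# with the current assignment instead of clobbering Administrators and friends.
$beforePath = Join-Path $work 'user-rights-before.inf'
secedit /export /cfg $beforePath /areas USER_RIGHTS /quiet | Out-Null
$before = Get-Content $beforePath

# Hypothetical helper for this example: returns the right's current *SID list
# from a secedit export with the given SIDs added (secedit writes SIDs as *S-1-...).
function Merge-UserRight([string[]]$Export, [string]$Right, [string[]]$AddSids) {
    $line = $Export -match "^$Right\s*="
    $have = @()
    if ($line) {
        $have = @(($line[0] -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    foreach ($sid in $AddSids) { if ($have -notcontains "*$sid") { $have += "*$sid" } }
    return ($have -join ',')
}

$allowList = Merge-UserRight $before 'SeInteractiveLogonRight'     @($usersSid)
$denyList  = Merge-UserRight $before 'SeDenyInteractiveLogonRight' @($denySid)

# Step 1 and the deny assignment from step 2, as a security template.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $allowList
SeDenyInteractiveLogonRight = $denyList
"@
$infPath = Join-Path $work 'logon-rights.inf'
$dbPath  = Join-Path $work 'logon-rights.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode

secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# Verify what is now in force.
$afterPath = Join-Path $work 'user-rights-after.inf'
secedit /export /cfg $afterPath /areas USER_RIGHTS /quiet | Out-Null
Get-Content $afterPath | Select-String '^Se(Deny)?InteractiveLogonRight'
```

Run it once from an elevated prompt. If the account running it is in Marketing, or otherwise already in LocalLogonDenied, the guard stops before anything is changed, which is Alice's lock-out scenario caught in advance. The final export shows the resolved assignments; secedit writes *SID entries, so LocalLogonDenied appears by its SID rather than by name.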

Logon rights are described in Table D.1. For developers, who are more familiar with the constants in Winnt.h than with the logon right display names in the Security Settings user interface, the Winnt.h string that corresponds to each logon right is shown in parentheses after the display name; for example, the constant SE_INTERACTIVE_LOGON_NAME is defined in Winnt.h as the string "SeInteractiveLogonRight".

Table D.1 Logon Rights

  Access this computer from network (SeNetworkLogonRight)
      Allows a user to connect to the computer from the network. By default, this right is assigned to Administrators, Everyone, and Power Users.

  Log on as a batch job (SeBatchLogonRight)
      Allows a user to log on by using a batch-queue facility, such as the Task Scheduler service. By default, this right is assigned to Administrators.

  Log on locally (SeInteractiveLogonRight)
      Allows a user to log on locally at the computer's keyboard. By default, this right is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

  Log on as a service (SeServiceLogonRight)
      Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the right. By default, this right is not assigned to anyone.

  Deny access to this computer from network (SeDenyNetworkLogonRight)
      Prohibits a user or group from connecting to the computer from the network. By default, no one is denied this right.

  Deny local logon (SeDenyInteractiveLogonRight)
      Prohibits a user or group from logging on locally at the keyboard. By default, no one is denied this right.

  Deny logon as a batch job (SeDenyBatchLogonRight)
      Prohibits a user or group from logging on through a batch-queue facility. By default, no one is denied this right.

  Deny logon as a service (SeDenyServiceLogonRight)
      Prohibits a user or group from logging on as a service. By default, no one is denied this right.