User rights grant specific privileges and logon rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories.
To ease the task of user account administration, you should assign privileges primarily to group accounts, rather than to individual user accounts. When you assign privileges to a group account, users are automatically assigned those privileges when they become a member of that group. This method of administering privileges is far easier than assigning individual privileges to each user account when the account is created.
The following table lists and describes the privileges that can be granted to a user.
Privilege | Description | Default setting |
---|---|---|
Act as part of the operating system | Allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the Local System account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. You do not need to assign this privilege to users unless your organization uses servers running Windows 2000 or Windows NT 4.0 and uses applications that exchange passwords in plaintext. | Local System |
Add workstations to a domain | Determines which groups or users can add workstations to a domain. This user right is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain. Adding a computer account to the domain allows the computer to recognize accounts and groups that exist in Active Directory Domain Services (AD DS). | Domain controllers: Authenticated Users |
Adjust memory quotas for a process | Determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. | Administrators |
Back up files and directories | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. | Administrators and Backup Operators |
Bypass traverse checking | Determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers. | Workstations and servers: Administrators, Backup Operators, Power Users, Users, and Everyone; Domain controllers: Administrators and Authenticated Users |
Change the system time | Determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers. | Workstations and servers: Administrators and Power Users; Domain controllers: Administrators and Server Operators |
Create a pagefile | Allows the user to create and change the size of a paging file. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System properties. | Administrators |
Create a token object | Allows a process to create a token that it can then use to get access to any local resources when the process uses `NtCreateToken()` or other token-creation APIs. Processes requiring this privilege should use the Local System account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. | No one |
Create global objects | Determines which accounts can create global objects in a Terminal Services or Remote Desktop Services session. | Administrators and Local System |
Create permanent shared objects | Allows a process to create a directory object in the operating system's object manager. This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | No one |
Debug programs | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components do need to be assigned this user right. This user right provides complete access to sensitive and critical operating system components. | Administrators and Local System |
Enable computer and user accounts to be trusted for delegation | Determines which users can set the **Trusted for Delegation** setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer by using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers. | Domain controllers: Administrators |
Force shutdown from a remote system | Determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers. | Workstations and servers: Administrators; Domain controllers: Administrators and Server Operators |
Generate security audits | Determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the **Audit: Shut down system immediately if unable to log security audits** security policy setting is enabled. For more information, see Audit: Shut down system immediately if unable to log security audits (http://go.microsoft.com/fwlink/?LinkId=136299). | Local System |
Impersonate a client after authentication | Determines which accounts are allowed to impersonate other accounts. | Administrators and Service |
Increase scheduling priority | Determines which accounts can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | Administrators |
Load and unload device drivers | Determines which users can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. Because device drivers run as trusted (or highly privileged) programs, you should not assign this privilege to other users. Instead, use the `StartService()` API. | Administrators |
Lock pages in memory | Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | None; certain system processes have the privilege inherently |
Manage auditing and security log | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing. For such auditing to be enabled, the **Audit object access** setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured. For more information, see Audit object access (http://go.microsoft.com/fwlink/?LinkId=136283). You can view audited events in the Security log of the Event Viewer. A user with this privilege can also view and clear the Security log. | Administrators |
Modify firmware environment values | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | Administrators and Local System |
Profile a single process | Determines which users can use performance monitoring tools to monitor the performance of nonsystem processes. | Administrators, Power Users, and Local System |
Profile system performance | Determines which users can use performance monitoring tools to monitor the performance of system processes. | Administrators and Local System |
Remove computer from docking station | Determines whether a user can undock a portable computer from its docking station without logging on. If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on. | Disabled |
Replace a process level token | Determines which user accounts can initiate a process to replace the default token associated with a started subprocess. This user right is defined in the Default Domain Controller GPO and in the local security policy of workstations and servers. | Local Service and Network Service |
Restore files and directories | Determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to a user or group on all files and folders on the system: | Workstations and servers: Administrators and Backup Operators; Domain controllers: Administrators, Backup Operators, and Server Operators |
Shut down the system | Determines which users who are logged on locally to the computer can shut down the operating system by using the Shut Down command. Misuse of this user right can result in a denial of service. | Workstations: Administrators, Backup Operators, Power Users, and Users; Servers: Administrators, Backup Operators, and Power Users; Domain controllers: Account Operators, Administrators, Backup Operators, Server Operators, and Print Operators |
Synchronize directory service data | Determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization. | None |
Take ownership of files or other objects | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | Administrators |
Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right—in this case, the right to perform a backup—takes precedence over all file and directory permissions. For more information, see Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=131606).
Note: At a command prompt, you can type `whoami /priv` to see your privileges.
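The following PowerShell script is an added example, not part of the original document: it exports the local user-rights assignments with `secedit`, parses the `[Privilege Rights]` section, and reports any account that holds one of the high-impact privileges in the table beyond the default holders the table lists. It assumes an elevated session on a workstation or member server; the baseline SIDs are a review starting point taken from the table's Default setting column, not an authoritative list for every Windows version (Local System holds several of these inherently and does not appear in the export).

```powershell
# Export only the user-rights area of the local security policy to a temp file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Baseline from the table (assumption: review starting point, not a per-version reference).
# Administrators = S-1-5-32-544, Backup Operators = S-1-5-32-551.
$baseline = @{
    'SeTcbPrivelege'.Replace('elege','ilege') = @()                  # Act as part of the operating system: no one
    'SeCreateTokenPrivilege'     = @()                                # Create a token object: no one
    'SeCreatePermanentPrivilege' = @()                                # Create permanent shared objects: no one
    'SeSyncAgentPrivilege'       = @()                                # Synchronize directory service data: none
    'SeDebugPrivilege'           = @('S-1-5-32-544')                  # Debug programs: Administrators
    'SeTakeOwnershipPrivilege'   = @('S-1-5-32-544')                  # Take ownership of files or other objects
    'SeLoadDriverPrivilege'      = @('S-1-5-32-544')                  # Load and unload device drivers
    'SeBackupPrivilege'          = @('S-1-5-32-544', 'S-1-5-32-551')  # Back up files and directories
    'SeRestorePrivilege'         = @('S-1-5-32-544', 'S-1-5-32-551')  # Restore files and directories
}

# Lines in the export look like:  SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-551
# (secedit writes the file as UTF-16, hence -Encoding Unicode).
$assigned = @{}
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Translate a SID to DOMAIN\Name for readability; keep the raw SID if it no longer resolves.
function Resolve-Sid([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# Report every holder that is not in the table's default list for that privilege.
foreach ($priv in ($baseline.Keys | Sort-Object)) {
    $holders = @($assigned[$priv] | Where-Object { $_ })
    foreach ($sid in ($holders | Where-Object { $baseline[$priv] -notcontains $_ })) {
        [pscustomobject]@{ Privilege = $priv; UnexpectedHolder = (Resolve-Sid $sid); Sid = $sid }
    }
}
```

Deviations are expected on domain controllers and on servers with backup or monitoring agents installed, so treat each reported row as something to explain rather than as a finding by itself.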