Skip to content

Group Policy User Rights Assignment Policies

Security Settings - User Rights

Local Policies - User Rights Assignments

The first thing that you notice is just how many User Rights that Windows Server 2003 provides.  Consequently, there is something for every aspect of security in this folder.

A classic 'vanilla' installation of Active Directory will function adequately without you having to change any of these settings.  The reason why you may never have to configure this section, is because many of these user rights are bestowed on people through membership of the appropriate group.  For instance, place people who need to backup files in the backup operator's group.  One company foolishly created a TechAdmin group and spent ages adding important rights, not realizing that there was already a built-in Administrators group which did the same job!

Group Policy Topics

User Configuration

    Windows Settings

      Local Policies

           Audit Policy

     User Rights Assignments

What then is the benefit of these settings?  I would divide User Rights into three categories:

1) Rights for special accounts, example, the SQL Agent needs to Log on as a service.

2) Prevention of users getting into mischief, for example, 'Deny shutdown system' for a Terminal Server.

3) Specialist rights for one off situations, example allow roll-out team Add Workstations to domain.  (But not make them full administrators)

* Guy's Top Three User Rights Policies


Rights for special accounts

When you create service accounts you may wish to fine tune their capabilities.  Such accounts are used by SQL and older versions of Exchange.  The danger is that because service accounts are not allowed to change their password, they are a magnet for hackers to attack.  More often than not, these service accounts have traditional names like SQLAdmin, so hackers guess their names, crack their password and breach the system.  Your last line of defence is to give these accounts only specific rights, not full administrative control.

Rights that fall into this special category are: Logon as a batch job, Logon as a service, Enable Computer Accounts to be trusted, Increase Scheduling Priority and possibly, Lock pages in memory.

Guy Recommends: Permissions Analyzer - Free Active Directory Tool

I like the Permissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try - it's free!

Download Permissions Analyser - Free Active Directory Tool

Prevent users getting into mischief

  • Deny logon through terminal services.
  • Disable, Shut Down System, so that ordinary users cannot power off the very Terminal Server that provides desktops for them and their colleagues.
  • Disable Restore Files and Folders, so backup operators cannot sneakily restore the HR database.  My point is that if you had to restore files, most likely you would call upon a top administrator, not a humble backup operator.

Specialist Rights for one off situations.

  • Add Workstations to the Domain.  Better to give the roll-out engineers limited rights rather than making them full administrators.  By default users have the right to add 10 workstations to the domain without any extra rights.
  • Allow right to logon locally.  When you only have a DC available to try out newly created user, you need to give those accounts this rights.  However you could make the test accounts backup operators who do have the right to logon locally.
  • Modify firmware.  Possible scenario, you have an outsource team who need to upgrade the hardware.

See more security Group Policies

• Group Policies   • Troubleshooting Group Policies   • Group Policy Tactics

   • Group Policy Security   • Audit Logon Events   • Security Event Log   • Security Options

• Security System Services   • Security System  • Security User Rights   • Security Software

If you like this page then please share it with your friends



User Rights Assignment

  • 2 minutes to read
  • Contributors

Applies to

Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local device by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see Configure security policy settings.

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

Related topics