Previous articles in Windows NT Magazine have discussed user rights from the point of view of securing your system and protecting it from hackers and external attacks. (For a selection of such articles, see "Related Articles in Windows NT Magazine," page 207. For more about protection from hackers, see Andrey Kruchkov, "The Accidental Hacker," page 177.) This article looks at how you can assign or remove user rights to gain flexibility in delegating tasks while you maintain control of your NT network.
Permissions and Rights
A systems administrator assigns a permission to let a user access a resource such as a file, a directory, or a printer. The administrator assigns a right to let a user perform a task such as changing the system clock time. A permission is always associated with an object, and a right is always associated with the system.
Setting User Rights
You configure rights with the User Manager utility. On a domain controller, you configure rights from the User Manager for Domains, which lets you set rights that apply to the domain. From the Policies menu, select User Rights to open the dialog box and configure rights for your users. When you first open the User Rights dialog box, you'll see only basic, or standard, user rights. To view a larger and more advanced group of user rights in the drop-down list, select the Show Advanced User Rights check box, as you see in Screen 1, page 206.
You can assign each right to individual users or to groups of users. NT automatically assigns many rights to specific groups. For example, on a domain controller, NT assigns the log on locally right to the Administrators, Account Operators, Server Operators, and Backup Operators groups. NT does not assign this right to Domain Users or to the Everyone group because users in these groups will usually access the server across the network and will not log on at the server.
NT assigns certain rights by default to the Everyone group. This assignment might be too liberal on NT's part, and some administrators like to substitute Domain Users for the Everyone group to maintain more control over these rights.
To assign a right, select the right and click Add to bring up a list of users and groups, from which you select the appropriate items, as Screen 2, page 206, shows. I recommend adding a user account to an established NT group that already has the right you're assigning. You can assign rights to global groups, local groups, and users from current and trusted domains.
Standard User Rights
Let's look at some standard user rights. Screen 3 shows part of the standard-rights list.
Access this computer from the network. NT usually assigns this right to all users. This assignment makes sense. You want everyone to be able to connect to a server (especially a domain controller) through the network.
Add workstations to domain. This right applies only to domain controllers. NT does not assign it by default.
Back up files and directories. NT assigns this right to the NT Administrators, Backup Operators, and Server Operators groups. This right is necessary so that members of these groups can read files for backup even if they don't have rights to read the same files in applications. You do not have to give these groups specific permission to read filesdoing so would let them open the files and examine the contents. The back up files and directories right overrides permissions to read files only for the purpose of file backup.
Change the system time. This right is reserved for the Administrators and Server Operators groups. Although this restriction might seem excessive, many network functions depend on time that is synchronized across the network.
Force shutdown from a remote system. This right is not currently available in NT, although NT developers might have plans for it. Why is it here if you can't implement it? Third-party utilities are available that let you perform a remote reboot (or you can use the Shutdown Workstation utility in the Microsoft Windows NT Server Resource Kit), if you have the authority to run these utilities on your company's system. Perhaps that authority is what this right will control in future versions of NT.
Load and unload device drivers. This right might seem like something only administrators should have, which is indeed the case. If you load the wrong device drivers, you risk not being able to restart the computer. Even though this right restricts users from changing video drivers, it doesn't prevent users from adjusting video resolution.
Log on locally. This right lets users log on at the keyboard of a computer rather than over the network. Sometimes you have to set this right in response to the message, The policy of this system does not allow you to log on interactively. (Why this message uses interactively instead of locally is one of those NT mysteries that suggests NT programmers need to communicate with one another more.)
Managing auditing and security log. A user with this right can specify what type of resource access, such as file or directory access, NT can audit. With this right, a user can also look at and clear out the Security log in the NT Event Viewer. However, no one but a member of the Administrators group can set the auditing policy within the User Manager for Domains.
Restore files and directories. This right is similar to the back up files and directories right in that it overrides standard file and directory permissions and lets members of the Administrators, Backup Operators, and Server Operators groups (for whom it is a default right) write files to disk for the purpose of restoring them. Consider limiting this right, because making backups has little impact on users. However, ill-advised or wrongly executed restores can overwrite data. You might avoid problems with security if you let only the administrator restore files.
Shut down the system. On NT servers, this right, like log on locally, is limited to the Administrator and Operators groups. Even if you let other users log on to a server, make them disconnect by logging off, not by shutting down the server.
Take ownership of files or other objects. For obvious reasons, NT limits this right to the Administrator. A user can set permissions that restrict other users from accessing the user's files, or an administrator can set such permissions. For example, a company's network administrator would typically not have permissions to read personnel files. But if a Human Resources employee quits without notice, the administrator might have to take ownership of that employee's files to transfer the files to another HR staff member. (In NT you can't give ownership of files to anyone, you can only take ownership.) In this situation, the administrator can temporarily assign the right to take ownership of the files to the second HR employee.
Advanced User Rights
Now let's look at some advanced user rights that are of interest to systems administrators. As Screen 4 shows, advanced rights appear in the drop-down box with the standard user rights.
Act as part of the operating system. An administrator can assign this right to certain subsystems. NT does not assign this right by default.
Bypass traverse checking. This right lets a user change directories and move through a directory tree even if the user has no permissions to access the directories. The permission is checked on only the last component of a path, which lets the user access the entry directory, but not higher directories in the path. NT assigns this right to everyone by default; turn it off only if you need POSIX compliance.
Create a page file. Usually only systems administrators create page files. Assign this right only if you intend to let a user build page files on disks to tune the user's system for more efficient performance.
Create a token object, create permanent shared objects, debug programs, lock pages in memory. Usually programmers, not end users, hold these rights. The administrator must assign these rights.
Increase quotas. This option is an interesting right, considering that NT has been criticized for not granting administrators the ability to assign quotas for disk usage and other systems resources. The TechNet CD-ROM confirms that this right is not available in current versions of NT, which suggests that Microsoft may implement this right in a future release.
Increase scheduling priority. This right lets users increase the priority of a process. According to TechNet, by default, only the administrator and power users can increase the priority of a process. But a user in the Domain Users group can change the priority using Task Manager, so perhaps Task Manager has this right and can invoke it on behalf of a user.
Log on as a service. This right lets a service use a username to initialize itself in the background in NT. (For an explanation of NT services, see "Windows NT Services," January 1998.) Some examples of NT services are the Replication service, SQL Server Executive, and the Systems Management Server (SMS) Executive account.
Yours by Right
NT gives you a fair amount of leeway to assign rights to your users while keeping control of your network. If you know what rights exist in NT and which users and groups acquire rights by default, you can customize all rights to make your network function just the way you want it to.