Windows 8 : Managing authorization and access rights (part 1) - Assigning user rights

Getting started with user rights

After you have authenticated and signed in to a computer running Windows 8, what can you do? Typically, a desktop, Start screen, or some other piece of information starts you on the computer, but you need rights to perform certain actions. For example, suppose Oscar was hired at Contoso to work from the London office. The help desk helps provision computers for new employees and ensures that they are shipped to remote employees as soon as possible. When Oscar’s computer was sent out, the time zone was still set to the local time of the office where the computer was configured. Because most employees do not need access to change the time zone, this right is disabled by default. How can Oscar modify the time zone so that his computer displays the correct system time?

Because this user right has not been assigned, you must sign in with local administrator privileges to add Oscar to the needed user rights. To assign Oscar the right to change the time zone, complete the following steps:

1. From the desktop, tap or click the Settings charm.

2. Select Control Panel, System and Security, Administrative Tools, and then Local Security Policy.

3. From the navigation pane of the Local Security Policy console, expand Local Policies and tap or click User Rights Assignment.

4. In the results pane, double-tap or double-click the Change The Time Zone policy.

5. Make a note of the users or groups defined on the Local Security Setting tab of the Properties dialog box.

6. Add Oscar’s user account to the list of those allowed to modify the time zone or add the user account to one of the groups that is listed.

7. Log off the computer and have Oscar test his ability to modify the time zone.

Working in groups

Rights tend to be more effective when used in groups than when used on single user accounts. The reason for this is not technical; rather, it comes from an ease-of-administration concept. Consider the following example for why this tends to be more efficient.

If you assign rights to Oscar to perform a task, only Oscar can perform that task. If you assign rights to the help desk group to perform a task, any member of the help desk group can perform that task. In this way, as employees like Oscar come and go from the help desk group, the rights do not travel with that singular user account.

Understanding rights vs. permissions

Permissions specify which type of access to allow on an object. A folder called Operations is an object that lives on the NTFS file system. This object would have permissions assigned to it granting different types of access to different user accounts or groups.

Rights are similar to permissions, but they are applied to user accounts or groups and apply to the tasks that these user accounts (or group members) can perform on a computer. Rights define what someone is allowed to do, whereas permissions define what type of access is available for an object.

Note

PERMISSIONS VS. RIGHTS

When considering permissions and rights, remember that permissions are assigned to objects that can be secured, including files, folders, and registry keys. Rights determine which tasks on a computer the specified user account can perform.

Assigning user rights

Within Windows 8, local security policy items affect what can happen on a local computer. Computers joined to an Active Directory domain process security from Active Directory before evaluating items at the local policy level. Assigning user rights is performed at both the local and domain levels.

Note

SECURITY AND AUDITING SETTINGS

User rights assignment tasks are a set of policies under the Local Policies group within the Local Security Policy management console. In addition to these user rights, additional security and auditing options can be controlled within this console. To access auditing policies, select Audit Policy from the local policies container. To access Security settings, select Security Options from the local policies container.

To access user rights on a computer running Windows 8, complete the following steps:

1. Tap or click the Settings charm.

2. Select Control Panel.

3. Double-tap or double-click Administrative Tools.

4. Double-tap or double-click Local Security Policy.

5. In the left pane of the window, expand Local Policies.

6. Select User Rights Assignment.

The settings configured in User Rights Assignment allow defined tasks to be performed by the specified groups or user accounts. The available actions that can be assigned are defined in Table 1.

Note

SECURITY ALERT USER RIGHTS AND TRUSTED USER ACCOUNTS

Assigning the user rights marked with an asterisk (*) in the table should be done only for trusted user accounts. Modifying these privileges can provide more system access than necessary to a user account or a group, or it can render a computer unusable if the wrong elements are removed or denied access.

Table 1. User Rights elements that can be assigned to users or groups

Policy	Description	Groups with this privilege by default	Valid on
Access Credential Manager as trusted caller	Used by Credential Manager during backup and recovery operations. No user accounts should be assigned this privilege.	None; used by Winlogon	Workstations
Access this computer from the network	Determines which users and groups can connect to this computer over the network.	Administrators, Authenticated Users, Backup Operators, Users, Everyone	Workstations, Servers, and Domain Controllers
Act as part of the operating system	Allows a process to impersonate any user account on the system with no additional authentication.	None*	Workstations, Servers, and Domain Controllers
Add workstations to domain	Determines which user accounts or groups can add workstations to the domain.	Authenticated Users	Domain Controllers
Adjust memory quotas for a process	Determines which user accounts can change the maximum memory consumption allowed for a process.	Administrators, Local Service, Network Service	Workstations, Servers, and Domain Controllers
Allow logon locally	Determines which user accounts can sign in to the computer.	On workstations/servers: Administrators, Backup Operators, Power Users, Users, Guest On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators	Workstations, Servers, and Domain Controllers
Allow logon through Remote Desktop Services	Determines which user accounts can access the computer by using Remote Desktop Connections.	On workstations/servers: Administrators, Remote Desktop Users On domain controllers: Administrators	Workstations, Servers, and Domain Controllers
Back up files and directories	Determines which user accounts or groups can bypass persistent object permissions for the purposes of backing up a computer.	On workstations and servers: Administrators, Backup Operators On domain controllers: Administrators, Backup Operators, Server Operators*	Workstations, Servers, and Domain Controllers
Bypass traverse checking	Determines which user accounts can traverse directories even though the user account might not have permissions to do so on the object.	On workstations and servers: Administrators, Backup Operators, Users, Everyone, Local Service, Network Service On domain controllers: Administrators, Authenticated Users, Everyone, Local Service, Network Service, Pre–Windows 2000 Compatible Access	Workstations, Servers, and Domain Controllers
Change the system time	Determines which user accounts and groups can change the time on a computer.	On workstations and servers: Administrators, Local Service On domain controllers: Administrators, Server Operators, Local Service	Workstations, Servers, and Domain Controllers
Change the time zone	Determines which user accounts and groups can change the time zone.	Administrators, Users	Workstations, Servers, and Domain Controllers
Create a page file	Determines which user accounts or groups can call an application programming interface (API) to create a page file.	Administrators	Workstations, Servers, and Domain Controllers
Create a token object	Determines which accounts can be used by processes to create tokens used for accessing local resources.	None*	Workstations, Servers, and Domain Controllers
Create global objects	Determines which user accounts can create global objects available to all sessions.	Administrators, Local Service, Network Service, Service*	Workstations, Servers, and Domain Controllers
Create permanent shared objects	Determines which accounts can be used by processes to create directory objects by using Object Manager.	None
Create symbolic links	Determines whether a user account can create a symbolic link from the computer where the user is signed in.	Administrators	Workstations, Servers, and Domain Controllers
Debug programs	Determines which accounts can attach a debugger to any process or to the Windows kernel.	Administrators*	Workstations, Servers, and Domain Controllers
Deny access to this computer from the network	Determines which accounts are prevented from accessing the computer over the network.	Guest	Workstations, Servers, and Domain Controllers
Deny logon as a batch job	Determines which accounts are prevented from signing in as a batch job.	None	Workstations, Servers, and Domain Controllers
Deny logon as a service	Determines which service accounts are prevented from registering a process as a service.	None	Workstations, Servers, and Domain Controllers
Deny logon locally	Determines which user accounts are denied the ability to sign in locally to a computer.	Guest	Workstations, Servers, and Domain Controllers
Deny logon through Remote Desktop Services	Determines which user accounts are denied access to a computer by using Remote Desktop Services.	None	Workstations, Servers, and Domain Controllers
Enable computer and user accounts to be trusted for delegation	Determines which user accounts can set the Trusted For Delegation property on a user or a computer object.	Administrators*	Domain Controllers
Force shutdown from a remote system	Determines which accounts can shut down a computer from a remote location.	On workstations and servers: Administrators On domain controllers: Administrators, Server Operators	Workstations, Servers, and Domain Controllers
Generate security audits	Determines which accounts can be used by a process to trigger a security audit.	Local Service, Network Service	Workstations, Servers, and Domain Controllers
Impersonate a client after authentication	Allows programs running on behalf of the designated account to impersonate a client.	Administrators, Local Service, Network Service, Service	Workstations, Servers, and Domain Controllers
Increase a process working set	Determines which accounts can increase or decrease the size of a working set. (A working set defines the memory needed by a process within a given time interval.)	Users	Workstations, Servers, and Domain Controllers
Increase scheduling priority	Determines which accounts can use a process with write-property access to a different process to increase the execution priority assigned to that process.	Administrators	Workstations, Servers, and Domain Controllers
Load and unload device drivers	Determines which accounts can dynamically load and unload device drivers into kernel mode. (When an application or driver runs in kernel mode, it is operating at the highest protection ring within the operating system.)	On workstations and servers: Administrators On domain controllers: Administrators, Print Operators*	Workstations, Servers, and Domain Controllers
Lock pages in memory	Determines which users can use a process to keep data in physical memory.	None	Workstations, Servers, and Domain Controllers
Log on as a batch job	Allows a user account to be signed in through a batch-queue facility. Provided for compatibility with earlier versions of Windows.	Administrators, Backup Operators	Workstations, Servers, and Domain Controllers
Log on as a service	Allows a security principal to sign in as a service.	None	Workstations, Servers, and Domain Controllers
Manage auditing and security log	Determines which accounts can specify object access auditing options for resources.	Administrators	Workstations, Servers, and Domain Controllers
Modify an object label	Determines which accounts can modify the integrity label of objects, including files, registry keys, or processes owned by other users.	None	Workstations, Servers, and Domain Controllers
Modify firmware environment values	Determines which accounts can modify the firmware environment variables stored in nonvolatile RAM. For x86 computers, the last-known good configuration is modifiable. For Itanium-based systems, boot information is stored and can be modified.	Administrators	Workstations, Servers, and Domain Controllers
Perform volume maintenance tasks	Determines which accounts can perform maintenance on a volume.	Administrators*	Workstations, Servers, and Domain Controllers
Profile single process	Determines which accounts can use performance-monitoring tools to monitor nonsystem processes.	Administrators, Power Users	Workstations, Servers, and Domain Controllers
Profile system performance	Determines which users can monitor performance of system processes.	Administrators	Workstations, Servers, and Domain Controllers
Remove computer from docking station	Determines whether an account can undock a portable computer.	Administrators, Power Users, Users	Workstations, Servers, and Domain Controllers
Replace a process-level token	Determines which user accounts can call the Create Process As User() API so one service can start another service.	Network Service, Local Service	Workstations, Servers, and Domain Controllers
Restore files and directories	Determines which accounts can bypass file, directory, registry, and other persistent permissions when restoring backed-up objects.	On workstations and servers: Administrators, Backup Operators. On domain controllers: Administrators, Backup Operators, Server Operators*	Workstations, Servers, and Domain Controllers
Shut down the system	Determines which accounts, when signed in locally, can shut down the operating system.	On workstations: Administrators, Backup Operators, Users. On domain controllers: Administrators, Backup Operators, Server Operators, Print Operators	Workstations, Servers, and Domain Controllers
Synchronize directory service data	Determines which accounts can synchronize data with a directory service such as Active Directory.	None	Domain Controllers
Take ownership of files or other objects	Determines which accounts can take ownership of any securable object in the system, including Active Directory objects, files, folders, printers, and registry keys.	Administrators*	Workstations, Servers, and Domain Controllers

Although several rights can be customized, some of them have default assignments. In many cases, these default assignments will be sufficient for general computer use. Consider the needs of your organization when modifying user rights to ensure that proper access remains available.