Platform SDK: Network Management
Calling some of the network management functions does not require special group membership. Other functions require that users have a specific privilege level to execute successfully. When applicable, the Security Requirements section on a function's reference page indicates the privilege level a user must have to execute the particular function.
The security requirements that apply when you call certain network management functions on Windows 2000 differ from the requirements that apply when you call the same functions on Windows NT. The affected functions include, among others, all those that begin with NetGroup, NetLocalGroup, and NetUser. For a complete list of affected functions, see the end of this topic. For the requirements that apply to an individual network management function, see that function's reference page.
Windows 2000 Active Directory domain controllers: If you call one of the affected functions on a Windows 2000 domain controller running Active Directory™, access to a securable object is allowed or denied based on the access-control list (ACL) for the object. (ACLs are specified in the directory.)
For queries, the default ACL permits all authenticated users and members of the "Pre-Windows 2000 compatible access" group to view information. For updates, the default ACL permits only Administrators and account operators to write information.
Note By default, the "Pre-Windows 2000 compatible access" group includes Everyone as a member. On Windows 2000 the Everyone group includes Anonymous Logon, so this grants anonymous callers read access to the information if the system allows anonymous access at all. Administrators can remove Everyone from the "Pre-Windows 2000 Compatible Access" group when installing a domain controller. Removing Everyone from the group restricts information access to authenticated users only.
Anonymous access to securable objects can also be restricted by setting the REG_DWORD value RestrictAnonymous under the following registry key to 1. (This is also referred to as the RestrictAnonymous policy setting.)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Windows 2000 servers and workstations: If you call one of the affected functions on a Windows 2000 member server or workstation to perform a query, all authenticated users can view the information. Anonymous access is also possible if the RestrictAnonymous policy setting allows anonymous access. For updates, only Administrators and account operators can write information.
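The following script audits the two anonymous-access controls described above: the RestrictAnonymous value under the Lsa key and the membership of the "Pre-Windows 2000 Compatible Access" group. It is an added example, not code from the Platform SDK. It assumes a modern PowerShell host on the domain controller with the ActiveDirectory (RSAT) module installed; the registry value and the group still exist on current Windows versions, but the page itself only documents Windows 2000 behavior. The hardening commands are left commented so the script is read-only by default.

```powershell
# Added example (not from the Platform SDK page): audit the anonymous-access
# controls the text describes. Assumes an elevated session on the domain
# controller and the ActiveDirectory module for the group check.

function Get-RestrictAnonymousSetting {
    # RestrictAnonymous is a REG_DWORD under the LSA key; a missing value
    # behaves as 0 (anonymous access not restricted).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name 'RestrictAnonymous' `
              -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $value) { $value = 0 }
    [pscustomobject]@{
        Key        = $key
        Value      = [int]$value
        Restricted = ([int]$value -ge 1)
    }
}

function Test-PreWin2000CompatibleAccess {
    # Everyone is the well-known SID S-1-1-0. Well-known principals in a
    # group's member attribute appear as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    $everyoneIsMember = [bool]($group.member | Where-Object { $_ -like 'CN=S-1-1-0,*' })
    [pscustomobject]@{
        Group            = $group.Name
        Members          = $group.member
        EveryoneIsMember = $everyoneIsMember
    }
}

$ra = Get-RestrictAnonymousSetting
$pw = Test-PreWin2000CompatibleAccess
$ra | Format-List
$pw | Format-List

if (-not $ra.Restricted) {
    Write-Warning "RestrictAnonymous is $($ra.Value): anonymous callers can reach the query functions this topic lists."
    # Restricted setting described in the text:
    # Set-ItemProperty -Path $ra.Key -Name 'RestrictAnonymous' -Value 1 -Type DWord
}
if ($pw.EveryoneIsMember) {
    Write-Warning 'Everyone is a member of Pre-Windows 2000 Compatible Access; anonymous callers inherit its read access.'
    # Removal described in the text (run on the domain controller):
    # net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
}
```

Both checks report rather than change state. Note that the group check reads the raw member attribute instead of Get-ADGroupMember because well-known SIDs such as Everyone are stored as foreign security principals and are easier to match by SID than by resolved name.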
The preceding security requirements apply to the following network management query functions when you call them on Windows 2000:
NetGroupEnum
NetGroupGetInfo
NetGroupGetUsers
NetLocalGroupEnum
NetLocalGroupGetInfo
NetLocalGroupGetMembers
NetSessionGetInfo (levels 1 and 2 only)
NetShareEnum (level 2 only)
NetUserEnum
NetUserGetGroups
NetUserGetInfo
NetUserGetLocalGroups
NetUserModalsGet
NetWkstaGetInfo
NetWkstaUserEnum
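To see the security requirements above in practice, the following script calls NetUserEnum, one of the query functions just listed, through P/Invoke and maps the return code to the rules this topic describes: NERR_Success for an authenticated caller, ERROR_ACCESS_DENIED for a caller the ACL rejects (for example an anonymous caller on a system with RestrictAnonymous set to 1). This is an added example and not code from the Platform SDK; the remote server name in the last line is an assumption, and a null server name queries the local computer.

```powershell
# Added example (not from the Platform SDK page): enumerate user accounts with
# NetUserEnum and interpret the status in terms of the page's security rules.

Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetUserEnum(
    string servername, int level, int filter, out IntPtr bufptr,
    int prefmaxlen, out int entriesread, out int totalentries, ref int resume_handle);

[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@

function Get-NetUserNames {
    param($Server = $null)    # $null = local computer; "\\name" = remote server

    $NERR_Success          = 0
    $ERROR_ACCESS_DENIED   = 5
    $ERROR_MORE_DATA       = 234
    $FILTER_NORMAL_ACCOUNT = 2
    $MAX_PREFERRED_LENGTH  = -1    # let Netapi32 allocate a buffer of the required size

    $names  = New-Object System.Collections.Generic.List[string]
    $resume = 0
    do {
        $buf = [IntPtr]::Zero; $read = 0; $total = 0
        # Level 0 returns an array of USER_INFO_0, each a single LPWSTR (usri0_name).
        $status = [Win32.NetApi]::NetUserEnum($Server, 0, $FILTER_NORMAL_ACCOUNT,
                  [ref]$buf, $MAX_PREFERRED_LENGTH, [ref]$read, [ref]$total, [ref]$resume)

        if ($status -eq $ERROR_ACCESS_DENIED) {
            # The object's ACL rejected the caller: not an authenticated user, or an
            # anonymous caller on a system where RestrictAnonymous = 1 or Everyone
            # has been removed from Pre-Windows 2000 Compatible Access.
            throw 'NetUserEnum returned ERROR_ACCESS_DENIED: query requires an authenticated caller.'
        }
        if ($status -ne $NERR_Success -and $status -ne $ERROR_MORE_DATA) {
            throw "NetUserEnum failed with status $status"
        }
        try {
            for ($i = 0; $i -lt $read; $i++) {
                $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf, $i * [IntPtr]::Size)
                $names.Add([Runtime.InteropServices.Marshal]::PtrToStringUni($p))
            }
        } finally {
            # Buffers returned by the Net* functions must be released with NetApiBufferFree.
            if ($buf -ne [IntPtr]::Zero) { [void][Win32.NetApi]::NetApiBufferFree($buf) }
        }
    } while ($status -eq $ERROR_MORE_DATA)   # ERROR_MORE_DATA: continue from $resume
    return $names
}

Get-NetUserNames                      # query the local computer
# Get-NetUserNames -Server '\\DC01'   # assumed server name; the same ACL rules apply remotely
```

Run the script once as an authenticated user and once from a null session (for example, a scheduled task running as a non-domain identity against a remote server) to observe the difference the RestrictAnonymous setting makes; the only code path that changes is the ERROR_ACCESS_DENIED branch.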
The security requirements also apply to the following network management update functions on Windows 2000:
NetGroupAdd
NetGroupAddUser
NetGroupDel
NetGroupDelUser
NetGroupSetInfo
NetGroupSetUsers
NetLocalGroupAdd
NetLocalGroupAddMembers
NetLocalGroupDel
NetLocalGroupDelMembers
NetLocalGroupSetInfo
NetLocalGroupSetMembers
NetUserAdd
NetUserChangePassword
NetUserDel
NetUserModalsSet
NetUserSetGroups
NetUserSetInfo
For more information about the Windows NT/Windows 2000 security model for controlling access to securable objects, see Access Control.