User Rights |
To ease the task of account administration, it is recommended that you assign privileges primarily to groups rather than to individual user accounts. When you assign privileges to a group, the privileges are assigned automatically to each user who is added to the group. This is easier than assigning privileges to individual user accounts as each account is created.
The privileges that can be assigned are listed and described in Table D.2. The strings that correspond to the constants in Winnt.h are shown in parentheses.
Table D.2 Privileges
Privilege | Description |
---|---|
Act as part of the operating system
(SeTcbPrivilege) |
Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege.
Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account (which already includes the privilege), rather than create a separate account and assign the privilege to it. |
Add workstations to a domain
(SeMachineAccountPrivilege) |
Allows the user to add a computer to a specific domain. For the privilege to be effective, it must be assigned to the user as part of local security policy for domain controllers in the domain. A user who has this privilege can add up to 10 workstations to the domain.
In Windows 2000, the behavior of this privilege is duplicated by the Create Computer Objects permission for organizational units and the default Computers container in Active Directory™. Users who have the Create Computer Objects permission can add an unlimited number of computers to the domain. |
Back up files and directories
(SeBackupPrivilege) |
Allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access through the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
By default, this privilege is assigned to Administrators and Backup Operators. (See also "Restore files and directories" in this table.) |
Bypass traverse checking
(SeChangeNotifyPrivilege) |
Allows the user to pass through folders to which the user otherwise has no access while navigating an object path in any Microsoft® Windows® file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
By default, this privilege is assigned to Administrators, Backup Operators, Power Users, Users, and Everyone. |
Change the system time
(SeSystemTimePrivilege) |
Allows the user to set the time for the internal clock of the computer.
By default, this privilege is assigned to Administrators and Power Users. |
Create a token object
(SeCreateTokenPrivilege) |
Allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
When a process requires this privilege, use the LocalSystem account (which already includes the privilege), rather than create a separate user account and assign this privilege to it. |
Create permanent shared objects
(SeCreatePermanentPrivilege) |
Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that extend the Windows 2000 object namespace. Components that are running in kernel mode already have this privilege assigned to them; it is not necessary to assign them the privilege. |
Create a pagefile
(SeCreatePagefilePrivilege) |
Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of System Properties.
By default, this privilege is assigned to Administrators. |
Debug programs
(SeDebugPrivilege) |
Allows the user to attach a debugger to any process. This privilege provides access to sensitive and critical operating system components.
By default, this privilege is assigned to Administrators. |
Enable computer and user accounts to be trusted for delegation
(SeEnableDelegationPrivilege) |
Allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
Delegation of authentication is a capability that is used by multi-tier client/server applications. It allows a front-end service to use the credentials of a client in authenticating to a back-end service. For this to be possible, both client and server must be running under accounts that are trusted for delegation. Misuse of this privilege or the Trusted for Delegation settings can make the network vulnerable to sophisticated attacks on the system that use Trojan horse programs, which impersonate incoming clients and use their credentials to gain access to network resources. |
Force shutdown from a remote system
(SeRemoteShutdownPrivilege) |
Allows a user to shut down a computer from a remote location on the network. (See also "Shut down the system" in this table.)
By default, this privilege is assigned to Administrators. |
Generate security audits
(SeAuditPrivilege) |
Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. (See also "Manage auditing and security log" in this table.) |
Increase quotas
(SeIncreaseQuotaPrivilege) |
Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. This privilege is useful for system tuning, but it can be abused, as in a denial-of-service attack.
By default, this privilege is assigned to Administrators. |
Increase scheduling priority
(SeIncreaseBasePriorityPrivilege) |
Allows a process that has Write Property access to another process to increase the execution priority of the other process. A user with this privilege can change the scheduling priority of a process in the Task Manager dialog box.
By default, this privilege is assigned to Administrators. |
Load and unload device drivers
(SeLoadDriverPrivilege) |
Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them destructive access to resources.
By default, this privilege is assigned to Administrators. |
Lock pages in memory
(SeLockMemoryPrivilege) |
Allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Assigning this privilege can result in significant degradation of system performance. This privilege is obsolete and is therefore never selected. |
Manage auditing and security log
(SeSecurityPrivilege) |
Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer.
By default, this privilege is assigned to Administrators. |
Modify firmware environment values
(SeSystemEnvironmentPrivilege) |
Allows modification of system environment variables either by a process through an API or by a user through System Properties.
By default, this privilege is assigned to Administrators. |
Profile a single process
(SeProfileSingleProcessPrivilege) |
Allows a user to run Microsoft® Windows NT® and Windows 2000 performance-monitoring tools to monitor the performance of nonsystem processes.
By default, this privilege is assigned to Administrators and Power Users. |
Profile system performance
(SeSystemProfilePrivilege) |
Allows a user to run Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.
By default, this privilege is assigned to Administrators. |
Remove computer from docking station
(SeUndockPrivilege) |
Allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
By default, this privilege is assigned to Administrators, Power Users, and Users. |
Replace a process-level token
(SeAssignPrimaryTokenPrivilege) |
Allows a parent process to replace the access token that is associated with a child process. |
Restore files and directories
(SeRestorePrivilege) |
Allows a user to circumvent file and directory permissions when restoring By default, this privilege is assigned to Administrators and Backup Operators. |
Shut down the system
(SeShutdownPrivilege) |
Allows a user to shut down the local computer. (See also "Force shutdown from a remote system" in this table.)
In Microsoft® Windows® 2000 Professional, this privilege is assigned by default to Administrators, Backup Operators, Power Users, and Users. In Microsoft® Windows® 2000 Server, this privilege is by default not assigned to Users; it is assigned only to Administrators, Backup Operators, and Power Users. |
Synchronize directory service data
(SeSynchAgentPrivilege) |
Allows a process to provide directory synchronization services. This privilege is relevant only on domain controllers.
By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers. |
Take ownership of files or other objects
(SeTakeOwnershipPrivilege) |
Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
By default, this privilege is assigned to Administrators. |