Revisit this often-overlooked method of granting advanced functionality to users, groups, and processes.
Windows NT user rights determine the tasks that a user can and can't perform on systems. NT gives you two groups of user rights: 11 standard and 16 advanced. Generally, only programmers use advanced rights, and you should grant them to users or groups only when absolutely necessary. When you set user rights on a domain controller (DC), those settings apply to all the domain's DCs. When you set rights on a workstation or member server, those settings apply only to that computer. However, before you start assigning rights, you must understand thoroughly what each right does and how you can use these rights to your advantage.
Setting User Rights
In User Manager for Domains, choose Policies, User Rights. A list of user rights appears, as Figure 1, page 64, shows. In the Grant To window, you can see the accounts and groups that already have a specified user right. To add a user or group to this window (i.e., to grant a right), click Add, then specify the user or group. To remove a user or group from this window (i.e., to take away a right), highlight the name and click Remove. If you need to administer an advanced right, you must select the Show Advanced User Rights check box so that the advanced rights appear in the list of user rights.
If you prefer to use the command line or a batch file to grant rights, you can use the Microsoft Windows NT Server 4.0 Resource Kit Supplement 3's ntrights.exe utility. You can also use ntrights.exe in an unattended NT installation in which you need to change default NT rights. Rights are easier to manage if you grant them to groups rather than to individual accounts. After you grant or remove a right, affected users must log off the network, then log on again so that their access tokens reflect the change. Keep in mind that you can also assign rights to processes (typically while programming code). Many rights are specifically intended for processes rather than users.
11 Standard User Rights
The following standard user rights are the rights that administrators most commonly use. These rights apply to the most common NT tasks that require user rights.
Access this computer from network. The Access this computer from network right lets users connect to a computer over the network. Users who need to connect to a resource (e.g., shared directories, shared printers) that a certain network computer offers must have this right. If you're performing maintenance on a computer and need to prevent users from connecting to its resources (while still letting the computer access resources that it needs), you can temporarily remove the Everyone group from this right. If you keep sensitive shares on a particular member server, you can create one user group that contains all contract workers and another group that contains all noncontract workers. Then, to ensure that contract workers don't accidentally stumble on your sensitive data shares, grant only noncontract workers the Access this computer from network right.
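The following batch file is an added example, not code from the original article, of using ntrights.exe to apply the member-server scenario just described: it grants the Access this computer from network right (privilege constant SeNetworkLogonRight) to a noncontract-worker group and then removes it from Everyone. It assumes the ntrights.exe syntax as documented in the NT 4.0 Resource Kit, and the server name, domain name, and group name are constructed for this example.

```batch
@echo off
rem Added example (not from the original article): restrict the
rem "Access this computer from network" right on a member server so that
rem only a noncontract-worker group can connect to its shares.
rem Assumes: ntrights.exe (NT 4.0 Resource Kit Supplement 3) is on the PATH,
rem the domain is MYDOMAIN, and FILESRV01 / NoncontractWorkers are constructed
rem names. Run from an account that can administer the target server.

setlocal
set SERVER=\\FILESRV01
set KEEP_GROUP=MYDOMAIN\NoncontractWorkers
set DROP_GROUP=Everyone
set RIGHT=SeNetworkLogonRight

rem 1. Grant the right to the group that must keep network access BEFORE
rem    removing it from Everyone, so that an administrator working remotely
rem    is never locked out between the two steps. -m targets the member
rem    server (rights set there apply only to that computer); -e writes an
rem    audit entry to the server's event log.
ntrights -m %SERVER% -u "%KEEP_GROUP%" +r %RIGHT% -e "Granted %RIGHT% to %KEEP_GROUP%"
if errorlevel 1 goto failed

rem 2. Remove the right from Everyone. Contract workers, who are not members
rem    of %KEEP_GROUP%, can no longer reach this server's shares.
ntrights -m %SERVER% -u "%DROP_GROUP%" -r %RIGHT% -e "Removed %RIGHT% from %DROP_GROUP%"
if errorlevel 1 goto failed

echo Done. Affected users must log off and log on again so that their
echo access tokens reflect the change.
goto end

:failed
rem Assumes ntrights.exe returns a nonzero exit code on failure.
echo ntrights.exe reported an error; check the event log on %SERVER%.

:end
endlocal
```

For the temporary maintenance case in the text, run only the second step against Everyone and reverse it with +r when maintenance is finished.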
Add workstations to domain. The Add workstations to domain right lets users who aren't members of the Administrators or Account Operators group add workstations to the domain. For example, if a contractor is helping you roll out a new batch of NT computers, you can assign the contractor a user account that has this right, rather than grant the higher security levels inherent in the Administrator and Account Operators groups. According to the Microsoft article "Capabilities of the 'Add Workstations to Domain' Right" (http://support.microsoft.com/support/kb/articles/q139/3/65.asp), this right also lets users access Server Manager (from Server Tools) to add and remove computer accounts. After thorough testing, I determined that the right doesn't grant this reported capability. Using Server Manager remotely to try to add a workstation to a domain, I received an Access Denied error message. However, on a clean NT installation, a user who has only this right can create the computer account during installation.
Back up files and directories. The Back up files and directories right lets users back up all files and directories, including those they otherwise can't access. I recommend that you grant this right only to the Backup Operators group and use User Manager for Domains to add users to the group as necessary. Be aware that some utilities (e.g., the resource kit's Scopy utility) can also bypass an object's file and directory permissions.
Change the system time. The Change the system time right lets users set the time on their computer. Most administrators use a time-synchronization utility (e.g., Net Time, the resource kit's timeserv.exe) to keep all desktops synchronized. Because many job functions depend on accurate time, correct timestamps on computer activity are probably crucial in your organization. To ensure that users don't change their system time away from that of the official company time server, you can restrict this right.