Lesson 2: Configuring User Rights

Lesson 2:?Configuring User Rights

Under the Local Policies node, there are three nodes: Audit Policy, User Rights Assignment, and Security Options. Audit Policy was explained in Chapter 12, "Auditing Resources and Events." In this lesson you learn how use the Group Policy snap-in to assign user rights. Security options are covered in Lesson 3.


After this lesson, you will be able to

  • Configure user rights

Estimated lesson time: 30 minutes


User Rights

You can assign specific rights to groups or individual user accounts. To simplify administration of user rights, Microsoft recommends that you assign user rights only to groups and not individual user accounts. Each user right allows the members of the group or the individual users assigned the right to perform a specific action, such as backing up files or changing the system time. If a user is a member of more than one group, the user rights applied to that user are cumulative, so the user has all the user rights assigned to all the groups of which he or she is a member.

You can configure user rights on a computer running Windows XP Professional by using the Group Policy snap-in as follows:

  1. Click Start and click Run. Type mmc in the Open text box, and click OK to open an empty custom MMC console.
  2. On the File menu, click Add/Remove Snap-In, and then click Add.
  3. In the Add Standalone Snap-In dialog box, click Group Policy and then click Add.

    The Select Group Policy Object dialog box appears, allowing you to point the MMC console containing Group Policy at the local computer or at a remote computer. The Allow The Focus Of The Group Policy Snap-In To Be Changed When Launching From The Command Line check box allows you to configure the MMC so that you can decide which computer to use Group Policy on when you start the MMC.

  4. Click Finish to leave Group Policy with its focus on the Local Computer, the default setting, and save the console with Local Group Policy.
  5. Expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and Local Policies, and then click User Right Assignments.
  6. In the details pane, select the user right you want to configure, and then on the Action menu, click Properties.

    The console displays the current groups and user accounts that have this user right assigned, as shown in Figure 13.4. To add groups or user accounts, click Add. To remove a group or user, select the group or user and click Remove.

Figure 13.4??The Group Policy snap-in displaying User Rights Assignment

There are two types of user rights: privileges and logon rights.

Privileges

A privilege is a user right that allows the members of the group to which it is assigned to perform a specific task, usually one that affects an entire computer system rather than one object. Table 13.3 explains the privileges you can assign in Windows XP Professional.

Table 13.3??Privileges Available in Windows XP Professional

Logon Rights

A logon right is a user right assigned to a group or an individual user account. Logon rights control the way users can log on to a system. Table 13.4 explains the logon rights you can assign in Windows XP Professional.

Table 13.4??Logon Rights Available in Windows XP Professional

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."

  1. Which of the following statements about user rights are correct? (Choose all that apply.)
    1. Microsoft recommends that you assign user rights to individual user accounts.
    2. Microsoft recommends that you assign user rights to groups rather than individual user accounts.
    3. User rights allow users assigned the right to perform a specific action, such as backing up files and directories.
    4. There are two types of user rights: privileges and logon rights.
  2. If your computer running Windows XP Professional is part of a Windows 2000 domain environment and you configure the Local Security Policies on your computer so that you assign yourself the Add Workstation To A Domain user right, can you add additional workstations to the domain? Why or why not?
  3. What benefit does the Back Up Files And Directories user right provide?
  4. What are logon rights and what do they do?

Lesson Summary

  • User Rights Assignment is one of the three nodes located under the Local Policies node and it can be configured using the Group Policy snap-in.
  • A privilege is a user right that allows users to perform a specific task, usually one that affects an entire computer system rather than one object.
  • Bypass Traverse Tracking is a privilege that allows users to move through folders that they have no permission to access.
  • Logon rights are user rights assigned to a group or an individual user account to control the way users can log on to a system.
  • Logon rights control whether or not a user can connect to a computer over the network or sitting at the computer's keyboard.