Previous Page | Next Page

  1. Introduction
  2. Capabilities
  3. Structure
  4. The Registry
  5. System and Configuration Files
  6. Security
  7. Application Support
  8. Requirements
  9. Installation
  10. Unattended Installation
  11. Booting
  12. Filesystems
  13. Programs
  14. Control Panel
  15. Tool
  16. Commands
  17. Customization
  18. Environment Variables
  19. Printing
  20. Performance
  21. System Services
  22. Permissions
  23. Groups
  24. User Rights and Auditing
  25. User Profiles
  26. Policies
  27. Network Model
  28. Resource Access
  29. Network Browsing
  30. Protocol Support
  31. RAS
  32. Networking
  33. Backups
  34. Events
  35. Error Handling
  36. Diagnostic Tools
  37. Items to Memorize
  38. Terms
  39. Credits

Windows NT User Rights and Auditing

User rights are different from access permissions which allow access to resources such as read, write or execute access. User rights allow system control which includes the ability to format a hard drive or shut the system down.

Local Users created at installation time

  1. Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
  2. Guests - Have minimal privileges. It can be renamed. but can't be deleted. On NT workstation, disable the guest account or give it a password, since it is enabled upon installation.
  3. Initial User - Member of administrators group.

Two levels of security

  • Logon
  • User Rights

Adding Accounts

The User Manager tool is used to create user and group accounts along with managing functional user rights, security auditing, and account policies. Functional user rights determine what programs the user can run or what system capabilities they have. Passwords are case sensitive, but user names are not. Both can contain spaces.

Two methods of adding user accounts:

  • Creation
  • Make a copy of an existing account.

User names may be up to 20 characters long using upper and lowercase letters although it is not case sensitive. Does not use " / \ [ ] : ; | = , + * ? <, > characters in a user name. When an account is copied from a template the following fields are left blank:

  • Username
  • Full Name
  • Password and confirm password
  • User cannot change password
  • Account disabled

User accounts should not be made local on various workstations when using domain user accounts. If a user account is deleted, when it is recreated, even though it may have the same name, it will have a different user ID number and resource access for that account must be set up again.


Password setting options the administrator can set for the user are:

  • User must change password at the next login
  • The user cannot change the password.
  • The password never expires

Passwords are case sensitive and can be up to 14 characters. User names are not case sensitive and can be up to 20 characters. The user's home directory can be specified when the user is created or set later. The home directory is where data from an application is saved by default and where the command prompt will be when a command line session is begun.

User Rights

RightGroups with the Rights
Access this computer from the networkAdministrators, Power Users, Everyone
Back up files directoriesAdministrators, Backup Operators
Change the system timeAdministrators, Power Users
Force shutdown from a remote systemAdministrators, Power Users
Load and unload device driversAdministrators
Log on locallyAll built-in groups, including Everyone, except Replicator
Manage auditing and security logAdministrators
Restore files and directoriesAdministrators, Backup Operators
Shut down the systemAll built-in groups except Guests and Replicator
Take Ownership of files or objectsAdministrators

Domain controllers do not have a power users group. On the Domain Controllers, Server Operators are similar to the Administrator group on the Workstation with all rights.

Advanced rights:

  • Bypass traverse checking - Lets the user or group move through directory trees even if the group does not have permission to access the directories. Normally this right is given to Power Users.
  • Log on as a service - This right is used by background applications. The rights are required for the service to function.


The following user events may be audited:

  • File and Object Access - Logs user access to directories, files, or printers.
  • Logon/Logoff - Local and remote logon and logoff connections may be audited.
  • Process Tracking - Logs events about the running of programs.
  • Restart, Shutdown, System - Logs when the system is shutdown or started.
  • Security Policy Changes - Logs changes to User Rights and Account Policies.
  • Use of User Rights - Logs when a user exercised a user right.
  • User and Group Management - Logs user and group management events.