Windows NT User Rights and Auditing
User rights are different from access permissions which allow access to resources such as read, write or execute access. User rights allow system control which includes the ability to format a hard drive or shut the system down.
Local Users created at installation time
- Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
- Guests - Have minimal privileges. It can be renamed. but can't be deleted. On NT workstation, disable the guest account or give it a password, since it is enabled upon installation.
- Initial User - Member of administrators group.
Two levels of security
The User Manager tool is used to create user and group accounts along with managing functional user rights, security auditing, and account policies. Functional user rights determine what programs the user can run or what system capabilities they have. Passwords are case sensitive, but user names are not. Both can contain spaces.
Two methods of adding user accounts:
- Make a copy of an existing account.
User names may be up to 20 characters long using upper and lowercase letters although it is not case sensitive. Does not use " / \ [ ] : ; | = , + * ? <, > characters in a user name. When an account is copied from a template the following fields are left blank:
- Full Name
- Password and confirm password
- User cannot change password
- Account disabled
User accounts should not be made local on various workstations when using domain user accounts. If a user account is deleted, when it is recreated, even though it may have the same name, it will have a different user ID number and resource access for that account must be set up again.
Password setting options the administrator can set for the user are:
- User must change password at the next login
- The user cannot change the password.
- The password never expires
Passwords are case sensitive and can be up to 14 characters. User names are not case sensitive and can be up to 20 characters. The user's home directory can be specified when the user is created or set later. The home directory is where data from an application is saved by default and where the command prompt will be when a command line session is begun.
|Right||Groups with the Rights|
|Access this computer from the network||Administrators, Power Users, Everyone|
|Back up files directories||Administrators, Backup Operators|
|Change the system time||Administrators, Power Users|
|Force shutdown from a remote system||Administrators, Power Users|
|Load and unload device drivers||Administrators|
|Log on locally||All built-in groups, including Everyone, except Replicator|
|Manage auditing and security log||Administrators|
|Restore files and directories||Administrators, Backup Operators|
|Shut down the system||All built-in groups except Guests and Replicator|
|Take Ownership of files or objects||Administrators|
Domain controllers do not have a power users group. On the Domain Controllers, Server Operators are similar to the Administrator group on the Workstation with all rights.
- Bypass traverse checking - Lets the user or group move through directory trees even if the group does not have permission to access the directories. Normally this right is given to Power Users.
- Log on as a service - This right is used by background applications. The rights are required for the service to function.
The following user events may be audited:
- File and Object Access - Logs user access to directories, files, or printers.
- Logon/Logoff - Local and remote logon and logoff connections may be audited.
- Process Tracking - Logs events about the running of programs.
- Restart, Shutdown, System - Logs when the system is shutdown or started.
- Security Policy Changes - Logs changes to User Rights and Account Policies.
- Use of User Rights - Logs when a user exercised a user right.
- User and Group Management - Logs user and group management events.