Previous Page | Next Page

  1. Introduction
  2. Windows 2000 Professional
  3. Windows 2000 Server
  4. Windows 2000 Advanced Server
  5. Windows 2000 Datacenter Server
  6. Application Support
  7. System Operation
  8. Disks and Volumes
  9. Filesystems
  10. Configuration Files
  11. Security
  12. Network Support
  13. Access Management
  14. Processes
  15. AD Structure
  16. AD Objects
  17. AD Object Naming
  18. AD Schema
  19. AD Sites
  20. Domains
  21. AD Functions
  22. AD Replication
  23. DNS
  24. AD Security
  25. AD Installation
  26. AD Configuration
  27. AD Performance
  28. Installation
  29. Installation Options
  30. Unattended Installation
  31. Software Distribution
  32. Remote Installation Service
  33. Language
  34. Accessibility
  35. File Attributes
  37. Distributed File System
  38. Control Panel
  39. Active Directory Tools
  40. Computer Management Console Tools
  41. MMC Tools
  42. Network Tools
  43. Network Monitor
  44. System Performance Monitoring
  45. Tools
  46. Managing Services
  47. Connections
  48. TCP/IP
  49. DHCP
  50. Printing
  51. Routing
  52. IPSec
  53. ICS
  54. Fault Tolerance
  55. Backup
  56. System Failure
  57. Services
  58. Remote Access
  59. WINS
  60. IIS
  61. Certificate Server
  62. Terminal Services
  63. Web Services
  64. Authentication
  65. Accounts
  66. Permissions
  67. Groups
  68. User Rights and Auditing
  69. Auditing
  70. User Profiles
  71. Policies
  72. Group Policies
  73. Miscellaneous
  74. Terms
  75. Credits

Windows 2000 User Rights and Auditing

User rights are different from access permissions which allow access to resources such as read, write or execute access. User rights allow system control which includes the ability to format a hard drive or shut the system down.

Local Users created at installation time

  1. Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
  2. Guests - Have minimal privileges. It can be renamed. but can't be deleted. On NT workstation, disable the guest account or give it a password, since it is enabled upon installation.
  3. Initial User - Member of administrators group.

Two levels of security

  • Logon
  • User Rights

Adding Accounts

The Use the "Local Users and Groups" tool is used to create user and group accounts locally and the "Active Directory Users and Computers" tool is used to create users remotely. They are also used to with managd functional user rights, security auditing, and account policies. Functional user rights determine what programs the user can run or what system capabilities they have. Passwords are case sensitive, but user names are not. Both can contain spaces.

Two methods of adding user accounts:

  • Creation
  • Make a copy of an existing account.

User names may be up to 20 characters long using upper and lowercase letters although it is not case sensitive. Does not use " / \ [ ] : ; | = , + * ? <, > characters in a user name. When an account is copied from a template the following fields are left blank:

  • Username
  • Full Name
  • Password and confirm password
  • User cannot change password
  • Account disabled

User accounts should not be made local on various workstations when using domain user accounts. If a user account is deleted, when it is recreated, even though it may have the same name, it will have a different user ID number and resource access for that account must be set up again.


Password setting options the administrator can set for the user are:

  • User must change password at the next login
  • The user cannot change the password.
  • The password never expires

Passwords are case sensitive and can be up to 14 characters. User names are not case sensitive and can be up to 20 characters. The user's home directory can be specified when the user is created or set later. The home directory is where data from an application is saved by default and where the command prompt will be when a command line session is begun.

User Rights

User rights are divided into:

  • Logon rights
  • User privileges

Logon Rights

RightDescriptionGroups with the Rights
Access this computer from the network *The user can connect to the computer remotely.Administrators, Power Users, Everyone
Deny access to this computer from the networkThe user cannot connect to the computer remotely.?
Deny logon as a batch job?
Deny logon as a service?
Logon as a batch job?
Logon as a service *This right is used by background applications. The rights are required for the service to function?
Log on locally *All built-in groups, including Everyone, except Replicator

User Privileges

Act as part of the operating system?
Add workstations to domain?
Back up files directories *The user can back up files or directories to storage media.Administrators, Backup Operators
Bypass traverse checking *Lets the user or group move through directory trees even if the group does not have permission to access the directories. Normally this right is given to Power Users.Everyone
Change the system time *Can change the current time.Administrators, Power Users
Create a page fileThe system memory pagefile size and location can be changed.Administrators
Create a token object?
Create permanent shared objects?
Debug programsCan debug threadsAdministrators
Enable computer and user accounts to be trusted for delegation?
Force shutdown from a remote system *A system can be shutdown across the network.Administrators, Power Users
Generate security audits?
Increase quotas?
Increase scheduling priorityIncrease a processes execution priority.Administrators, Power Users
Load and unload device drivers *Device drivers may be added or removed from the system.Administrators
Lock pages in memory?
Manage auditing and security log *View auditing log files and control what the system audits.Administrators
Modify firmware environment valuesBIOS firmware may be changed.Administrators
Profile single processView a specific system performance counter.Administrators, Power Users
Profile system performanceCheck the system performance with Performance Monitor.Administrators
Remove computer from docking station?
Replace a process level token?
Restore files and directories *The user can restore files or directories from storage media.Administrators, Backup Operators
Shut down the system *Shut the system off.Administrators, Backup Operators
Synchronize directory service data?
Take Ownership of files or objects *Make any objects owned by the user that is taking ownership. Ownership cannot be assigned to other users.Administrators

Setting User Rights

  • Organizational Units - In Administrative Tools, select "Active Directory Users and Computers".
  • Domain - In Administrative Tools, select "Domain Security Policy". The ADMINPAK must be installed on the computer.
  • Domain controllers - In Administrative Tools, select "Domain Controler Security Policy". The ADMINPAK must be installed on the computer.
  • Local computers - From the Control Panel, "Administrative Tools" applet, double click "Local Security Policy".

Domain controllers do not have a power users group. On the Domain Controllers, Server Operators are similar to the Administrator group on the Workstation with all rights.


The following user events may be audited:

  • File and Object Access - Logs user access to directories, files, or printers.
  • Logon/Logoff - Local and remote logon and logoff connections may be audited.
  • Process Tracking - Logs events about the running of programs.
  • Restart, Shutdown, System - Logs when the system is shutdown or started.
  • Security Policy Changes - Logs changes to User Rights and Account Policies.
  • Use of User Rights - Logs when a user exercised a user right.
  • User and Group Management - Logs user and group management events.