The Windows XP Professional operating system allows Rights to be assigned to individual users as well as to groups of users. Rights are best described as actions that those users or groups are permitted to perform on a specific system or within the domain.
On a standalone Windows XP Professional system you can view the Rights Assignments for users by using the Local Security Policy MMC.
You can do the same on a domain member, but in most cases in a managed environment you may find that many settings are applied to the local system by Group Policies linked at the domain level and possibly at the OU level.
[NOTES FROM THE FIELD] – For more information on Group Policy and how it works you can check out my Active Directory Group Policy article here.
You can see in the image below that both “Deny logon as a service” and “Force shutdown from a remote system” have a different icon than the rest of the Rights in the User Rights Assignment section of the Local Security Policy.
This is because those two settings are being forced onto the local system via a Group Policy Object that is linked to the domain. This Windows XP Professional system is a member of that domain and thus affected by that GPO.
The following is a list of all of the default User Privileges on a Windows XP Professional system.
- Act as part of the operating system
- Add workstations to domain
- Adjust memory quotas for a process
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Create a pagefile
- Create a token object
- Create permanent shared objects
- Debug programs
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Increase scheduling priority
- Load and unload device drivers
- Lock pages in memory
- Manage auditing and security log
- Modify firmware environment values
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Replace a process level token
- Restore files and directories
- Shut down the system
- Synchronize directory service data
- Take ownership of files or other objects
Of the privileges listed above, the following have no users or groups listed by default as having the explicit right to perform the given action:
- Act as part of the operating system
- Add workstations to domain
- Create a token object
- Create permanent shared objects
- Enable computer and user accounts to be trusted for delegation
- Lock pages in memory
- Synchronize directory service data
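As an added example (not part of the original article), the following Python sketch audits the seven empty-by-default rights listed above against the `[Privilege Rights]` section of a policy export such as the one produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The `Se...` constant names and well-known group SIDs are the standard Windows identifiers rather than values from the article, and the sample export, including the account name `svc_legacy`, is constructed for illustration.

```python
# Rights the article lists as having no users or groups assigned by default,
# keyed by the constant names secedit writes in its [Privilege Rights] section.
EMPTY_BY_DEFAULT = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeMachineAccountPrivilege": "Add workstations to domain",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeCreatePermanentPrivilege": "Create permanent shared objects",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
    "SeLockMemoryPrivilege": "Lock pages in memory",
    "SeSyncAgentPrivilege": "Synchronize directory service data",
}

# Well-known SIDs of built-in local groups discussed in the article.
BUILTIN = {
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users", "S-1-5-32-551": "Backup Operators",
}

def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [BUILTIN.get(h, h) for h in holders]
    return rights

def unexpected_grants(inf_text):
    """List (display name, holders) for rights that should be empty but are not."""
    rights = parse_privilege_rights(inf_text)
    return [(EMPTY_BY_DEFAULT[r], rights[r])
            for r in EMPTY_BY_DEFAULT if rights.get(r)]

# Constructed sample export, not taken from a real system.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege = *S-1-5-32-547
SeLockMemoryPrivilege =
SeCreateTokenPrivilege = svc_legacy
"""

print(unexpected_grants(SAMPLE))
```

Exports written by secedit are usually UTF-16, so decode the file accordingly before passing its text to `unexpected_grants`.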
Members of the built-in Administrators group on the local Windows XP Professional system have full control of the computer and can assign user rights and access control permissions to users for any of the resources. The built-in Administrator account is a default member of the Administrators local group.
If this system is joined to a domain, the Domain Admins group is automatically added to the Administrators local group, giving its members full control of the local system as well. Members of the built-in Administrators group are granted the following User Privileges by default:
- Adjust memory quotas for a process
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Create a pagefile
- Debug programs
- Force shutdown from a remote system
- Increase scheduling priority
- Load and unload device drivers
- Manage auditing and security log
- Modify firmware environment values
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Restore files and directories
- Shut down the system
- Take ownership of files or other objects.
Members of the built-in Backup Operators group can back up and restore files on the local system. Members of this group need no access to the data other than membership in this group in order to back up the data on the local system. The right to perform a backup takes precedence over all file and folder level security permissions.
There are no user accounts in this group by default.
Members of the built-in Backup Operators group are granted the following User Privileges by default:
- Back up files and directories
- Bypass traverse checking
- Restore files and directories
- Shut down the system.
Members of the built-in Guests group on Windows XP Professional systems have limited access to the computer. The local Guest account is disabled by default and is a default member of the Guests local group. Members of the built-in Guests group have no explicit User Privileges by default.
The built-in HelpServicesGroup allows an administrator to set rights that will be used across all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance, and regular users should not be added to this group. The HelpServicesGroup has no explicit User Privileges by default.
Members of the built-in Power Users group can create user accounts and local groups. They can modify and delete only those accounts and groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups, as well as create shared resources and administer the shared resources they have created. The Power Users group is limited so that its members cannot perform data backups or restorations, cannot take ownership of files, and cannot manage audit or security logs. They are also prevented from loading or unloading device drivers.
There are no user accounts in this group by default.
Members of the built-in Power Users group are granted the following User Privileges by default:
- Bypass traverse checking
- Change the system time
- Profile single process
- Remove computer from docking station
- Shut down the system.
[NOTES FROM THE FIELD] – It is important to note that with a little effort and the correct level of knowledge a user with Power User rights on a local system can elevate their privileges on that system to the point where they can operate with a level of administrative access.
Great care should be taken as to who is a member of this group and if that level of access is really necessary.
Members of the built-in Remote Desktop Users group can remotely log on to another system via Remote Desktop Connection and Terminal Services. While this group has no User Privileges on the local system by default, its members are able to log on remotely.
There are no user accounts in this group by default.
Members of the built-in Users group can perform common tasks on the local Windows XP system and are allowed to use the local resources for which they have the proper permissions. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group when the system is joined to the domain.
This makes any domain user account a member of this group automatically at the time the account is created.
Members of the built-in Users group are granted the following User Privilege by default:
- Bypass traverse checking.
Users who are added to the built-in Network Configuration Operators group gain no default User Privileges from their membership in this group, but they are able to make changes to TCP/IP settings and to renew and release TCP/IP addresses.
There are no user accounts in this group by default.
The built-in Replicator group is available to support replication functions on the local system. The only member of the Replicator group should be the specific domain user account used to log on the Replicator services of a domain controller. User accounts of actual users should not be added to this group.
There are no user accounts in this group by default and the group has no User Privileges on the local system.
Article originally appeared at 2000trainers.com
Jason Zandri has worked as a consultant, systems engineer and technical trainer for a variety of corporate clients in Connecticut over the past five years and currently holds the position of Technical Account Manager for Microsoft Corporation.
He has also written a number of COMPTIA and MICROSOFT prep tests for Boson Software and holds a number of certifications from both companies. Currently, he writes part time for a number of freelance projects, including numerous “HOW TO” and best practices articles for 2000Trainers.com and MCMCSE.com.