User Rights: An Introduction
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain, such as logging on locally or remotely, accessing the server from the network, and shutting down the server. Additionally, they can override permissions that have been set on specific objects.
You can use Group Policy to manage security settings quite effectively on a Windows Server 2012 R2 network. An enhanced range of security options is available, with settings designed for both user and computer configuration. Microsoft continues to expand the available range of security policies, compared to those included with previous versions of Windows Server.
User rights are defined as a default set of capabilities assigned to built-in domain local groups that define what members of these groups can and cannot do on the network. They consist of privileges and logon rights.
You can manage these predefined user rights from the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment node in the Group Policy Management Editor. Use the following procedure.
- Open the Group Policy Management Editor focused on an appropriate Group Policy object.
- Navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment node and select this node. The details pane shows a series of predefined user rights. When focused on the Default Domain Controllers Policy GPO, you see a default set of user rights assignments.
- To modify the assignment of any right, right-click it and select Properties. As shown for the Back up files and directories user right, the Properties dialog box displays the built-in groups that are granted this right by default.
[Figure: The Back up files and directories Properties dialog box displays the groups that are granted this right by default, and it enables you to modify this assignment if required.]
- To grant this right to another user or group, click Add User or Group. In the Add User or Group dialog box that appears, type or browse to the required user or group. Then click OK. To remove a user or group, select it and click Remove.
- When finished, click OK to close the Properties dialog box. You are returned to the Group Policy Management Editor, where you can continue to configure additional user rights as needed.
Note that each user right's Properties dialog box has an Explain tab, which provides additional information about what that user right involves.
You can also create a new GPO and configure a series of settings in this node to be applied to a specific group, and then link the GPO to an appropriate OU and grant the required group the Read and Apply Group Policy permissions. This is an easy way to grant user rights over a subset of the domain to a junior group of employees, such as help desk technicians.
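To review what a GPO edited this way actually grants, the assignments can be read back from the `[Privilege Rights]` section of a security template (the format written by `secedit /export /cfg <file> /areas USER_RIGHTS` and stored in a GPO's GptTmpl.inf) and compared with an approved list. The following is an added example, not part of the original article; the sample template, the `CONTOSO\HelpDesk` group, the baseline, and the function names are constructed for illustration.

```python
# Added example; SAMPLE_INF and BASELINE are constructed, not real policy data.
SAMPLE_INF = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,CONTOSO\\HelpDesk
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
"""

# Approved principals per right (assumed baseline; replace with your own).
BASELINE = {
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-32-549"},
    "SeInteractiveLogonRight": {"S-1-5-32-544"},
    "SeRemoteShutdownPrivilege": {"S-1-5-32-544"},
}


def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section.

    Entries are comma separated; SIDs carry a leading '*', account names do not.
    Principals are upper-cased because Windows compares them case-insensitively.
    """
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*").upper() for p in value.split(",") if p.strip()
            }
    return rights


def unexpected_grants(rights, baseline):
    """List (right, principal) pairs that the baseline does not approve."""
    findings = []
    for right, principals in sorted(rights.items()):
        approved = {p.upper() for p in baseline.get(right, set())}
        findings.extend((right, p) for p in sorted(principals - approved))
    return findings


if __name__ == "__main__":
    for right, who in unexpected_grants(parse_privilege_rights(SAMPLE_INF), BASELINE):
        print(f"REVIEW: {right} granted to {who}")
```

A right that is missing from the baseline is reported for every principal that holds it, so new assignments surface by default instead of passing silently.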