User Rights

A user right is authorization to perform an operation that affects an entire computer rather than a specific object on the computer. User rights are divided into two categories: logon rights and privileges. Logon rights control how human users and other security principals are authorized to access a computer—at the keyboard, through a network connection, as a service, or as a batch job. Privileges control which users are authorized to manipulate system resources—by setting the computer's internal clock, for example, by loading and unloading device drivers, by backing up or restoring files and folders, or by doing anything else that affects the system as a whole. For a complete list of user rights and a description of their default settings, see the appendix "User Rights" in this book.

Unlike permissions, which are granted by an object's owner, user rights are assigned as part of the security policy for the computer. To view the user rights assignment for a computer, log on using an account that has administrative authority, open the Administrative Tools folder in Control Panel, and then start Local Security Policy. Figure 12.6 shows the user rights assignment in the security policy for a computer joined to a domain.


Figure 12.6 User Rights Assignment

For more information about using Group Policy to configure local security policy, see "Group Policy" in this book.
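
The user rights assignment can also be read from an elevated command line, which is useful when auditing who holds a given right. The following PowerShell is an added example, not part of the original text: it exports the user rights area with secedit and labels each entry as a logon right or a privilege. The function names and the export file name are hypothetical, and the classification assumes the naming convention in which logon right constants end in `LogonRight` and privilege constants end in `Privilege`.

```powershell
# Added example: list the user rights assignment and classify each right.
# Run from an elevated PowerShell prompt; secedit.exe ships with Windows.

function Resolve-Holder {
    # Export entries are written either as *SID or as a plain account name.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*S-')) { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.Substring(1))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Entry   # SID that cannot be resolved (for example a deleted account): keep raw value
    }
}

function ConvertFrom-UserRightsInf {
    # Parses the [Privilege Rights] section of a secedit export.
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $text -match '^(Se\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = $Matches[2] -split ',' |
                       ForEach-Object { $_.Trim() } | Where-Object { $_ }
            [pscustomobject]@{
                Right    = $right
                # Assumption: logon right constants end in "LogonRight".
                Category = if ($right -like '*LogonRight') { 'Logon right' } else { 'Privilege' }
                Holders  = ($holders | ForEach-Object { Resolve-Holder $_ }) -join '; '
            }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    ConvertFrom-UserRightsInf -Lines (Get-Content $cfg) |
        Sort-Object Category, Right |
        Format-Table -AutoSize -Wrap
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```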