Appendix B: Privileged Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. This appendix begins by discussing rights, privileges, and permissions, followed by information about the "highest privilege" accounts and groups in Active Directory, that is, the most powerful accounts and groups.

Information is also provided about built-in and default accounts and groups in Active Directory, in addition to their rights. Although specific configuration recommendations for securing the highest privilege accounts and groups are provided as separate appendices, this appendix provides background information that helps you identify the users and groups you should focus on securing. You should do so because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.

Rights, Privileges, and Permissions in Active Directory

The differences between rights, permissions, and privileges can be confusing and contradictory, even within documentation from Microsoft. This section describes some of the characteristics of each as they are used in this document. These descriptions should not be considered authoritative for other Microsoft documentation, because it may use these terms differently.

Rights and Privileges

Rights and privileges are effectively the same system-wide capabilities that are granted to security principals such as users, services, computers, or groups. In interfaces typically used by IT professionals, these are usually referred to as "rights" or "user rights," and they are often assigned by Group Policy Objects. The following screenshot shows some of the most common user rights that can be assigned to security principals (it represents the Default Domain Controllers GPO in a Windows Server 2012 domain). Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time.

[Screenshot: Privileged accounts and groups (user rights assignment in the Default Domain Controllers GPO)]

In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality, however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B-1: User Rights and Privileges provides some of the most common assignable user rights and their programmatic constants. Although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges.

For more information about each of the user rights listed in the following table, use the links in the table or see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server 2008 R2 on the Microsoft TechNet site. For information applicable to Windows Server 2008, see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet site. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet published.

Note

For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified.

Table B-1: User Rights and Privileges

User Right in Group Policy | Name of Constant
Access Credential Manager as a trusted caller | SeTrustedCredManAccessPrivilege
Access this computer from the network | SeNetworkLogonRight
Act as part of the operating system | SeTcbPrivilege
Add workstations to domain | SeMachineAccountPrivilege
Adjust memory quotas for a process | SeIncreaseQuotaPrivilege
Allow log on locally | SeInteractiveLogonRight
Allow log on through Terminal Services | SeRemoteInteractiveLogonRight
Back up files and directories | SeBackupPrivilege
Bypass traverse checking | SeChangeNotifyPrivilege
Change the system time | SeSystemtimePrivilege
Change the time zone | SeTimeZonePrivilege
Create a pagefile | SeCreatePagefilePrivilege
Create a token object | SeCreateTokenPrivilege
Create global objects | SeCreateGlobalPrivilege
Create permanent shared objects | SeCreatePermanentPrivilege
Create symbolic links | SeCreateSymbolicLinkPrivilege
Debug programs | SeDebugPrivilege
Deny access to this computer from the network | SeDenyNetworkLogonRight
Deny log on as a batch job | SeDenyBatchLogonRight
Deny log on as a service | SeDenyServiceLogonRight
Deny log on locally | SeDenyInteractiveLogonRight
Deny log on through Terminal Services | SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege
Force shutdown from a remote system | SeRemoteShutdownPrivilege
Generate security audits | SeAuditPrivilege
Impersonate a client after authentication | SeImpersonatePrivilege
Increase a process working set | SeIncreaseWorkingSetPrivilege
Increase scheduling priority | SeIncreaseBasePriorityPrivilege
Load and unload device drivers | SeLoadDriverPrivilege
Lock pages in memory | SeLockMemoryPrivilege
Log on as a batch job | SeBatchLogonRight
Log on as a service | SeServiceLogonRight
Manage auditing and security log | SeSecurityPrivilege
Modify an object label | SeRelabelPrivilege
Modify firmware environment values | SeSystemEnvironmentPrivilege
Perform volume maintenance tasks | SeManageVolumePrivilege
Profile single process | SeProfileSingleProcessPrivilege
Profile system performance | SeSystemProfilePrivilege
Remove computer from docking station | SeUndockPrivilege
Replace a process level token | SeAssignPrimaryTokenPrivilege
Restore files and directories | SeRestorePrivilege
Shut down the system | SeShutdownPrivilege
Synchronize directory service data | SeSyncAgentPrivilege
Take ownership of files or other objects | SeTakeOwnershipPrivilege
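The constants in Table B-1 are what the operating system actually stores, so they are also what you see when you export the effective security policy of a host. The following script is an added example, not part of the Microsoft appendix: it exports the local user rights assignment with secedit.exe, parses the [Privilege Rights] section, resolves the SIDs it contains to account names, and reports who holds a selection of the higher-impact rights from the table. The list of "high impact" constants is this example's own selection, not a classification from the page; run it in an elevated PowerShell session on the host you want to audit (for example a domain controller, where the Default Domain Controllers GPO sets these values).

```powershell
# Added example (not from the Microsoft appendix). Audits which principals hold
# selected high-impact user rights on the local host, using the constants from Table B-1.

# The selection below is this example's own; extend it with any constant from Table B-1.
$HighImpactRights = @(
    'SeTcbPrivilege',                # Act as part of the operating system
    'SeDebugPrivilege',              # Debug programs
    'SeBackupPrivilege',             # Back up files and directories
    'SeRestorePrivilege',            # Restore files and directories
    'SeTakeOwnershipPrivilege',      # Take ownership of files or other objects
    'SeLoadDriverPrivilege',         # Load and unload device drivers
    'SeEnableDelegationPrivilege',   # Enable computer and user accounts to be trusted for delegation
    'SeSyncAgentPrivilege',          # Synchronize directory service data
    'SeCreateTokenPrivilege',        # Create a token object
    'SeAssignPrimaryTokenPrivilege', # Replace a process level token
    'SeImpersonatePrivilege'         # Impersonate a client after authentication
)

# secedit writes the effective local policy to an .inf file. Its [Privilege Rights]
# section contains lines such as:  SeDebugPrivilege = *S-1-5-32-544
$exportPath = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

function ConvertTo-AccountName {
    param([string]$Entry)
    # Entries prefixed with '*' are SIDs; anything else is already an account name.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # unresolvable SID (deleted account, untrusted domain): report it raw
        }
    }
    return $Entry
}

# Build a map of constant name -> list of account names that hold it.
$assignments = @{}
$inSection = $false
foreach ($line in Get-Content -Path $exportPath) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = $Matches[2].Split(',') | ForEach-Object { ConvertTo-AccountName $_.Trim() }
        $assignments[$right] = @($holders)
    }
}

# A right that is absent from the export is not assigned to anyone on this host.
$HighImpactRights | ForEach-Object {
    $right = $_
    $holders = if ($assignments.ContainsKey($right)) { $assignments[$right] -join ', ' } else { '(not assigned)' }
    [pscustomobject]@{ UserRight = $right; AssignedTo = $holders }
} | Format-Table -AutoSize

Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
```

Comparing this output between a domain controller and a member server makes the point of the section concrete: the same constant is granted to different principals on different hosts because the assignment is a per-host setting delivered by Group Policy, not a property of the account.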

Permissions

Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects. With the exception of each domain's built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default. Therefore, whether a user, service, or computer account attempts to read general properties on user objects in a domain, the read operation is successful.

If a security principal attempts to access an object whose ACL contains no ACE for any SID present in the principal's access token, the principal cannot access the object. Moreover, if an ACE in an object's ACL contains a deny entry for a SID that matches the user's access token, the "deny" ACE will generally override a conflicting "allow" ACE. For more information about access control in Windows, see Access Control on the MSDN website.

Within this document, permissions refers to capabilities that are granted or denied to security principals on securable objects. Whenever there is a conflict between a user right and a permission, the user right generally takes precedence. For example, if an object in Active Directory has been configured with an ACL that denies Administrators all read and write access to the object, a user who is a member of the domain's Administrators group will be unable to view much information about the object. However, because the Administrators group is granted the user right "Take ownership of files or other objects," the user can simply take ownership of the object in question, then rewrite the object's ACL to grant Administrators full control of the object.

It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups. It is not effectively possible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource.
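The two points above, that a Deny ACE generally overrides an Allow ACE, and that ownership (or the right to rewrite the ACL) is equivalent to full control regardless of what the ACL says, are both visible in the ACL of a directory object. The following script is an added example, not code from the Microsoft appendix: it reads the ACLs of the domain head and of the AdminSDHolder object through the ActiveDirectory module's AD: drive and reports the owner, every explicit Deny ACE, and every ACE that grants GenericAll, WriteDacl, or WriteOwner, since a principal holding any of those can rewrite the ACL just as a member of Administrators can by taking ownership. The choice of the two objects and of the three rights is this example's own; it assumes the RSAT ActiveDirectory module is installed and the caller can read the directory.

```powershell
# Added example (not from the Microsoft appendix). Reports who owns, who can rewrite
# the ACL of, and who is explicitly denied on two sensitive directory objects.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn, "CN=AdminSDHolder,CN=System,$domainDn")

# Rights that let a holder rewrite the object's ACL or ownership, which is
# equivalent to full control (compare the "Take ownership" discussion above).
$controlRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"

    # The owner can always rewrite the DACL, so it is reported alongside the ACEs.
    [pscustomobject]@{ Object = $dn; Principal = $acl.Owner; Type = 'Owner'; Rights = 'Owner'; Inherited = $false }

    foreach ($ace in $acl.Access) {
        $grantsControl = (($ace.ActiveDirectoryRights -band $controlRights) -ne 0)
        $isDeny        = ($ace.AccessControlType -eq 'Deny')
        # Deny ACEs are listed because they generally override a conflicting Allow ACE
        # for the same principal; compare them against the Allow entries in the output.
        if ($grantsControl -or $isDeny) {
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Object, Type, Principal | Format-Table -AutoSize
```

On a default installation the control-type entries on these two objects belong to Administrators, Domain Admins, Enterprise Admins and SYSTEM; any other principal in the output holds the same effective power as the groups discussed in this appendix and should be reviewed.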

Built-in Privileged Accounts and Groups

Active Directory is intended to facilitate delegation of administration and the principle of least privilege in assigning rights and permissions. "Regular" users who have accounts in an Active Directory domain are, by default, able to read much of what is stored in the directory, but are able to change only a very limited set of data in the directory. Users who require additional privilege can be granted membership in various privileged groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties.

Within Active Directory, there are three built-in groups that comprise the highest privilege groups in the directory: the Enterprise Admins (EA) group, the Domain Admins (DA) group, and the built-in Administrators (BA) group.

A fourth group, the Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups.

In addition to these four groups, there are a number of additional built-in and default accounts and groups in Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be performed. Although this appendix does not provide a thorough discussion of every built-in or default group in Active Directory, it does provide a table of the groups and accounts that you're most likely to see in your installations.

For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and groups may be created in the Built-in and Users containers in your domains. This appendix describes only the groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native roles and features. Accounts and groups that are created by the installation of enterprise software are not included.

Enterprise Admins

The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to make forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust.

The EA group is located by default in the Users container in the forest root domain, and it is a universal security group, unless the forest root domain is running in Windows 2000 Server mixed mode, in which case the group is a global security group. Although some rights are granted directly to the EA group, many of this group's rights are actually inherited by the EA group because it is a member of the Administrators group in each domain in the forest. Enterprise Admins have no default rights on workstations or member servers.

Domain Admins

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in Administrators (BA) group in addition to being a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain.

DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in "break glass" scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain-wide changes must be made. Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process.

The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account. Because a domain's DA group is nested in the domain's BA group and in every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and the local Administrators group on all systems joined to the domain.

Administrators

The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers. However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers' local Administrators group is where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined computers' local Administrators groups by default.

The Administrators group is a domain-local group in the domain's Built-in container. By default, every domain's BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs. A domain's BA group is granted full control permissions on most directory objects, and can take ownership of directory objects. Although EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of these groups is actually "inherited" from their membership in BA groups.

Note

Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent.

Schema Admins

The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-in Administrator account as a default member, similar to the EA group. Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema.

You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.

Additional Built-in and Default Groups in Active Directory

To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. These groups are described briefly in the following table.

The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default; however, built-in groups are located (by default) in the Built-in container in Active Directory, while default groups are located (by default) in the Users container in Active Directory. Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).

In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. These groups and accounts can be found in the shaded rows in Table B-1: Built-in and Default Groups and Accounts in Active Directory. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.
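Because EA, DA and BA are nested into one another and, per the note above, are effectively equivalent in privilege, and because the elevated built-in and default groups described here should likewise be monitored, reviewing membership one group at a time is not enough: what matters is the effective, recursively expanded membership. The following script is an added example, not code from the Microsoft appendix: it expands the membership of Enterprise Admins and Schema Admins (queried against the forest root domain, where they exist), of Domain Admins and the built-in Administrators group (looked up by its well-known SID S-1-5-32-544) in the current domain, and of a few elevated groups from the table (Account Operators, Backup Operators, DnsAdmins, a selection of this example's own), then flags which members are the domain's Built-in Administrator account (RID 500, the only default member named in this appendix) and which principals appear in more than one group. It assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example (not from the Microsoft appendix). Effective membership of the
# highest-privilege groups and of selected elevated groups from Table B-1.
Import-Module ActiveDirectory

$root   = (Get-ADForest).RootDomain   # EA and SA exist only in the forest root domain
$domain = (Get-ADDomain).DNSRoot

# Which groups to review. The selection of elevated groups is this example's own.
$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $root   },
    @{ Name = 'Schema Admins';     Server = $root   },
    @{ Name = 'Domain Admins';     Server = $domain },
    @{ Name = 'S-1-5-32-544';      Server = $domain },   # built-in Administrators, by well-known SID
    @{ Name = 'Account Operators'; Server = $domain },
    @{ Name = 'Backup Operators';  Server = $domain },
    @{ Name = 'DnsAdmins';         Server = $domain }    # present only if the DNS Server role was installed
)

$report = foreach ($g in $groups) {
    try   { $group = Get-ADGroup -Identity $g.Name -Server $g.Server }
    catch { Write-Warning "Group '$($g.Name)' not found on $($g.Server)"; continue }

    # -Recursive expands nested groups and returns only the leaf principals,
    # so a user nested three groups deep is still reported.
    $members = Get-ADGroupMember -Identity $group -Server $g.Server -Recursive
    foreach ($m in $members) {
        [pscustomobject]@{
            Group  = $group.Name
            Domain = $g.Server
            Member = $m.SamAccountName
            Class  = $m.objectClass
            # The only default member this appendix names for EA, DA, BA and SA is the
            # domain's Built-in Administrator account, whose SID always ends in RID 500.
            IsBuiltinAdministrator = ($m.SID.Value -like '*-500')
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Principals that hold more than one of these memberships. Given the note above,
# a member of any one of EA/DA/BA already has the reach of the others.
$report | Group-Object Member | Where-Object { $_.Count -gt 1 } |
    Select-Object @{ n = 'Member'; e = { $_.Name } },
                  @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Anything in the first table other than the Built-in Administrator account and the nested EA/DA entries is a non-default member and is a candidate for removal or for migration to a more narrowly delegated group; run the script from a member server or administrative host rather than a domain controller, and against each domain of the forest, since every domain has its own DA, BA and Administrator account.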

下表 B-1: 建預設帳號及 Active Directory 中的群組Table B-1: Built-in and Default Accounts and Groups in Active Directory
Account 或群組Account or Group 預設容器、 群組領域並輸入Default Container, Group Scope and Type 描述與預設使用者權限Description and Default User Rights
存取控制協助者 (在 Windows Server 2012 中 Active Directory)Access Control Assistance Operators (Active Directory in Windows Server 2012) 建容器Built-in container

網域本機安全性群組Domain-local security group
授權屬性與權限此電腦上的資源,可以從遠端查詢此群組成員。Members of this group can remotely query authorization attributes and permissions for resources on this computer.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
Account 電信業者Account Operators 建容器Built-in container

網域本機安全性群組Domain-local security group
成員可以管理網域使用者和群組帳號。Members can administer domain user and group accounts.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
管理員Administrator account 使用者容器Users container

不是群組Not a group
建負責管理網域。Built-in account for administering the domain.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

調整記憶體配額處理程序Adjust memory quotas for a process

在本機允許登入Allow log on locally

允許登入透過遠端桌面服務Allow log on through Remote Desktop Services

備份的檔案和目錄Back up files and directories

略過周遊檢查Bypass traverse checking

變更系統時間Change the system time

變更時區Change the time zone

建立分頁檔Create a pagefile

建立通用物件Create global objects

建立符號的連結Create symbolic links

程式進行偵錯Debug programs

讓電腦和使用者帳號受信任的委派Enable computer and user accounts to be trusted for delegation

從遠端系統推動關機Force shutdown from a remote system

驗證後模擬 clientImpersonate a client after authentication

增加程序運作設定Increase a process working set

增加排定優先順序Increase scheduling priority

載入,而且釋放裝置驅動程式Load and unload device drivers

分批身分登入Log on as a batch job

管理稽核及安全的登入Manage auditing and security log

修改 firmware 環境值Modify firmware environment values

執行音量維護工作Perform volume maintenance tasks

設定檔單一程序Profile single process

設定檔的系統效能Profile system performance

連接基座移除電腦Remove computer from docking station

還原的檔案和目錄Restore files and directories

關機Shut down the system

取得檔案或其他物件的擁有權Take ownership of files or other objects
系統管理員群組Administrators group 建容器Built-in container

網域本機安全性群組Domain-local security group
系統管理員可以網域完整,且不受限制的存取。Administrators have complete and unrestricted access to the domain.

直接使用者權限:Direct user rights:

從網路存取此電腦Access this computer from the network

調整記憶體配額處理程序Adjust memory quotas for a process

在本機允許登入Allow log on locally

允許登入透過遠端桌面服務Allow log on through Remote Desktop Services

備份的檔案和目錄Back up files and directories

略過周遊檢查Bypass traverse checking

變更系統時間Change the system time

變更時區Change the time zone

建立分頁檔Create a pagefile

建立通用物件Create global objects

建立符號的連結Create symbolic links

程式進行偵錯Debug programs

讓電腦和使用者帳號受信任的委派Enable computer and user accounts to be trusted for delegation

從遠端系統推動關機Force shutdown from a remote system

驗證後模擬 clientImpersonate a client after authentication

增加排定優先順序Increase scheduling priority

載入,而且釋放裝置驅動程式Load and unload device drivers

分批身分登入Log on as a batch job

管理稽核及安全的登入Manage auditing and security log

修改 firmware 環境值Modify firmware environment values

執行音量維護工作Perform volume maintenance tasks

設定檔單一程序Profile single process

設定檔的系統效能Profile system performance

連接基座移除電腦Remove computer from docking station

還原的檔案和目錄Restore files and directories

關機Shut down the system

取得檔案或其他物件的擁有權Take ownership of files or other objects

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
允許的 RODC 密碼複寫群組Allowed RODC Password Replication Group 使用者容器Users container

網域本機安全性群組Domain-local security group
此群組成員可以讓它們複製到網域中的所有唯讀網域控制站的密碼。Members in this group can have their passwords replicated to all read-only domain controllers in the domain.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
備份電信業者Backup Operators 建容器Built-in container

網域本機安全性群組Domain-local security group
備份電信業者可以備份或還原檔案的專為覆寫安全性限制。Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.

直接使用者權限:Direct user rights:

在本機允許登入Allow log on locally

備份的檔案和目錄Back up files and directories

分批身分登入Log on as a batch job

還原的檔案和目錄Restore files and directories

關機Shut down the system

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
憑證的發行者Cert Publishers 使用者容器Users container

網域本機安全性群組Domain-local security group
此群組成員允許發行至 「 directory 的憑證。Members of this group are permitted to publish certificates to the directory.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
憑證服務 DCOM 存取Certificate Service DCOM Access 建容器Built-in container

網域本機安全性群組Domain-local security group
如果憑證服務 (不建議使用) 的網域控制站安裝,此群組授與 DCOM 註冊存取網域使用者與網域的電腦。If Certificate Services is installed on a domain controller (not recommended), this group grants DCOM enrollment access to Domain Users and Domain Computers.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
複製網域控制站 (在 Windows Server 2012AD DS AD DS)Cloneable Domain Controllers (AD DS in Windows Server 2012AD DS) 使用者容器Users container

安全性的全域群組Global security group
此群組成員可以複製網域控制站的。Members of this group that are domain controllers may be cloned.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
密碼編譯電信業者Cryptographic Operators 建容器Built-in container

網域本機安全性群組Domain-local security group
獲准執行密碼編譯作業。Members are authorized to perform cryptographic operations.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
使用者偵錯工具Debugger Users 這是預設都建群組,但時在於 AD DS,以深入調查的原因。This is neither a default nor a built-in group, but when present in AD DS, is cause for further investigation. 偵錯工具使用者群組的指示,偵錯工具上已安裝的系統有些時候,是否透過 Visual Studio、 SQL,Office 或其他應用程式所需要支援的偵錯環境。The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. 此群組,可讓遠端偵錯的存取權的電腦。This group allows remote debugging access to computers. 此群組網域層級時,表示您的偵錯工具或包含偵錯工具的應用程式上已安裝的網域控制站。When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.
拒絕的 RODC 密碼複寫群組Denied RODC Password Replication Group 使用者容器Users container

網域本機安全性群組Domain-local security group
此群組成員能它們複製到網域中的任何唯讀網域控制站的密碼。Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.

直接使用者權限:Direct user rights: None

繼承的使用者權限:Inherited user rights:

從網路存取此電腦Access this computer from the network

加入網域工作站Add workstations to domain

略過周遊檢查Bypass traverse checking

增加程序運作設定Increase a process working set
DHCP Administrators
Default container: Users container
Group type: Domain-local security group
Description: Members of this group have administrative access to the DHCP Server service.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

DHCP Users
Default container: Users container
Group type: Domain-local security group
Description: Members of this group have view-only access to the DHCP Server service.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Distributed COM Users
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group are allowed to launch, activate, and use Distributed COM objects on this computer.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

DnsAdmins
Default container: Users container
Group type: Domain-local security group
Description: Members of this group have administrative access to the DNS Server service.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

DnsUpdateProxy
Default container: Users container
Group type: Global security group
Description: Members of this group are DNS clients that are permitted to perform dynamic updates on behalf of clients that cannot perform dynamic updates themselves. Members of this group are typically DHCP servers.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Domain Admins
Default container: Users container
Group type: Global security group
Description: Designated administrators of the domain. Domain Admins is a member of every domain-joined computer's local Administrators group, and so receives the rights and permissions granted to the local Administrators group, in addition to those of the domain's Administrators group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
Take ownership of files or other objects

Domain Computers
Default container: Users container
Group type: Global security group
Description: All workstations and servers that are joined to the domain are members of this group by default.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Domain Controllers
Default container: Users container
Group type: Global security group
Description: All domain controllers in the domain. Note: domain controllers are not members of the Domain Computers group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Domain Guests
Default container: Users container
Group type: Global security group
Description: All guests in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Domain Users
Default container: Users container
Group type: Global security group
Description: All users in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Enterprise Admins (exists only in the forest root domain)
Default container: Users container
Group type: Universal security group
Description: Enterprise Admins have permissions to change forest-wide configuration settings. Enterprise Admins is a member of every domain's Administrators group and receives the rights and permissions granted to that group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
Take ownership of files or other objects

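
The Domain Admins and Enterprise Admins entries above both say that the group is itself a member of Administrators (of every domain-joined computer's local Administrators group for Domain Admins, of every domain's Administrators group for Enterprise Admins), so the effective membership of Administrators is wider than its direct member list. The PowerShell script below is an added example and is not part of the original appendix: it walks every domain in the forest, expands the nested membership of Domain Admins and Administrators (plus Enterprise Admins and Schema Admins in the forest root, which is the only domain where those two exist), and marks members that reach the group only through nesting. It assumes the RSAT ActiveDirectory module and an account that can read group membership; the group names are the defaults listed in this appendix, and the CSV output path is an assumption.

```powershell
# Added example, not from the original appendix. Assumes the RSAT
# ActiveDirectory module; group names are the defaults from this appendix,
# the output path is an assumption.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$forestRoot = $forest.RootDomain
$report     = [System.Collections.Generic.List[object]]::new()

foreach ($domain in $forest.Domains) {
    # Domain Admins and Administrators exist in every domain; Enterprise Admins
    # and Schema Admins exist only in the forest root domain.
    $groups = @('Domain Admins', 'Administrators')
    if ($domain -eq $forestRoot) { $groups += 'Enterprise Admins', 'Schema Admins' }

    foreach ($name in $groups) {
        $grp    = Get-ADGroup -Identity $name -Server $domain -Properties member
        $direct = @($grp.member)            # DNs stored on the group object itself
        # -Recursive expands nested groups down to the users and computers inside.
        try {
            $effective = Get-ADGroupMember -Identity $name -Server $domain -Recursive
        } catch {
            # Expansion fails when a member is a foreign security principal from
            # another forest; report it and keep going instead of losing the run.
            Write-Warning "$domain\$name : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $effective) {
            $report.Add([pscustomobject]@{
                Domain = $domain
                Group  = $name
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Nested = ($direct -notcontains $m.DistinguishedName)
            })
        }
    }
}

$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Principals that reach Administrators only through nesting are the ones to
# review: Domain Admins and Enterprise Admins are the expected paths, any other
# intermediate group is not.
$report | Where-Object { $_.Group -eq 'Administrators' -and $_.Nested } |
    Export-Csv -Path .\nested-administrators.csv -NoTypeInformation
```

Get-ADGroupMember -Recursive returns only leaf objects, so a member that is absent from the group's own member attribute must have arrived through a nested group; that is what the Nested column records. The warning branch matters in multi-forest environments, where a single unresolvable foreign security principal would otherwise abort the whole enumeration.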
Enterprise Read-only Domain Controllers
Default container: Users container
Group type: Universal security group
Description: This group contains the accounts of all read-only domain controllers in the forest.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Event Log Readers
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can read the event logs on domain controllers.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Group Policy Creator Owners
Default container: Users container
Group type: Global security group
Description: Members of this group can create and modify Group Policy Objects in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Guest
Default container: Users container
Group type: Not a group
Description: This is the only account in an AD DS domain that does not have the Authenticated Users SID added to its access token. Therefore, any resource that is configured to grant access to the Authenticated Users group will not be accessible to this account. This is not true of members of the Domain Guests and Guests groups, however; members of those groups do have the Authenticated Users SID added to their access tokens.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Bypass traverse checking
Increase a process working set

Guests
Default container: Built-in container
Group type: Domain-local security group
Description: Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described above.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Hyper-V Administrators (Windows Server 2012)
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group have complete and unrestricted access to all features of Hyper-V.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

IIS_IUSRS
Default container: Built-in container
Group type: Domain-local security group
Description: Built-in group used by Internet Information Services.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Incoming Forest Trust Builders (exists only in the forest root domain)
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.)
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Krbtgt
Default container: Users container
Group type: Not a group
Description: The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to the credentials of all accounts stored in Active Directory. This account is disabled by default and should never be enabled.
User rights: Not applicable

Network Configuration Operators
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group are granted privileges that allow them to manage the configuration of networking features.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Performance Log Users
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer.
Direct user rights:
Log on as a batch job
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Performance Monitor Users
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can access performance counter data locally and remotely.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Pre-Windows 2000 Compatible Access
Default container: Built-in container
Group type: Domain-local security group
Description: This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it gives its members the ability to read user and group information in the domain.
Direct user rights:
Access this computer from the network
Bypass traverse checking
Inherited user rights:
Add workstations to domain
Increase a process working set

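
Because this group carries "Access this computer from the network" as a direct right together with read access to user and group information, what matters in practice is who is in it. On current installations the member is Authenticated Users; domains that were set up with the pre-Windows 2000 compatibility option, or upgraded from such a domain, can still carry Everyone or Anonymous Logon, which extends that read access to unauthenticated callers. Those well-known principals are stored as foreign security principal objects, which Get-ADGroupMember does not always expand, so the script below, an added example that is not part of the original appendix, reads the group's member attribute directly and translates each SID to a name. It assumes the RSAT ActiveDirectory module and read access to the group.

```powershell
# Added example, not from the original appendix. Assumes the RSAT
# ActiveDirectory module and read access to the group.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member

$members = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
    # Well-known principals (Everyone, Anonymous Logon, Authenticated Users) live
    # under CN=ForeignSecurityPrincipals; translate the SID to a readable name
    # and fall back to the raw SID if the local machine cannot resolve it.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    [pscustomobject]@{
        Member = $name
        Class  = $obj.ObjectClass
        Sid    = $sid.Value
        # S-1-1-0 is Everyone and S-1-5-7 is Anonymous Logon; either one means
        # the group's read access is available without authentication.
        Unauthenticated = ($sid.Value -in 'S-1-1-0', 'S-1-5-7')
    }
}

$members | Format-Table -AutoSize
if ($members | Where-Object Unauthenticated) {
    Write-Warning 'Pre-Windows 2000 Compatible Access grants directory read access to unauthenticated principals.'
}
```

Reading the member attribute rather than calling Get-ADGroupMember is the point of the example: the membership that makes this group dangerous is exactly the kind that the cmdlet's member expansion tends to drop or fail on.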
Print Operators
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can administer domain printers.
Direct user rights:
Allow log on locally
Load and unload device drivers
Shut down the system
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

RAS and IAS Servers
Default container: Users container
Group type: Domain-local security group
Description: Servers in this group can read remote access properties on user accounts in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

RDS Endpoint Servers (Windows Server 2012)
Default container: Built-in container
Group type: Domain-local security group
Description: Servers in this group run virtual machines and host the sessions in which users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. The RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

RDS Management Servers (Windows Server 2012)
Default container: Built-in container
Group type: Domain-local security group
Description: Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

RDS Remote Access Servers (Windows Server 2012)
Default container: Built-in container
Group type: Domain-local security group
Description: Servers in this group give users of RemoteApp programs and personal virtual desktops access to those resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. The RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Read-only Domain Controllers
Default container: Users container
Group type: Global security group
Description: This group contains all read-only domain controllers in the domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Remote Desktop Services Users
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group are granted the right to log on remotely using RDP.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Remote Management Servers (Windows Server 2012)
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Replicator
Default container: Built-in container
Group type: Domain-local security group
Description: Supports legacy file replication in a domain.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Schema Admins (exists only in the forest root domain)
Default container: Users container
Group type: Universal security group
Description: Schema Admins are the only users who can make modifications to the Active Directory schema, and only when the schema is write-enabled.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Server Operators
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can administer domain servers.
Direct user rights:
Allow log on locally
Back up files and directories
Change the system time
Change the time zone
Force shutdown from a remote system
Restore files and directories
Shut down the system
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Terminal Server License Servers
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

Users
Default container: Built-in container
Group type: Domain-local security group
Description: Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most of them. Users are prevented from making accidental or intentional system-wide changes and can run most applications.
Direct user rights:
Increase a process working set
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking

Windows Authorization Access Group
Default container: Built-in container
Group type: Domain-local security group
Description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

WinRMRemoteWMIUsers_ (Windows Server 2012)
Default container: Users container
Group type: Domain-local security group
Description: Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Direct user rights: None
Inherited user rights:
Access this computer from the network
Add workstations to domain
Bypass traverse checking
Increase a process working set

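
The "Direct user rights" and "Inherited user rights" entries in the table above describe the default assignments on domain controllers; what a given DC actually grants can drift from them through Group Policy. The script below is an added example and is not part of the original appendix: it exports the user rights assignment in force on the domain controller it runs on with secedit, maps the privilege constants back to the right names used in this table, and resolves each holder's SID to a name, so a group that has been given Debug programs or Load and unload device drivers outside the defaults shows up by name. It must run in an elevated prompt on a DC. The name mapping covers the rights this appendix lists; which rights are marked sensitive is this example's choice.

```powershell
# Added example, not from the original appendix. Run elevated on a domain
# controller. The "sensitive" list is this example's choice, not the page's.
$export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Privilege constant -> right name exactly as it appears in the table above.
$rightNames = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeMachineAccountPrivilege     = 'Add workstations to domain'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeBackupPrivilege             = 'Back up files and directories'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeDebugPrivilege              = 'Debug programs'
    SeEnableDelegationPrivilege   = 'Enable computer and user accounts to be trusted for delegation'
    SeRemoteShutdownPrivilege     = 'Force shutdown from a remote system'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeIncreaseWorkingSetPrivilege = 'Increase a process working set'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeSecurityPrivilege           = 'Manage auditing and security log'
    SeRestorePrivilege            = 'Restore files and directories'
    SeShutdownPrivilege           = 'Shut down the system'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
}
# Rights that amount to full control of a DC, and through it of the directory.
$sensitive = 'SeDebugPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
             'SeEnableDelegationPrivilege', 'SeSecurityPrivilege'

$assignments = foreach ($line in Get-Content $export) {
    # Lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $priv    = $Matches[1]
        $holders = foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {
                # "*SID" form: translate to DOMAIN\Name, keep the SID if that fails.
                $sid = [System.Security.Principal.SecurityIdentifier]($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else {
                $entry   # secedit already wrote a name
            }
        }
        $rightName = if ($rightNames.ContainsKey($priv)) { $rightNames[$priv] } else { $priv }
        [pscustomobject]@{
            Right     = $rightName
            Sensitive = ($priv -in $sensitive)
            Holders   = ($holders -join '; ')
        }
    }
}

$assignments |
    Sort-Object @{ Expression = 'Sensitive'; Descending = $true }, Right |
    Format-Table -Wrap
Remove-Item $export
```

Compare the Holders column for the rights marked sensitive against the groups this table lists for them: on a default domain controller, Debug programs and Load and unload device drivers should resolve to Administrators (and, for the latter, Print Operators), Back up and Restore files and directories to Administrators, Backup Operators and Server Operators, and Enable computer and user accounts to be trusted for delegation to Administrators only. Any other holder is a delegation that was added later and should be accounted for.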