Question

  • #2201420

    User Rights Assignment

    by winthrop.polk ·

    I am working on defining user rights for local policies. When I set a right to “Not Defined”, what does that do? Does it set it to the default?

    Also, based on the help files, I get the impression that in addition to either the user defined groups or the default windows defined groups that there are other hidden groups such as “local system”.

    What are all of these hidden groups? Can and should I assign user rights to “local system”?

    Specifically, the setting for “deny logon as batch job” I have read the following:

    “This right is useful for explicitly denying users the ability to run Scheduled Tasks under their own account. Scheduling tasks running under an admin/operator’s personal account is bad practice since the jobs will fail if and when the person leaves the organization and their account is disabled or deleted or if the account is locked out due to repeated password failures. In addition, the user must remember to edit all scheduled tasks when he changes his password.”

    Based on that, should I not include all my groups in this setting? Then, in the setting “logon as batch job”, should I not only assign this to “local system”?

    Thanks

All Answers

    • #3018431

      Clarifications

      by winthrop.polk ·

      In reply to User Rights Assignment

      Clarifications

    • #3018427

      Not Defined = Default

      by cg it ·

      In reply to User Rights Assignment

      I won’t recommend what you should do regarding local system user rights assignment. If you don’t understand what the local policies are and what they do, I suggest you go to MS Technet and read up.

      here is a chart of local user rights assignments.

      http://technet.microsoft.com/en-us/library/dd277311.aspx

      • #3018398

        I do but….

        by winthrop.polk ·

        In reply to Not Defined = Default

        I understand what they do and how to implement, but this is my first time defining an entire security template.

        Looking through that table, it did not assign “localsystem” to any of the user rights even though localsystem still has permissions to some of the rights, according to help file.

        One more question: If I am in a non-domain environment, and I want to use my own group names rather than the default defined by MS, how do I ensure the other default groups have been deleted?

        • #3018382

          the NT service account or the local system account

          by cg it ·

          In reply to I do but….

          here is a brief Microsoft Technet article on the local systems account.

          http://technet.microsoft.com/en-us/library/bb680595.aspx

          Note: everything dealing with the chart deals with Microsoft Configuration manager [SMS] which can be ignored.

          Note: the local system account or NT Services Accounts are the operating system.

          As far as hidden accounts, if you’re referring to the C$ administrative share account,

          here’s a Microsoft article on that:

          http://support.microsoft.com/kb/314984

          for NT Services:

          The NT AUTHORITY\SYSTEM account is the name of the local system account.
          Definitions from the Windows Security Resource Kit.
          System:
          The Local System SID is the security context in which core components of the
          operating system run. In Windows 2000, Local System is the only built-in
          account with which to run system services.

          NetworkService:
          Network Service, available in Windows Server 2003 and Windows XP only, is
          used to run system services that do not require operating system-wide
          permissions to operate, but do need access to resources on other computers.

        • #3018370

          thanks

          by winthrop.polk ·

          In reply to the NT service account or the local system account

          I’ll read that.

          What happens if I set a user right to “not defined”, but I created my own groups and deleted all the default groups?

        • #2755362

          define what “group names” means to you

          by cg it ·

          In reply to I do but….

          groups are really containers. if you assign rights and permissions to a group, then those accounts contained in that group will have the rights and permissions.

          you can create your own groups but the built in groups ought to provide you with what you want.

          note: anything you do on the local machine applies only to the local machine even in a workgroup setting.

        • #2996278

          Explanation

          by winthrop.polk ·

          In reply to define what “group names” means to you

          Thanks for the assistance man. I am moving the question to here:

          http://techrepublic.com.com/5208-1035-0.html?forumID=101&threadID=317280
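
An added example, not written by anyone in the thread: a Python sketch that reads the `[Privilege Rights]` section of a security template and reports which of the batch-logon rights discussed above are absent (shown as “Not Defined” in the template editor), which are defined but empty, and which principals appear under both “logon as batch job” and “deny logon as batch job”. The template text and every account and group name in it are constructed for illustration.

```python
# Constructed secedit-style template; every account and group name is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,svc_backup,Operators
SeDenyBatchLogonRight = Operators,Helpdesk
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

# Log on as a batch job, its deny counterpart, and two neighbours for contrast.
RIGHTS_TO_CHECK = ("SeBatchLogonRight", "SeDenyBatchLogonRight",
                   "SeServiceLogonRight", "SeDenyInteractiveLogonRight")

def parse_privilege_rights(text):
    """Return {right: [principals]} for the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit(text):
    """Classify the checked rights and compare allow vs. deny for batch logon."""
    rights = parse_privilege_rights(text)
    allow = {p.lower() for p in rights.get("SeBatchLogonRight", [])}
    deny = {p.lower() for p in rights.get("SeDenyBatchLogonRight", [])}
    return {
        # Absent from the section: the template does not configure the right.
        "not_defined": [r for r in RIGHTS_TO_CHECK if r not in rights],
        # Present with an empty value: defined, but granted to nobody.
        "defined_empty": [r for r in RIGHTS_TO_CHECK if r in rights and not rights[r]],
        # Named in both lists: the deny entry takes precedence.
        "allow_and_deny": sorted(allow & deny),
        "allow_only": sorted(allow - deny),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_INF).items():
        print(f"{key}: {value}")
```

Matching is by literal string, so a group written once as a SID and once by name will not be paired; resolve names to SIDs first if a template mixes both.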
