User Rights Assignment

By winthrop.polk
I am working on defining user rights for local policies. When I set a right to "Not Defined" what does that do? Does it set it to the default?

Also, based on the help files, I get the impression that in addition to either the user defined groups or the default windows defined groups that there are other hidden groups such as "local system".

What are all of these hidden groups? Can and should I assign user rights to "local system"?

Specifically, the setting for "deny logon as batch job" I have read the following:

"This right is useful for explicitly denying users the ability to run Scheduled Tasks under their own account. Scheduling tasks running under an admin/operator's personal account is bad practice since the jobs will fail if and when the person leaves the organization and their account is disabled or deleted or if the account is locked out due to repeated password failures. In addition, the user must remember to edit all scheduled tasks when he changes his password."

Based on that, should I not include all my groups in this setting; Then in the setting "logon as batch job", should I not only assign this to "local system"?


All Answers

Not Defined = Default

by CG IT In reply to User Rights Assignment

I won't recommend what you should do regarding local system user rights assignment. If you don't understand what the local policies are and what they do, I suggest you go to MS Technet and read up.

Here is a chart of local user rights assignments.

I do but....

by winthrop.polk In reply to Not Defined = Default

I understand what they do and how to implement, but this is my first time defining an entire security template.

Looking through that table, it did not assign "localsystem" to any of the user rights even though localsystem still has permissions to some of the rights, according to help file.

One more question: If I am in a non-domain environment, and I want to use my own group names rather than the default defined by MS, how do I ensure the other default groups have been deleted?

the NT service account or the local system account

by CG IT In reply to I do but....

Here is a brief Microsoft Technet article on the local systems account.

Note: everything dealing with the chart deals with Microsoft Configuration manager [SMS] which can be ignored.

Note: the local system account or NT Services Accounts are the operating system.

As far as hidden accounts, if you're referring to the C$ administrative share account,

here's a Microsoft article on that:

For NT Services:

The NT AUTHORITY\SYSTEM account is the name of the local system account.
Definitions from the Windows Security Resource Kit.
The Local System SID is the security context in which core components of the operating system run. In Windows 2000, Local System is the only built-in account with which to run system services.

Network Service available in Windows Server 2003 and Windows XP only, is used to run system services that do not require operating system-wide permissions to operate, but do need access to resources on other computers.
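
Added example, not part of any post in this thread: a PowerShell sketch that reads the `[Privilege Rights]` section of a security template and reports, per right, whether it is not defined (absent from the template), defined with no accounts, or assigned, resolving well-known SIDs such as Local System to names. The template text is constructed sample data, and `Get-TemplateUserRights` and `Resolve-Name` are hypothetical helper names.

```powershell
# Constructed security-template text, in the .inf layout that
# "secedit /export /cfg rights.inf /areas USER_RIGHTS" writes; not from a real machine.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyBatchLogonRight = *S-1-5-32-551
SeDenyServiceLogonRight =
[Version]
signature="$CHICAGO$"
'@

# Well-known SIDs; these accounts never appear in the local users and groups list.
$wellKnown = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM (Local System)'
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}
function Resolve-Name($sid) { if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $sid } }

function Get-TemplateUserRights {
    param([string]$InfText)
    $rights = @{}; $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # SIDs carry a leading '*'; an empty value means "defined, nobody holds it".
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

$rights = Get-TemplateUserRights -InfText $sampleInf
foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight', 'SeServiceLogonRight') {
    if (-not $rights.ContainsKey($right)) { "${right}: Not Defined (absent, so the template does not set it)" }
    elseif ($rights[$right].Count -eq 0)  { "${right}: Defined, no accounts" }
    else { "${right}: " + (($rights[$right] | ForEach-Object { Resolve-Name $_ }) -join ', ') }
}
# A deny right overrides the matching allow right, so flag accounts listed in both.
$both = @($rights['SeBatchLogonRight'] | Where-Object { $_ -and ($rights['SeDenyBatchLogonRight'] -contains $_) })
if ($both.Count) { "Allowed and denied batch logon: " + (($both | ForEach-Object { Resolve-Name $_ }) -join ', ') }
```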


by winthrop.polk In reply to the NT service account or ...

I'll read that.

What happens if I set a user right to "not defined", but I created my own groups and deleted all the default groups?

define what "group names" means to you

by CG IT In reply to I do but....

Groups are really containers. If you assign rights and permissions to a group, then those accounts contained in that group will have the rights and permissions.

You can create your own groups but the built in groups ought to provide you with what you want.

Note: anything you do on the local machine applies only to the local machine even in a workgroup setting.


by winthrop.polk In reply to define what "group names" ...

Thanks for the assistance man. I am moving the question to here:
