Default User Rights on Professional and Member Servers

The following terms are used in Windows 2000:

  • Permission: An Access Control List describing and regulating the types of operations that can be performed on a resource (such as reading or writing a file or directory). Permissions are usually granted by the owner of an object. Non-Microsoft systems often refer to this type of definition as a right. In Windows 2000, the term user right has a very specific meaning.

  • User-Right: An authorization that can be granted to a user, a group or a process to perform an operation on a Windows 2000 system, like shutting down a computer. Rights in Windows 2000 must be explicitly granted. Windows 2000 comes with a set of default User-Rights already assigned to various built-in groups. There is only one right that is not assigned, because it is inherent: The right to deny or allow access to a resource that you own. User-Rights are divided into two groups: logon rights and privileges.
    Logon rights control how security principals are authorized to access a system (through the keyboard, as a service, over the network, etc.).
    Privileges control which users, groups or processes are authorized to manipulate the system's resources (change the system time, load and unload drivers), that is, actions that affect the system as a whole.

  • Capabilities: Inherent powers associated with given built-in groups, such as locking the server or creating user accounts. In contrast to User-Rights, capabilities cannot be changed.

The tables below list the default User-Rights assignments and inherent Capabilities on Windows 2000 systems.

  Default User Rights assignments on Windows 2000 Domain Controllers
  Default User Rights assignments on Windows 2000 Professional and Windows 2000 Member server (non DCs)
  Default Capabilities inherent on Windows 2000 Servers (DCs)
  Default Capabilities inherent on Windows 2000 Professional and Windows 2000 Servers (non DCs)

 

Default User Rights assignments on Windows 2000 Domain Controllers

| User Right | Groups |
|---|---|
| Access this computer from the network | Administrators, Authenticated Users, Backup Operators, Everyone, IWAM_<computername>, IUSR_<computername>, <domainname>\IUSR_<computername>, <domainname>\IWAM_<computername>, Power Users, Users |
| Act as Part of the Operating System | |
| Add Workstations to Domain | Authenticated Users |
| Back up Files and Directories | Administrators, Backup Operators, Server Operators |
| Bypass Traverse Checking | Administrators, Authenticated Users, Backup Operators, Everyone, Power Users, Users |
| Change the System Time | Administrators, Power Users, Server Operators |
| Create a Pagefile | Administrators |
| Create a Token Object | |
| Create Permanent Shared Objects | |
| Debug Programs | Administrators |
| Deny Access to this Computer from the Network | |
| Deny Logon as a Batch Job | |
| Deny Logon as a Service | |
| Deny Logon Locally | |
| Enable Computer and User Accounts to be Trusted for Delegation | |
| Force Shutdown from a Remote System | Administrators, Server Operators |
| Generate Security Audits | |
| Increase Quotas | Administrators |
| Increase Scheduling Priority | Administrators |
| Load and Unload Device Drivers | Administrators |
| Lock Pages in Memory | |
| Log on as a Batch Job | IUSR_<computername>, IWAM_<computername>, <domainname>\IUSR_<computername>, <domainname>\IWAM_<computername> |
| Log on as a Service | |
| Log on Locally | Account Operators, Administrators, Backup Operators, IUSR_<computername>, <domainname>\Guest, <domainname>\IUSR_<computername>, <domainname>\TsInternetUser, Power Users, Print Operators, Server Operators, TsInternetUser, Users |
| Manage Auditing and Security Log | Administrators |
| Modify Firmware Environment Values | Administrators |
| Profile Single Process | Power Users, Administrators |
| Profile System Performance | Administrators |
| Remove Computer from Docking Station | Administrators, Power Users, Users |
| Replace a Process Level Token | |
| Restore Files and Directories | Administrators, Backup Operators, Server Operators |
| Shut Down the System | Account Operators, Administrators, Backup Operators, Print Operators, Power Users, Server Operators |
| Synchronize Directory Service Data | |
| Take Ownership of Files or Other Objects | Administrators |

Default User Rights assignments on Windows 2000 Professional and Windows 2000 Member server (non domain controller)
Note: The only differences in the default assigned User Rights between Windows 2000 Professional systems and Windows 2000 Member Servers are in the rights Log on Locally and Shut Down the System.

| User Right | Professional | Server |
|---|---|---|
| Access this computer from the network | Administrators, Backup Operators, Everyone, Power Users, Users, <computername>\IUSR_<computername>, <computername>\IWAM_<computername> | Administrators, Backup Operators, Everyone, Power Users, Users, <computername>\IUSR_<computername>, <computername>\IWAM_<computername> |
| Act as Part of the Operating System | | |
| Add Workstations to Domain | | |
| Back up Files and Directories | Administrators, Backup Operators | Administrators, Backup Operators |
| Bypass Traverse Checking | Administrators, Backup Operators, Everyone, Power Users, Users | Administrators, Backup Operators, Everyone, Power Users, Users |
| Change the System Time | Administrators, Power Users | Administrators, Power Users |
| Create a Pagefile | Administrators | Administrators |
| Create a Token Object | | |
| Create Permanent Shared Objects | | |
| Debug Programs | Administrators | Administrators |
| Deny Access to this Computer from the Network | | |
| Deny Logon as a Batch Job | | |
| Deny Logon as a Service | | |
| Deny Logon Locally | | |
| Enable Computer and User Accounts to be Trusted for Delegation | | |
| Force Shutdown from a Remote System | Administrators | Administrators |
| Generate Security Audits | | |
| Increase Quotas | Administrators | Administrators |
| Increase Scheduling Priority | Administrators | Administrators |
| Load and Unload Device Drivers | Administrators | Administrators |
| Lock Pages in Memory | | |
| Log on as a Batch Job | <computername>\IUSR_<computername>, <computername>\IWAM_<computername> | <computername>\IUSR_<computername>, <computername>\IWAM_<computername> |
| Log on as a Service | | |
| Log on Locally | Administrators, Backup Operators, Power Users, Users, <computername>\Guest, <computername>\IUSR_<computername> | Administrators, Backup Operators, Power Users, Users, Guest, <computername>\IUSR_<computername>, <computername>\TsInternetUser |
| Manage Auditing and Security Log | Administrators | Administrators |
| Modify Firmware Environment Values | Administrators | Administrators |
| Profile Single Process | Administrators, Power Users | Administrators, Power Users |
| Profile System Performance | Administrators | Administrators |
| Remove Computer from Docking Station | Administrators, Power Users, Users | Administrators, Power Users, Users |
| Replace a Process Level Token | | |
| Restore Files and Directories | Administrators, Backup Operators | Administrators, Backup Operators |
| Shut Down the System | Administrators, Backup Operators, Power Users, Users | Administrators, Backup Operators, Power Users |
| Synchronize Directory Service Data | | |
| Take Ownership of Files or Other Objects | Administrators | Administrators |
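
One way to check a member server against the defaults in the table above, as an added example that is not part of the original page: it parses the [Privilege Rights] section of a security template (the INF format that secedit /export writes) and reports every right whose holders differ from the table. The sample export, the svc_legacy account and the function names are constructed for illustration, and only a subset of the rights is included.

```python
import configparser

# Well-known SIDs of the built-in principals that appear in the table above.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators",
              "S-1-5-32-545": "Users", "S-1-5-32-547": "Power Users",
              "S-1-5-32-551": "Backup Operators"}

# Member-server defaults copied from the table above (a subset), keyed by the
# constant Windows uses for each right in a security template.
MEMBER_SERVER_DEFAULTS = {
    "SeTcbPrivilege": set(),                 # Act as Part of the Operating System
    "SeDebugPrivilege": {"Administrators"},  # Debug Programs
    "SeBackupPrivilege": {"Administrators", "Backup Operators"},
    "SeShutdownPrivilege": {"Administrators", "Backup Operators", "Power Users"},
}

# Constructed sample of a template's [Privilege Rights] section (not a real host).
SAMPLE_EXPORT = """\
[Privilege Rights]
SeTcbPrivilege = svc_legacy
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
"""

def parse_rights(text):
    """Return {right: set of account names} from a [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the Se* constants
    cp.read_string(text)
    rights = {}
    for right, value in cp["Privilege Rights"].items():
        entries = (e.strip().lstrip("*") for e in value.split(","))
        rights[right] = {WELL_KNOWN.get(e, e) for e in entries if e}
    return rights

def drift(actual, baseline):
    """Report accounts added to or missing from each baseline right."""
    report = {}
    for right, expected in baseline.items():
        current = actual.get(right, set())  # absent from export: nobody holds it
        if current != expected:
            report[right] = {"added": sorted(current - expected),
                             "missing": sorted(expected - current)}
    return report

if __name__ == "__main__":
    print(drift(parse_rights(SAMPLE_EXPORT), MEMBER_SERVER_DEFAULTS))
```

In the sample, the two findings are an account holding Act as Part of the Operating System, which the table leaves unassigned, and Users holding Shut Down the System, which is the Professional default rather than the Server one.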

Default Capabilities inherent on Windows 2000 Servers (DCs)

| Built-in Capability | Groups |
|---|---|
| Assign user rights | Administrators |
| Create and manage global groups | Account Operators, Administrators |
| Create and manage local groups | Account Operators, Administrators |
| Create and manage user accounts | Account Operators, Administrators |
| Create common program groups | Administrators, Server Operators |
| Format server's hard drive | Administrators, Server Operators |
| Keep local profile | Account Operators, Administrators, Backup Operators, Guests, Print Operators, Server Operators, Users |
| Lock the server | Administrators, Backup Operators, Guests, Server Operators |
| Manage auditing of system events | Administrators |
| Override lock of server | Account Operators, Administrators |
| Share and stop sharing directories | Administrators |
| Share and stop sharing printers | Administrators, Power Users, Server Operators, Users |

Default Capabilities inherent on Windows 2000 Professional and Windows 2000 Servers (non DCs)

| Built-in Capability | Groups |
|---|---|
| Assign user rights | Administrators |
| Create and manage local groups | Administrators, Power Users, Users |
| Create and manage user accounts | Administrators, Power Users |
| Create common program groups | Administrators, Power Users |
| Format computer's hard drive | Administrators |
| Keep local profile | Administrators, Backup Operators, Power Users, Users |
| Lock computer | Administrators, Backup Operators, Power Users |
| Manage auditing of system events | Power Users |
| Override lock on computer | Administrators |
| Share and stop sharing directories | Administrators, Power Users |
| Share and stop sharing printers | Administrators, Power Users |

