|
Implement, configure, manage, and
troubleshoot user rights.
Administrators can assign specific rights to
group accounts or to individual user
accounts. These rights authorize users to
perform specific actions, such as logging on
to a system interactively or backing up
files and directories. User rights are
different from permissions because user
rights apply to user accounts, and
permissions are attached to objects.
User rights define capabilities at the local
level. Although user rights can apply to
individual user accounts, user rights are
best administered on a group account basis.
This ensures that a user logging on as a
member of a group automatically inherits the
rights associated with that group. By
assigning user rights to groups rather than
individual users, you simplify the task of
user account administration. When users in a
group all require the same user rights, you
can assign the set of user rights once to
the group, rather than repeatedly assigning
the same set of user rights to each
individual user account.
User rights that are assigned to a group are
applied to all members of the group while
they remain members. If a user is a member
of multiple groups, the user's rights are
cumulative, which means that the user has
more than one set of rights. The only time
that rights assigned to one group might
conflict with those assigned to another is
in the case of certain logon rights. In
general, however, user rights assigned to
one group do not conflict with the rights
assigned to another group. To remove rights
from a user, the administrator simply
removes the user from the group. In this
case, the user no longer has the rights
assigned to that group. There are two types
of user rights: privileges and logon rights.
Privilege. An example of a privilege
is the right to back up files and
directories. (Some privileges can override
permissions set on an object.)
Logon right. An example of a logon
right is the right to log on to a system
locally.
The special user account LocalSystem has
almost all privileges and logon rights
assigned to it, because all processes that
are running as part of the operating system
are associated with this account, and these
processes require a complete set of user
rights. |
