Learn Win XP Pro in 15 Minutes a Week: User Rights and User Privileges



May 23, 2003

Welcome to this installment of "Learn Windows XP Professional in 15 minutes a week," the 23rd in this series. In this article we will look at User Rights/User Privileges under Windows XP Professional.

User Rights - PART 1 - User Privileges category

Windows XP Professional allows rights to be configured for both individual users and groups of users. Rights are best described as actions that those users or groups are permitted to perform on a specific system or within the domain.

[NOTES FROM THE FIELD] - For the 70-270 exam it is probably not critical that the different rights mentioned below be specifically memorized; however, you should have a good overview and understanding of each.

You may also see these terms listed in some textbooks as User Privileges and sometimes as Logon Rights. The terms are totally interchangeable and merely denote what can be done by users or groups on a given system; however, they are often split into the two classifications.

This article will focus on the ones that are normally segmented under the User Privileges category.

On a standalone Windows XP Professional system you can view the Rights Assignments for users by using the Local Security Policy MMC.

You can do the same on a domain member, but in a managed environment you may find that many settings are applied to the local system by Group Policies linked at the domain level and possibly at the OU levels.

[NOTES FROM THE FIELD] - For more information on Group Policy and how it works you can check out my Active Directory Group Policy article.

You can see in the image below that both "Deny logon as a service" and "Force shutdown from a remote system" have a different icon from the rest of the rights in the User Rights Assignment section of the Local Security Policy.

This is because those two settings are being forced onto the local system via a Group Policy Object that is linked to the domain. This Windows XP Professional system is a member of that domain and thus affected by that GPO.

The following is a list of all of the default User Privileges on a Windows XP Professional system.

  • Act as part of the operating system
  • Add workstations to domain
  • Adjust memory quotas for a process
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Create a token object
  • Create permanent shared objects
  • Debug programs
  • Enable computer and user accounts to be trusted for delegation
  • Force shutdown from a remote system
  • Generate security audits
  • Increase scheduling priority
  • Load and unload device drivers
  • Lock pages in memory
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Replace a process level token
  • Restore files and directories
  • Shut down the system
  • Synchronize directory service data
  • Take ownership of files or other objects

Of the privileges listed above, the following have no users or groups listed by default as having the explicit right to perform the given action.

  • Act as part of the operating system
  • Add workstations to domain
  • Create a token object
  • Create permanent shared objects
  • Enable computer and user accounts to be trusted for delegation
  • Lock pages in memory
  • Synchronize directory service data

Members of the built-in Administrators group on the local Windows XP Professional system have full control of the computer and can assign user rights and access control permissions to users for any of the resources. The built in Administrator account is a default member of the Administrators local group.

If this system is joined to a domain, the Domain Admins group is automatically added to the Administrators local group, giving them full control of the local system as well. Members of the built in Administrators group are granted the following User Privileges by default:

  • Adjust memory quotas for a process
  • Back up files and directories
  • Bypass traverse checking
  • Change the system time
  • Create a pagefile
  • Debug programs
  • Force shutdown from a remote system
  • Increase scheduling priority
  • Load and unload device drivers
  • Manage auditing and security log
  • Modify firmware environment values
  • Perform volume maintenance tasks
  • Profile single process
  • Profile system performance
  • Remove computer from docking station
  • Restore files and directories
  • Shut down the system
  • Take ownership of files or other objects

Members of the built in Backup Operators group can back up and restore files on the local system. Members of this group need no access to the data other than membership in this group in order to back up the data on the local system. The right to perform a backup takes precedence over all file and folder level security permissions.

There are no user accounts in this group by default.

Members of the built in Backup Operators group are granted the following user privileges by default:

  • Back up files and directories
  • Bypass traverse checking
  • Restore files and directories
  • Shut down the system

Members of the built in Guests group on Windows XP Professional systems will have limited access to the computer. The local Guest account is disabled by default and is a default member of the Guests local group. Members of the built in Guests group have no explicit user privileges by default.

The built in HelpServicesGroup allows an administrator to set rights that will be used across all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance, and regular users should not be added to this group. The HelpServicesGroup has no explicit user privileges by default.

Members of the built in Power Users group can create user accounts and local groups. They can also modify and delete just those accounts and groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups as well as create shared resources and administer the shared resources they have created. The limitations on the Power Users group have been set so that its members cannot perform data backups or restorations, cannot take ownership of files, and cannot manage audit or security logs. They are also prevented from loading or unloading device drivers.

There are no user accounts in this group by default.

Members of the built in Power Users group are granted the following User Privileges by default:

  • Bypass traverse checking
  • Change the system time
  • Profile single process
  • Remove computer from docking station
  • Shut down the system

[NOTES FROM THE FIELD] - It is important to note that with a little effort and the correct level of knowledge a user with Power User rights on a local system can elevate their privileges on that system to the point where they can operate with a level of administrative access.

Great care should be taken as to who is a member of this group and if that level of access is really necessary.
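The defaults above can be checked on a live system by exporting the policy with `secedit /export /cfg` and comparing its [Privilege Rights] section against them. The following is an added example, not part of the original article: it flags any of the seven empty-by-default privileges that now has a holder, and any privilege held by Power Users beyond the five listed. The Se* constant names and SIDs are the standard Windows identifiers (the article does not give them), and the sample export and the account name svc_legacy are constructed.

```python
# Privileges the article lists as having no users or groups by default.
EMPTY_BY_DEFAULT = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeMachineAccountPrivilege": "Add workstations to domain",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeCreatePermanentPrivilege": "Create permanent shared objects",
    "SeEnableDelegationPrivilege": "Enable accounts to be trusted for delegation",
    "SeLockMemoryPrivilege": "Lock pages in memory",
    "SeSyncAgentPrivilege": "Synchronize directory service data",
}
POWER_USERS = "S-1-5-32-547"  # well-known SID of the built-in Power Users group
# The five privileges the article lists as Power Users defaults.
POWER_USERS_DEFAULT = {"SeChangeNotifyPrivilege", "SeSystemtimePrivilege", "SeShutdownPrivilege",
                       "SeProfileSingleProcessPrivilege", "SeUndockPrivilege"}

def parse_privilege_rights(inf_text):
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in value.split(",") if h.strip()]
    return rights

def audit(rights):
    """List deviations from the defaults described in the article."""
    findings = []
    for priv, holders in sorted(rights.items()):
        if priv in EMPTY_BY_DEFAULT and holders:
            findings.append((priv, "empty by default, now held by " + ", ".join(holders)))
        if POWER_USERS in holders and priv not in POWER_USERS_DEFAULT:
            findings.append((priv, "Power Users hold a non-default privilege"))
    return findings

# Constructed sample export (not from a real system); svc_legacy is hypothetical.
SAMPLE = """[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeTcbPrivilege = svc_legacy
[Version]
signature="$CHICAGO$"
"""

for priv, why in audit(parse_privilege_rights(SAMPLE)):
    print(priv, "-", why)
```

On a domain member, a finding may reflect a setting delivered by a Group Policy Object rather than a local change, so check the effective policy source before reverting it.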

Members of the built in Remote Desktop Users group can remotely log on to another system via Remote Desktop Connection and Terminal Services. While this group actually has no user privileges on the local system by default, its members are able to log on remotely.

There are no user accounts in this group by default.

Members of the built in Users group can perform common tasks on the local Windows XP system and are allowed to use the local resources for which they have the proper permissions. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group when the system is joined to the domain.

This automatically makes every domain user account a member of this group at the time the account is created.

Members of the built in Users group are granted the following User Privilege by default:

  • Bypass traverse checking

Users added to the Network Configuration Operators built-in group have no default user privileges from their membership in this group, but they are able to make changes to TCP/IP settings and renew and release TCP/IP addresses.

There are no user accounts in this group by default.

The built in Replicator group is available to support replication functions on the local system. The only member of the Replicator group should be the specific domain user account used to log on to the Replicator services of a domain controller. User accounts of actual users should not be added to this group.

There are no user accounts in this group by default and the group has no user privileges on the local system.

Well, that wraps up this section of "Learn Windows XP Professional in 15 Minutes a Week." I hope you found it informative and will return for the next installment. If you have any questions, comments, or even constructive criticism, please feel free to drop me a note. I want to write solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until next time, best of luck in your studies and remember,



I used to think that "Legally Drunk" was the funniest oxymoron I had heard until I heard someone mention something about "Business Ethics."


Jason Zandri, MCT, MCSE, Security+ Certified Professional, Certified Information Systems Security Professional (CISSP), currently holds the position of Technical Account Manager at Microsoft Corporation and has worked as a technical trainer and consultant for a variety of corporate clients in Connecticut over the past six years. He is available to work on an independent contract basis for technical authoring and editing, including books, articles, and whitepapers as well as customized corporate training and Microsoft CTEC training.