
By Sharky, Computerworld

True tales of IT life: useless users, hapless bosses, clueless vendors and adventures in the IT trenches. Compiled over the years from the frontlines.

Because the user is always right, right?

This company manages an automated teller machine network -- controlling the ATMs and moving money between banks -- and is upgrading its billing system, according to a pilot fish who's working on the project.

And the new features aren't exactly simple. "The new release would allow a rolled-up integer count of items to be charged, integrated with the various pricing schemes including tiered pricing, parent pricing, and child-pays-full-price-while-parent-gets-discount pricing," fish says.

Fortunately, the team is well into the testing stage and the worst of the complications are past.

At least that's what fish thinks, until the lead user in the billing department tells fish his people have come up with a new idea: That item count could also be used as a money field -- dollars and cents -- to report the total transaction value.

That's not in the original requirements, but fish responds, walking through the alternative ways of doing something like this.

One is to just sum up the dollars. It's an integer field in the database, so anything less than a dollar would disappear from the total.

Another way would be to multiply each amount by 100 to include both dollars and cents, sum it up, then divide by 100 to get the right result before the total is used in reports or other systems.

Third possibility: Add some entirely new functionality that would sum up the transaction amounts, in addition to the existing transaction count.

Fourth option: Do nothing in this release and add it in later.

Fish recommends either the first or second approach, with number 4 as the fallback.

And naturally, the billing department wants number 3.

Sighs fish, "I told the lead user there wasn't enough time to write the code, unit test, user-acceptance test, and still make the deadline. I promised that we could put it in for the subsequent release, and pointed out that they approved the original requirements.

"The response I got: 'If I change my mind the day before implementation, you still have to meet those new requirements.'

"Needless to say, they did not get what they wanted."


Copyright © 2016 IDG Communications, Inc.


User Rights Assignment


Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional provides an overview and links to information about the User Rights Assignment security policy settings that are available in the Windows operating system.

User rights govern the methods by which a user can log on to a system. User rights are applied at the local computer level, and they allow users to perform tasks on a computer or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a computer and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.

Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local computer by using the Local Group Policy Editor (gpedit.msc).

For information about setting security policies, see How to Configure Security Policy Settings.

The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.

User rights assignment in Windows Server 2016


Security policy settings are sets of rules that control various aspects of protection. They include account policies, local policies, user rights assignment, the Windows firewall, software restrictions, and so on. There are several ways to configure security policy settings. The most common are:

  • Group policy objects (GPO) – Used in Active Directory domains to configure and regularly reapply security settings to multiple computers.
  • Local security policy (secpol.msc) – Used to configure a single (local) computer. Note that this is a one-time action. If another administrator changes these settings, you will need to manually change them back to the required state.

As most organizations use an Active Directory domain, it is preferred to apply security settings via group policies. You should have at least three security baselines created and linked in your domain, based on the following machine types:

  • Domain Controllers (DC)
  • Member Servers (MS)
  • User Workstations

Configuring user rights assignment via Group Policy

If you have multiple versions of operating systems (OS) running on these machines, you should create separate baselines for each OS version, as some settings might not be available. This also enables stricter configuration for older systems, as they are usually less secure.

Security policies do not support generated group names


The following groups are used throughout this article:

  • Administrators – Members of this group have full, unrestricted access to the computer. Even if you remove some privileges from the Administrators group, a skilled administrator can still bypass those settings and gain control of the system. Only add highly trusted people to this group.
  • Authenticated Users – A special security principal that applies to any session that was authenticated using some account, such as a local or domain account.
  • Local account and member of Administrators group – A pseudogroup available since Windows Server 2012 R2. It applies to any local account in the Administrators group and is used to mitigate pass-the-hash attacks (lateral movement).
  • Remote Desktop Users – Members of this group can access the computer via Remote Desktop services (RDP).
  • Guests – By default, this group has no permissions. I don't think there is any need to use the Guest account and group today.

The Center for Internet Security (CIS) is a well-known non-profit organization that focuses on cybersecurity. To improve your knowledge of cybersecurity, you can access their free materials:

  • CIS Controls – A set of 20 basic and advanced cybersecurity actions (controls). Using these, you can stop the most common attacks.
  • CIS Benchmarks – Guidelines with specific configuration steps and detailed explanations. CIS Benchmarks are available for various products such as Windows Server, SQL Server, Apple iOS, and many more.

Both can be downloaded in exchange for your email address. There's no need to worry—there will be no further email, unless you choose to receive them.

Many companies and institutions create their security baselines based on CIS. I recommend you read CIS Controls. It really helped me to understand the importance of various security actions and settings.

CIS Benchmarks example


User rights assignments are settings applied to the local device. They allow users to perform various system tasks, such as local logon, remote logon, accessing the server from network, shutting down the server, and so on. In this section, I will explain the most important settings and how they should be configured.

For each setting, the following format is used:

Name of the setting: Recommended value, or values

Access Credential Manager as a trusted caller: No one (empty value)

Access to the Credential Manager is granted during Winlogon only to the user who is logging on. Saved user credentials might be compromised if someone else has this privilege.

Access this computer from the network: Administrators, Authenticated Users

Required for users to connect to the computer and its resources, such as an SMB share, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.

Note: On DCs, you should also add the “ENTERPRISE DOMAIN CONTROLLERS” group.

Allow log on locally: Administrators

The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users

It's common practice that some applications are used via RDP sessions by standard users. This privilege is also frequently required for remote assistance offered by an organization's helpdesk. If a server is running Remote Desktop Services with the Connection Broker role, the Authenticated Users group must also be added to this privilege.

Note: On the DC, it is recommended to allow only administrators to connect via RDP.

Back up files and directories: Administrators

This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up data and restore it on a different computer, thereby gaining access to it.

Deny access to this computer from the network/Deny log on through Terminal Services: Local account and member of Administrators group, Guests

The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised, it cannot be used to elevate privileges on any other network resource, or access it via RDP.

Force shutdown from a remote system/Shut down the system: Administrators

Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

Manage auditing and security log: Administrators

This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.

Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

Restore files and directories: Administrators

Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

Take ownership of files or other objects: Administrators

A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

Deny log on as a batch job/Deny log on as a service/Deny log on locally: Guests

To increase security, you should include the Guests group in these three settings.

Debug programs/Profile single process/Profile system performance: Administrators

This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

Change the system time: Administrators, Local Service

Changes in system time might lead to DoS issues, such as the inability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

Create a token object: No one (empty value)

Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

Impersonate a client after authentication: Administrators, Local Service, Network Service, Service

An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.

Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

Load and unload device drivers: Administrators

Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.
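The recommendations above can be checked mechanically. The following PowerShell is an added example, not code from the article: it parses the [Privilege Rights] section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports where a member server differs from the values listed above. The constant names and well-known SIDs are standard Windows values that this page does not list, the function names are hypothetical, and the sample export is constructed.

```powershell
# Added example. Baseline = member-server values recommended in the article above.
# Assumption: constant names and well-known SIDs are standard Windows values, not from the page.
$Admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$Guests = 'S-1-5-32-546'   # BUILTIN\Guests
$Baseline = @{
    SeTrustedCredManAccessPrivilege   = @()                          # No one
    SeNetworkLogonRight               = @($Admins, 'S-1-5-11')       # + Authenticated Users
    SeInteractiveLogonRight           = @($Admins)
    SeRemoteInteractiveLogonRight     = @($Admins, 'S-1-5-32-555')   # + Remote Desktop Users
    SeBackupPrivilege                 = @($Admins)
    SeRestorePrivilege                = @($Admins)
    SeDenyNetworkLogonRight           = @('S-1-5-114', $Guests)      # local admin accounts, Guests
    SeDenyRemoteInteractiveLogonRight = @('S-1-5-114', $Guests)
    SeSecurityPrivilege               = @($Admins)                   # Manage auditing and security log
    SeTakeOwnershipPrivilege          = @($Admins)
    SeDebugPrivilege                  = @($Admins)
    SeSystemtimePrivilege             = @($Admins, 'S-1-5-19')       # + Local Service
    SeCreateTokenPrivilege            = @()                          # No one
    SeImpersonatePrivilege            = @($Admins, 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
    SeLoadDriverPrivilege             = @($Admins)
}

function Get-PrivilegeRights {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # SIDs are written as *S-1-...; entries without * are account names and are kept as-is.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Compare-UserRights {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($right in ($Expected.Keys | Sort-Object)) {
        # A right that is missing from the export has no assignees.
        $have = @()
        if ($Actual.ContainsKey($right)) { $have = @($Actual[$right]) }
        $want = @($Expected[$right])
        $extra   = @($have | Where-Object { $want -notcontains $_ })
        $missing = @($want | Where-Object { $have -notcontains $_ })
        if ($extra.Count -or $missing.Count) {
            [pscustomobject]@{ Right = $right; Unexpected = $extra -join ','; Missing = $missing -join ',' }
        }
    }
}

# Constructed sample export (not taken from a real server).
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,svc_build
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeLoadDriverPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@

Compare-UserRights -Actual (Get-PrivilegeRights $SampleInf) -Expected $Baseline | Format-Table -AutoSize
```

The baseline covers member servers only; the DC, Exchange, IIS and Connection Broker additions from the notes above have to be added to the relevant entries before it is used on those roles.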

I hope this article helped you to understand why it is important to define a security baseline for your systems. Many of the settings are already configured properly following server deployment; however, if they are not controlled by a GPO, they can be manipulated by malicious users. Be careful to whom you grant administrator permissions.


Created a domain account to use as a service account and then tried to run powershell cmdlets against the active RDS management server.

Gave that account local admin access on the broker servers and then was able to get further.

Got the error “Access is denied” when trying to run the invoke-RDUserLogoff (with correct hostserver and unifiedsessionID values) to log off a session using that account.

Need to know what permissions should be granted to the account to provide ability to run this command and where like on the broker or the session host.

I can’t run the RD cmdlets on the RD broker to remove a user session without local administrator privileges on the broker and session host.

I need to know what user permissions are necessary to run these cmdlets as giving local admin is not desired.


Sir, we are having user1 in server1. We want to collect logs of server1 from server2 using credentials of user1. Surprisingly, even after entering the credentials of user1 in event viewer, it is taking logged-in credentials of the user logged into server2.


User Rights Assignments

Although in this section they are called user rights, these authority assignments are more commonly called privileges.

Privileges are computer-level actions that you can assign to users or groups. For the sake of maintainability, you should only assign privileges to groups, not to individual users. Each computer has its own user rights assignments. In particular, this means you should be cognizant of rights assignments on member servers, which may easily differ from the rights assignments you find on your domain controllers. To centrally control user rights assignments on computers throughout your domain, use group policy.


The meaning of “Log on as a Service” and when to use the “Log on as a Service” policy?

Written by Radu Popescu  ·  September 9th, 2022

In this article, we will learn what “Log on as a Service" is, when and where to use it, and how to enable it.

Let’s get started!

What is Log on as a service?

According to Microsoft documentation, log on as a service is a user permission right that allows an account to launch network services or programs that operate on a device whether or not the user is logged on.

The security context from which this service is executed determines if the service can access local or network resources. By default, services run under Local System, Local Service, and Network Service accounts.

Local System, Local Service, and Network Service accounts are the predefined accounts in a Windows operating system. When you install a service using a Service User account, you need to specify the user name and password of the account. The reason behind it is the built-in CreateService function that is called during this operation. It modifies the configuration information for the chosen service in the service control manager database.

How to enable Log on as a service?

The Log on as a service permission is granted through a domain policy or a local group policy.

If you want to enable Log on as a service for a local group policy, follow these steps:

1. Log in with an administrator account to the computer you want to provide the Log on as Service permission.

2. From Administrative Tools, click Local Security Policy.

Local Security Policy

3. Expand Local Policy and click User Rights Assignment.

4. Right-click Log on as a service and select Properties.

Log on as a Service Properties

5. Click Add User or Group option to add the new user.

Add New User

6. In the Select Users or Groups dialogue, find the user you wish to add and click OK.

Find User

How to install a service with Log on as a service policy?

To install a service, you can use the “Log on as a Service” policy.

For this scenario, we will use Advanced Installer’s built-in Service functionality to create a package installer with a service.


To see how to achieve that, follow these steps:

1. Go to Service Page -> Accounts

Service Page Accounts

2. Once there, under the Account, you can specify: Start Name (the user account under which your service will run) and Password (the password for the service user account).

3. Set "Log on as a Service" policy. When this option is checked, the Log on as a Service policy is set for the specified user account.

Set Log on as a Service Policy

When and where to use Log on as a Service?

If you don't want to run every service as a System, Network, or Local service account, you need to set up the service user account, and assign them the Log on as a Service right.

The main benefit of using Service Accounts is the low risk of a security breach. If at some point your service is compromised, attackers will be unable to access its resources because they are protected by the security context of the account running it - rather than the SYSTEM-level security context that SYSTEM and NetworkService accounts have.

That’s why the best practice is to assign service install permissions only to accounts that services run under, and to run individual services under service accounts that are configured using the principle of least privilege (only give them the permissions they need to run; don't give them admin or SYSTEM privileges).


How to add NETWORK SERVICE to Users permission group?

I'm adapting an application from a different server, their installation guide tells me to

Add Server Name\Network Service identity to Users permission group.

So how can I?

I've tried:

What am I missing here? Thanks in advance.


From Administrative Tools > Computer Management, expand System Tools > Local Users and Groups > Groups.

Double-click the Users group and click Add. Click Locations and select your computer node.

Type Network Service into the 'Enter the object names' OR

Click Advanced, then Find Now and select it from the Search Results.
