The following steps were performed on a Windows Server R2 computer and also apply to Windows 7 and Windows Server R2. Step 2: In the console tree, click Groups.
Step 3: Right-click the group to which you want to add a member, click Add to Group, and then click Add. In other Windows operating systems, you may have to click "Start", type "cmd", and press Enter to open a command prompt. Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time.
In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality, however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B: User Rights and Privileges provides some of the most common assignable user rights and their programmatic constants. Although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges.
For more information about each of the user rights listed in the following table, use the links in the table or see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server R2 on the Microsoft TechNet site.
As of the writing of this document, corresponding documentation for Windows Server is not yet published. For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified. Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object.
For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects. With the exception of each domain's built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default.
Therefore, whether a user, service, or computer account attempts to read general properties on user objects in a domain, the read operation is successful.
If a security principal attempts to access an object whose ACL contains no ACE for any SID present in the principal's access token, the principal cannot access the object. Within this document, "permissions" refers to capabilities that are granted or denied to security principals on securable objects. Whenever there is a conflict between a user right and a permission, the user right generally takes precedence.
For example, if an object in Active Directory has been configured with an ACL that denies Administrators all read and write access to an object, a user who is a member of the domain's Administrators group will be unable to view much information about the object.
However, because the Administrators group is granted the user right "Take ownership of files or other objects," the user can simply take ownership of the object in question, then rewrite the object's ACL to grant Administrators full control of the object.
It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups.
It is effectively impossible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource. Active Directory is intended to facilitate delegation of administration and the principle of least privilege in assigning rights and permissions.
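Because a user right such as "Take ownership of files or other objects" lets its holder rewrite any ACL, a defender wants to know exactly which principals hold the ACL-overriding rights on a domain controller. The following audit script is an added example, not code from the appendix: it exports the security policy as applied on the host with secedit (assumed to be run elevated on the server being audited) and resolves the SIDs in the [Privilege Rights] section to account names.

```powershell
# Added example (not from the appendix): list the principals that hold the
# user rights whose programmatic privilege constants let a holder override an
# object's ACL. Assumes an elevated session on the host being audited.

# Display names behind the programmatic constants (the page's Table B has more;
# these are the ones that make ACL denies on the host ineffective).
$OverridingRights = @{
    'SeTakeOwnershipPrivilege' = 'Take ownership of files or other objects'
    'SeRestorePrivilege'       = 'Restore files and directories'
    'SeBackupPrivilege'        = 'Back up files and directories'
    'SeDebugPrivilege'         = 'Debug programs'
}

function Get-AssignedUserRights {
    # secedit writes the local security database, including [Privilege Rights],
    # to an INF file; only the USER_RIGHTS area is needed here.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $inPrivSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inPrivSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inPrivSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $constant = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*', names are literal.
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $holder = $entry
                if ($entry.StartsWith('*')) {
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $holder = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $holder = $entry }   # unresolvable (orphaned) SID: keep the raw value
                }
                [pscustomobject]@{ Constant = $constant; DisplayName = $OverridingRights[$constant]; Holder = $holder }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Report only the ACL-overriding rights; anything beyond the built-in
# Administrators group here deserves a second look.
Get-AssignedUserRights |
    Where-Object { $OverridingRights.ContainsKey($_.Constant) } |
    Sort-Object Constant, Holder |
    Format-Table Constant, DisplayName, Holder -AutoSize
```

An orphaned SID (one that no longer resolves) in the output usually means a deleted account or a group from a removed trust still holds the right and should be cleaned up.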
Users who require additional privilege can be granted membership in various privileged groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties. A fourth group, the Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups. In addition to these four groups, there are a number of additional built-in and default accounts and groups in Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be performed.
Although this appendix does not provide a thorough discussion of every built-in or default group in Active Directory, it does provide a table of the groups and accounts that you're most likely to see in your installations. For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and groups may be created in the Built-in and Users containers in your domains.
This appendix describes only the groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native roles and features. Accounts and groups that are created by the installation of enterprise software are not included. The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group.
EAs are granted rights and permissions that allow them to affect forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust.
The EA group is located by default in the Users container in the forest root domain, and it is a universal security group, unless the forest root domain is running in Windows Server mixed mode, in which case the group is a global security group. Although some rights are granted directly to the EA group, many of this group's rights are actually inherited by the EA group because it is a member of the Administrators group in each domain in the forest. Enterprise Admins have no default rights on workstations or member servers.
Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in Administrators (BA) group in addition to being a member of the local Administrators group on every computer that is joined to the domain.
The only default member of the DA group for a domain is the Built-in Administrator account for that domain. DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in "break glass" scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain wide changes must be made.
Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process. The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account.
Because a domain's DA group is nested in the domain's BA group and every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and the local Administrators group on all systems joined to the domain.
The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers.
However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers' local Administrators group is where local privilege is granted; and of the groups discussed, only DAs are members of all domain-joined computers' local Administrators groups by default.
The Administrators group is a domain-local group in the domain's Built-in container. By default, every domain's BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs.
A domain's BA group is granted full control permissions on most directory objects, and can take ownership of directory objects. Although EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of groups is actually "inherited" from their membership in BA groups.
Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent. The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-in Administrator account as a default member, similar to the EA group.
Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema. You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.
To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. These groups are described briefly in the following table. The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default; however, built-in groups are located by default in the Built-in container in Active Directory, while default groups are located by default in the Users container in Active Directory.
Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).
In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.
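The appendix states what the default membership of EA, DA, BA, and SA is, that the three highest-privileged groups are effectively equivalent, and that the elevated groups in the table that follows should be protected and monitored. The script below is an added example, not code from the appendix: it resolves nested membership of those groups with the RSAT ActiveDirectory module (assumed to be installed, with a domain-joined account that can read the directory) and reports every member that is not the documented default, plus the presence of a Debugger Users group.

```powershell
# Added example (not from the appendix): report non-default members of the
# highest-privileged AD groups and of the elevated built-in/default groups.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Groups from the table whose documented default membership is empty.
$ElevatedGroups = 'Account Operators', 'Backup Operators', 'Cryptographic Operators',
                  'Cert Publishers', 'Distributed COM Users', 'DnsAdmins'

function Get-PrivilegedGroupReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forestRoot  = (Get-ADForest).RootDomain
    # RID 500 is the domain's Built-in Administrator, the only default member
    # of DA (this domain), EA and SA (forest root domain).
    $domainAdmin = (Get-ADDomain -Identity $Domain).DomainSID.Value + '-500'
    $rootAdmin   = (Get-ADDomain -Identity $forestRoot).DomainSID.Value + '-500'

    $groups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins'
    foreach ($groupName in ($groups + $ElevatedGroups)) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $Domain
        if (-not $group) { continue }      # EA and SA exist only in the forest root domain
        # -Recursive expands nested groups (DA and EA inside BA) to leaf principals.
        foreach ($m in @(Get-ADGroupMember -Identity $group -Server $Domain -Recursive)) {
            $isDefault = switch ($groupName) {
                'Domain Admins'                        { $m.SID.Value -eq $domainAdmin }
                { $_ -in 'Enterprise Admins', 'Schema Admins' } { $m.SID.Value -eq $rootAdmin }
                # BA collapses, via DA and EA, to this domain's and the root domain's Administrator.
                'Administrators'                       { $m.SID.Value -in $domainAdmin, $rootAdmin }
                default                                { $false }   # no default members documented
            }
            [pscustomobject]@{
                Group = $groupName; Member = $m.SamAccountName; Class = $m.objectClass
                SID = $m.SID.Value; IsDefault = $isDefault
            }
        }
    }
}

# Debugger Users is neither default nor built-in; at the domain level its
# presence indicates a debugger was installed on a domain controller at some point.
if (Get-ADGroup -Filter "Name -eq 'Debugger Users'") {
    Write-Warning 'Debugger Users group exists in the domain: investigate which domain controller received a debugger.'
}

# Everything that is not the documented default is what needs an owner and a justification.
Get-PrivilegedGroupReport | Where-Object { -not $_.IsDefault } | Format-Table -AutoSize
```

Run it against each domain in the forest by passing -Domain, since DA, BA, and the elevated groups exist per domain while EA and SA are only reported from the root.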
[group name not recovered from the source] - domain-local security group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Account Operators - Built-in container, domain-local security group. Members can administer domain user and group accounts.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Administrator account - Users container, not a group. Built-in account for administering the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Backup Operators - Built-in container, domain-local security group. Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
    Direct user rights: Allow log on locally; Back up files and directories; Log on as a batch job; Restore files and directories; Shut down the system
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Cert Publishers - Users container, domain-local security group. Members of this group are permitted to publish certificates to the directory.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Cryptographic Operators - Built-in container, domain-local security group. Members are authorized to perform cryptographic operations.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Debugger Users - This is neither a default nor a built-in group, but when present in AD DS, it is cause for further investigation. The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. This group allows remote debugging access to computers. When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.

Denied RODC Password Replication Group - Users container, domain-local security group. Members of this group cannot have their passwords replicated to any read-only domain controllers in the domain.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Distributed COM Users - Built-in container, domain-local security group. Members of this group are allowed to launch, activate, and use distributed COM objects on this computer.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

DnsAdmins - Users container, domain-local security group. Members of this group have administrative access to the DNS Server service.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

DnsUpdateProxy - Users container, global security group. Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates.
    Direct user rights: None
    Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Members of this group are typically DHCP servers.

I'm up to my eyebrows on this one. There is a difference between a user administrator account and the Windows system administrator, which sounds like where your problem may be coming from.
The system administrator is there to protect your PC from unauthorised changes. Some things may have got mixed up during the upgrade. Can you describe how you are trying to change the privileges and on which folders?
Also, what folders are you trying to delete, or which folders are they in? What do you mean by "cannot download most of the time"? What are you trying to download, from where to where? What happens when you try?
I've had this problem since Windows 7. It's random. I'll delete a program, go into program files to delete the folder, and it won't let me. But the part that really gets my goat is when I try to download a program and it says I don't have permission. Whose permission?
Because that's the only entity I think should have a say on what I download or do. This of course does not include illegal downloads. I'm talking about a program I want, say an audio program, or a screen saver, whatever. I'm the only one on here.
Who is the Administrator? I don't have time for this. Let's say I decide that I don't want a program anymore, say an anti-spyware program.
I do an uninstall, but often folders are left behind. Most of the time, I'm told that I don't have permission to delete those folders. And then let's say that I want to download a screen saver, for instance. When attempting to download, I'm told that I do not have permission.
There have been other instances, so numerous that it's difficult to remember specifics because they are so random. Now, let's say that I want to move files from one hard drive to another: my files. I'm often told that I do not have permission. Okay, I'm working on my novel. I've finished writing for the day and save it. The next day, I do not have permission to edit this file.
It's all over the place. Bottom line, I am disgusted that I am told what I can and cannot do on my own computer of which I am the only operator. No one has the right to tell me what I can and cannot do. I don't go out looking for illegal sites; I don't try to download illegal content; I'm simply an author and an artist who tries to get work done as simply and efficiently as I can. These issues eat up my time, which is sometimes billed.
So I end up trying to work for ten billable hours but can only bill, say six.