Implementing Permissions and Rights
When controlling a user's access to the system, you typically modify the user's rights and permissions. Microsoft has made a huge distinction between a permission and a right. A permission is a user's level of access to a resource - such as a printer or file - while a right is a user's privilege to perform an operating system task. In this section, you discover the difference between permissions and rights within the Windows operating system and how to implement both.
If you were to log on to your Windows system as just a user account and then double-click the time in the bottom-right corner to change that time, you get an error message indicating that you do not have the privilege to change the time. This is an example of user rights. The user account that you are currently logged in with does not have the right to change the system time, an action that typically has to be performed by an administrative account.
There is a large list of user rights; some of the most popular ones are listed below:
- Access this computer from the network: This right is needed by anyone who wants to connect to the system from across the network. For example, if you wish to connect to a shared folder on Computer A, you need to have the access this computer from the network right on Computer A.
- Back up files and directories: This right is needed by anyone who wishes to back up files on the computer. For security reasons, not everyone should be able to perform backups on a system, so Windows controls who can perform a backup via this right.
- Change the system time: In order to change the time on the computer, your user account must be given the change the system time right.
- Log on locally: In order to log on to the system by pressing Ctrl+Alt+Delete, you need to have the log-on-locally right. Microsoft classifies a local logon as you sitting in front of the computer at the keyboard; a remote logon is you connecting from across the network, which is controlled by the first right mentioned in this list.
- Shut down the system: In order to shut down the computer, you must have this right.
- Take ownership of files and other objects: In Windows, the owner of the object, such as a file or folder, always has the ability to change the permissions of the resource. You may want to give selected individuals the take-ownership right so that they can take ownership of a resource and then change the permissions.
To change the user rights (for example, to assign Bob Smith the right to change the system time), you need to modify the user rights assignments in the local security policies of the Windows computer. The local security policy controls all security settings for the system. To change the local security policies in Windows XP, follow these steps:
- Choose Start > Control Panel.
- In the Control Panel, choose Performance and Maintenance and then Administrative Tools, located at the bottom of the window.
- In the Administrative Tools, double-click Local Security Policy to start the Local Security Policy console.
- To modify the user rights within the local security policy, expand Local Policies and then highlight User Rights Assignments.
When the User Rights Assignments node on the left side has been selected, you will notice the list of user rights on the right side of the screen in the Details pane.
- To modify a user right, double-click the user right.
You will see a list of users or groups that have been assigned that right.
- To add a user or group to the list, click the Add User or Group button, type the name of the account you wish to add, and then click Check Names to ensure that Windows recognizes the user account.
- Click OK to add the account to the right you chose and then click OK to close the window.
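The assignments made in the console can also be exported as text with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reviewed after a change like the one above. The following is an added example, not part of the original text: it parses the [Privilege Rights] section of such an export and reports accounts that hold a right beyond an expected baseline. The sample export, the `bsmith` account (standing in for Bob Smith) and the baseline are constructed assumptions.

```python
# Constant names Windows uses in the export for the six rights listed above.
RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeBackupPrivilege": "Back up files and directories",
    "SeSystemtimePrivilege": "Change the system time",
    "SeInteractiveLogonRight": "Log on locally",
    "SeShutdownPrivilege": "Shut down the system",
    "SeTakeOwnershipPrivilege": "Take ownership of files and other objects",
}
# Constructed sample export (not from a real host). Entries are *SID or an
# account name; "bsmith" is a hypothetical account standing in for Bob Smith.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-32-544,bsmith
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-1-0
[Version]
signature="$CHICAGO$"
"""
# Assumed baseline: only Administrators (S-1-5-32-544) should hold these two.
BASELINE = {
    "SeSystemtimePrivilege": {"*S-1-5-32-544"},
    "SeTakeOwnershipPrivilege": {"*S-1-5-32-544"},
}

def parse_privilege_rights(text):
    """Return {constant: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def unexpected_holders(rights, baseline):
    """Return sorted (right name, principal) pairs granted beyond the baseline."""
    return sorted(
        (RIGHTS.get(const, const), principal)
        for const, allowed in baseline.items()
        for principal in rights.get(const, set()) - allowed
    )

if __name__ == "__main__":
    for right, who in unexpected_holders(parse_privilege_rights(SAMPLE_INF), BASELINE):
        print(f"{right}: unexpected holder {who}")
```

A real export is written as UTF-16, so read it with `open("rights.inf", encoding="utf-16")` before passing the text to `parse_privilege_rights`.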