Although the built-in capabilities for accounts cannot be changed, user rights for accounts can be administered. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because they apply to user accounts, whereas permissions are attached to objects. Keep in mind that changes made to user rights can have a far-reaching effect. Because of this, only experienced administrators should make changes to the user rights policy.
Microsoft defines user rights in two categories: Logon Rights and Privileges. These are defined as follows:
Logon Right: A user right that is assigned to a user and that specifies the ways in which a user can log on to a system. An example of a logon right is the right to log on to a system remotely.
Privilege: A user right that is assigned to a user and that specifies allowable actions on the system. An example of a privilege is the right to shut down a system.
User rights define capabilities at the local level. Although they can apply to individual user accounts, user rights are best administered on a group account basis. This ensures that a user logging on as a member of a group automatically inherits the rights associated with that group. By assigning rights to groups rather than individual users, user account administration can be simplified. When users in a group all require the same user rights, they can be assigned the set of rights once to the group, rather than repeatedly assigning the same set to each individual user account.
User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights and privileges. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. For example, a member of multiple groups who is given the "Deny Access to This Computer from the Network" logon right would not be able to log on over the network despite the logon rights granted to the user by other groups. The user would be logged on locally with cached credentials, but when attempting to access domain resources would receive the following message:
In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group. In this case, the user no longer has the rights assigned to that group.
The following lists show the logon rights and privileges that can be assigned to a user.
Some of the privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all other users, including members of the Backup Operators group. A user privilege, in this case, the right to perform a backup, takes precedence over all file and directory permissions. The privileges, which can override permissions set on an object, are listed below.
Take Ownership of Files or Other Object
Manage Auditing and Security Log
Back Up Files and Directories
Restore Files and Directories
Bypass Traverse Checking
The Take Ownership of Files or Other Object (TakeOwnership) privilege grants WriteOwner access to an object. The Backup and Restore privileges grant read and write access to an object, respectively. The Debug Programs (Debug) privilege grants read or open access to an object. The Bypass Traverse Checking (ChangeNotify) privilege provides traverse access on directories. This privilege is given, by default, to all users and is not considered security relevant. The Manage Auditing and Security Log (Security) privilege provides several abilities, including access to the security log and overriding access restrictions on the security log. The Event Logger is responsible for enforcing the Security privilege in this context. The TakeOwnership, Security, Backup, Restore, and Debug privileges should only be assigned to administrator accounts (see Appendix C, User Rights and Privileges, of the Windows 2000 Security Configuration Guide, for the restrictions on the assignment of privileges required by the Evaluated Configuration).
The special user account LocalSystem has almost all privileges and logon rights assigned to it, because all processes that are running as part of the operating system are associated with this account, and these processes require a complete set of user rights.
Appendix C – User Rights and Privileges, of the Windows 2000 Security Configuration Guide, contains a cross-reference table of user rights and privileges to applicable Security Target requirements that should be used as reference when implementing a user rights policy that must address specific ST requirements.
Assigning User Rights
User rights are assigned through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, local policies can be configured and then imported into Active Directory. Local policies can also be configured as part of an existing Group Policy for a site, domain, or organizational unit. When this is done, the local policies will apply to computer accounts in the site, domain, or organizational unit.
User rights policies can be administered as follows:
Log on using an administrator account.
Open the Active Directory Users and Computers tool.
Right-click the container holding the domain controller and click Properties.
Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.
Select User Rights Assignment.
Note: All policies are either defined or not defined. That is, they are either configured for use or not configured for use. A policy that is not defined in the current container could be inherited from another container.
To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box.
For a site, domain, or organizational unit, individual user rights can be configured by completing the following steps:
Open the Security Policy Setting dialog box for the user right to be modified.
Select Define these policy settings to define the policy.
To apply the right to a user or group, click Add.
In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups.
The following selection options appear on the Select Users Or Groups box:
Name: The Name column shows the available accounts of the currently selected domain or resource.
Add: Add selected names to the selection list.
Check Names: Validate the user and group names entered into the selection list. This is useful if names are typed in manually and it is necessary to ensure that they actually exist.
To access account names from other domains, click the Look In list box. A drop-down list will appear that shows the current domain, trusted domains, and other resources that can be accessed. Select Entire Directory to view all the account names in the directory.
Note: Only domains that have been designated as trusted are available in the Look In drop-down list. Because of the transitive trusts in Windows 2000, this usually means that all domains in the domain tree or forest are listed. A transitive trust is one that is not established explicitly. Rather, the trust is established automatically based on the forest structure and permissions set in the forest.
After selecting the account names to add to the group, click OK. The Add user or group dialog box should now show the selected accounts. Click OK again.
The Security Policy Setting dialog box is updated to reflect the selections. If a mistake is made, select a name and remove it by clicking Remove.
When finished granting the right to users and groups, click OK.
Configuring Local User Rights
For local computers, such as Windows 2000 Professional, apply user rights by completing the following steps:
Log in as Administrator.
Open Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
In the Local Security Settings window, navigate to Local Policies, and then select User Rights Assignment.
To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box. The effective policy for the computer is displayed, but it cannot be changed. However, the local policy settings can be adjusted. Use the fields provided to configure the local policy. Remember that site, domain, and organizational unit policies have precedence over local policies.
The Assigned To column shows current users and groups that have been given a user right. Select or clear the related check boxes under the Local Policy Setting column to apply or remove the user right.
Apply the user right to additional users and groups by clicking Add. This opens the Select Users Or Groups dialog box. Local users and groups can now be added.
To access account names from the domain, click the Look In list box. There should be a list that shows the current machine, the local domain, trusted domains, and other resources that can be accessed. Select the local domain to view all the account names in the domain.
Warning #1: "...services require user rights in Windows security policies..."
This warning message indicates that domain group policy objects (GPOs) are restricting which rights are assigned to virtual service accounts.
To learn more, see If user rights are missing.
Warning #2: "...cannot read the user rights that are specified..."
This warning message indicates that the installer may not be able to determine whether the correct rights are assigned to virtual service accounts in domain GPOs.
To learn more, see If user rights cannot be determined.
Note: You must be a domain administrator, or coordinate with your domain administrator, to make changes to the affected domain GPOs.
If you are upgrading Endpoint Protection Manager from a previous version, the warning might prompt you to add Endpoint Protection Manager services to policies. Click Try Again to review the policies again during the installation.
You must log in as a domain administrator to use this option. If you do not log in as a domain administrator, you can either cancel the installation and log back in with domain administrator credentials, or you can continue with the installation and update the policies after the upgrade is completed.
To perform some of the steps below, you must install the Group Policy Management Console (GPMC) on the machine where you install Endpoint Protection Manager. For more information, see Install the GPMC on Microsoft.com.
If user rights are missing
Perform the following tasks to successfully complete the Endpoint Protection Manager installation:
- Identify the service accounts, user rights assignments, and domain GPOs you need to modify
- Change the domain policies and propagate them to the computer
- Recheck the policies or restart the services for Endpoint Protection Manager
There will be additional log entries in one of the following log locations, depending on when the warning message appears:
- New installations:
Note: If you do not see the log file in this folder, search for the log file by name.
- Configuration wizard:
- Upgrade wizard:
SEPM_Installation_Folder represents the installation folder for Endpoint Protection Manager. By default, this folder is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager (64-bit operating system) or C:\Program Files\Symantec\Symantec Endpoint Protection Manager (32-bit operating system).
From the alert message, make note of the missing service accounts. With the alert window active, press Control-C to copy the text of the message, which you can then paste into a document. If you encounter this message in the configuration wizard or the upgrade wizard, click Show Details to get more information.
- The virtual service accounts
- The domain GPOs
- The user rights assignments required
For example, the alert message may read:
Group policy setting SeServiceLogonRight in 'New Group Policy Object-testB' does not contain [NT SERVICE\semsrv, NT SERVICE\semwebsrv, NT SERVICE\SQLANYs_sem5, NT SERVICE\semapisrv]
Note: In this example, SeServiceLogonRight is the user right, 'New Group Policy Object-testB' is the domain GPO, and the bracketed NT SERVICE\ names are the virtual service accounts.
The required user rights are as follows:
- SeAssignPrimaryTokenPrivilege (Replace a process level token): Required by NT SERVICE\semwebsrv only while installing Endpoint Protection Manager with a Microsoft SQL Server database using Windows authentication.
- SeServiceLogonRight (Logon as a service): Required by all services. (NT SERVICE\SQLANYs_sem5 is not required if you install Endpoint Protection Manager with a Microsoft SQL Server database.)
You must ensure that for each GPO listed, all of the accounts listed are present in every user rights assignment mentioned. For new installations, refer to the list of required user rights above for either database type, to avoid additional warnings after configuration.
Note: When you install Endpoint Protection Manager for the first time, its services are not yet present on the computer. Therefore, virtual accounts that correspond to Endpoint Protection Manager services are not active yet. For a new installation, you can click Continue in the alert that appears during installation. Another warning appears at the end of the configuration wizard, so you can update domain policies using the steps below after configuration finishes.
Make the appropriate changes to the necessary domain GPOs with the Group Policy Management Console on your Active Directory server, or work with your domain administrator to make these changes. See Create and Edit a Group Policy Object on Microsoft.com to learn how to edit group policies.
To update the domain policy, follow these steps:
Note: These steps are for the Windows Server 2012 Server Manager. Other versions of Windows may vary slightly.
- Open Group Policy Management Console (GPMC).
- Locate the policy name mentioned in the alert box.
Typically, it appears under the node Group Policy Objects, under your domain tree.
- Right-click the policy, and then click Edit to open the Group Policy Editor for this policy.
- Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
This lists all of the user assignments.
- Locate the user rights mentioned in the alert, and add the accounts mentioned in the alert.
These accounts are created locally on the Endpoint Protection Manager computer after configuration or upgrade finishes. However, they are virtual service accounts without predetermined SIDs, so you can add them to domain GPOs before they are created on the Endpoint Protection Manager computer.
- Click OK.
Note: After you update domain policies, ensure that the Endpoint Protection Manager computer receives and applies them.
- On the Endpoint Protection Manager computer, open an elevated command prompt (run cmd.exe as Administrator), and enter the following command:
This command refreshes all domain policies on this computer.
III. Recheck the policies or restart the services for Endpoint Protection Manager
- If you see the warning during installation and the Endpoint Protection Manager installer is paused at the Warning pane, click Try Again. If the installer previously rolled back, launch it again.
Note: If you click Continue, the installer ignores the warnings. You still need to correct the user rights in the domain policies for the installation to work correctly.
- If you see the warning during configuration or during an upgrade, click Finish to start Endpoint Protection Manager. The changes you make ensure that Endpoint Protection Manager runs reliably. If necessary, you can restart the Endpoint Protection Manager services using the Service Control Manager.
- As an additional verification, you can also reconfigure Endpoint Protection Manager after you apply the group policies on the Endpoint Protection Manager computer. The Management Server Configuration Wizard reviews the updated policies again.
You must ensure that you see the message "Configuration Completed" without any warnings in the final panel before you click Finish.
If user rights cannot be determined
When Endpoint Protection Manager cannot read the domain policies, it does not provide the missing user rights in the alert message. In this instance, you (or your domain administrator) should manually inspect the domain policies based on the user rights assignments guidelines provided above, and ensure all required rights apply to Endpoint Protection Manager services.
If you are satisfied that the domain policies meet the appropriate criteria, click OK to continue with the installation, and then ignore the subsequent warning messages during the configuration or upgrade wizard.
How to check domain policies manually
You can manually check for the presence of required accounts and privileges before you begin a new installation or upgrade.
To check domain policies manually, follow these steps:
- Log on to the Endpoint Protection Manager computer using domain admin credentials.
- Open a command prompt (cmd.exe) and enter the following command:
This command writes its results to a new file, gpresult.xml, at the root of the C: drive. The Endpoint Protection Manager installer uses this command to retrieve the Windows domain policies. If this command fails, then the domain policy check fails during installation.
- Open C:\gpresult.xml and search for the privileges listed in the requirements noted above, under Cause.
If you do not find the privileges, then the domain GPOs do not enforce them. You do not need to make a change to the domain GPOs.
If you do find the privileges, but they do not contain any of the Endpoint Protection Manager accounts, then you must add the accounts to the corresponding policy.
To determine which domain policy to modify, follow these steps:
- Open the gpresult.xml file.
- Navigate down the following XML tree to where you previously found the required privilege, to the Identifier tag:
Where PrivilegeName is SeServiceLogonRight or SeAssignPrimaryTokenPrivilege.
- Note the value given within the Identifier tag. For example:
- Navigate the following XML tree, to the Identifier tag:
- Search for the identifier value found in Step 2.
- Navigate up the tree to the Name tag, which encloses the name of the policy you must modify.
- You can now open the Group Policy Management Console (GPMC) and add the Endpoint Protection Manager accounts with the required privileges, as noted above.
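As an added example (not Symantec's or Microsoft's code) covering both the required-rights rules listed earlier and the manual gpresult.xml check above, the following Python script computes which accounts each right must contain for a given database type, then reads an export and reports, in the wording of the installer alert, which accounts are missing from which GPO. It assumes the gpresult /x layout used here (UserRightsAssignment elements with Name, Member/Name and GPO/Identifier children, resolved to a display name through ComputerResults/GPO/Name and Path/Identifier); those element paths and the embedded sample XML are assumptions, and the sample is constructed.

```python
# Added example, not Symantec's or Microsoft's code. ASSUMED gpresult /x layout:
# UserRightsAssignment{Name,Member/Name,GPO/Identifier}; GPO{Name,Path/Identifier}.
import xml.etree.ElementTree as ET

SERVICES = ["NT SERVICE\\semsrv", "NT SERVICE\\semwebsrv",
            "NT SERVICE\\SQLANYs_sem5", "NT SERVICE\\semapisrv"]

def required_rights(db, win_auth=False):
    """Rights each SEPM service account needs, as the article states them."""
    svcs = [s for s in SERVICES if db != "sqlserver" or "SQLANY" not in s]
    req = {"SeServiceLogonRight": svcs}    # SQLANYs_sem5 drops out with SQL Server
    if db == "sqlserver" and win_auth:     # token right only for SQL Server + Windows auth
        req["SeAssignPrimaryTokenPrivilege"] = ["NT SERVICE\\semwebsrv"]
    return req

def _kids(el, name):                       # direct children matched by local name
    return [c for c in el if c.tag.split("}")[-1] == name]

def _text(el, *path):                      # text found by walking local names down
    for name in path:
        found = _kids(el, name)
        if not found:
            return None
        el = found[0]
    return (el.text or "").strip()

def check_gpresult(xml_text, required):
    """Map (right, GPO name) -> required accounts missing from that GPO's setting.
    A right that never appears is not enforced by any GPO and needs no change."""
    root = ET.fromstring(xml_text)
    names = {_text(g, "Path", "Identifier"): _text(g, "Name")   # Identifier -> Name
             for g in root.iter() if g.tag.split("}")[-1] == "GPO" and _text(g, "Name")}
    findings = {}
    for ura in root.iter():
        if ura.tag.split("}")[-1] != "UserRightsAssignment":
            continue
        right = _text(ura, "Name")
        if right not in required:
            continue
        members = {(_text(m, "Name") or "").lower() for m in _kids(ura, "Member")}
        gpo = _text(ura, "GPO", "Identifier")
        findings[(right, names.get(gpo, gpo))] = [
            a for a in required[right] if a.lower() not in members]
    return findings

def format_findings(findings):
    """Word each finding like the installer alert quoted in the article."""
    return ["Group policy setting %s in '%s' does not contain [%s]"
            % (r, g, ", ".join(m)) for (r, g), m in findings.items() if m]

SAMPLE = """<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ComputerResults>
 <GPO><Name>New Group Policy Object-testB</Name><Path><Identifier>{CONSTRUCTED-GUID}</Identifier></Path></GPO>
 <ExtensionData><Extension xsi:type="q1:SecuritySettings" xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
  <q1:UserRightsAssignment><GPO><Identifier>{CONSTRUCTED-GUID}</Identifier></GPO>
   <q1:Name>SeServiceLogonRight</q1:Name>
   <q1:Member><Name>NT SERVICE\\semsrv</Name></q1:Member>
   <q1:Member><Name>NT AUTHORITY\\NETWORK SERVICE</Name></q1:Member>
  </q1:UserRightsAssignment></Extension></ExtensionData></ComputerResults></Rsop>"""  # constructed
```

Running `format_findings(check_gpresult(SAMPLE, required_rights("embedded")))` against a real C:\gpresult.xml in place of SAMPLE lists the accounts to add in GPMC; an empty list means every enforced right already contains them.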
For more information, see the following Microsoft technical articles: