28
Member Servers
•
Power Users
Power Users possess most administrative powers with some restrictions. Thus, Power Users can
run legacy applications in addition to certified applications.
•
Help Services Group
This is the group for the Help and Support Center. Support_388945a0 is a member of this group
by default.
•
Telnet Clients
Members of this group have access to Telnet Server on the system.
Domain Controllers
•
Server Operators
Members of this group can administer domain servers.
•
Terminal Server License Services
Members of this group have access to Terminal Server License Servers on the system.
•
Windows Authorization Access Group
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on
user objects.
The group
Guests
and the user accounts Guest and Support_388945a0 have unique SIDs between
different domains. Therefore, this Group Policy for user right assignments may need to be modified on
a system where only the specific target group exists. Alternatively, the policy templates can be edited
individually to include the appropriate groups within the .inf files.
This section provides details on the prescribed user rights assignments for the three environments
defined in this guide for the MSBP. For a summary of the prescribed settings in this section, see the
Windows Server 2003 Security Guide Settings Excel spreadsheet. For information on the default
settings and a detailed explanation of each of the settings discussed in this section, go and review
Microsoft’s
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows
XP,
available at:
http://go.microsoft.com/fwlink/?LinkId=15159
.
Note:
Throughout the following section, User Rights Assignments, "Not defined" means Administrators
still have the privilege for every right not defined. Local administrators can make changes, but any
domain-based Group Policy settings will override them the next time that the Group Policies are
refreshed or reapplied.