Problem solve Get help with specific problems with your technologies, process and projects.

Active Directory user rights for Windows domain controllers and servers

Some Active Directory user rights are more critical than others because they control key aspects of the server that an attacker could exploit. This tip reviews the differences between some critical user rights settings for domain controllers versus member servers.

When you perform a task on a Windows computer, that task is typically controlled by user rights, which are, in turn, controlled by each server individually. Some of the most common user rights that you have become familiar with include local logon, access to backup files and folders and access to the computer over the network.

However, there are some user rights that are more critical than others because they control key aspects of the server, which an attacker could exploit. In this tip, I will point out some of the settings that are different for domain controllers versus member servers.

Domain controller user rights

The user rights for domain controllers and member servers are different because of the default behavior of the domain controller in Active Directory. Domain controllers' default user rights are established by one of the two default Group Policy Objects (GPOs) that are included with every installation of Active Directory. The Default Domain Controllers policy is the GPO responsible for establishing the user rights on a domain controller when it is entered into the domain.

Allow logon locally user right

There are a few user rights that the Default Domain Controllers policy establishes for domain controllers that you might want to consider for your member servers. For domain controllers, only "Administrator" type groups are given the privilege to log on to the console. This helps protect the domain controller from just any user logging on in this manner. However, since there are no GPOs from Active Directory modifying the default user rights for member servers, any user is allowed to log on locally to a Windows 2000 or Windows Server 2003 member server. This includes your servers containing HR data and financial data.

Allow Logon Through Terminal Services

If you are running a Windows 2000 server configured to allow Terminal Services sessions, you must give those connecting users the "Allow Logon Locally" user right. Of course, this is not a desired configuration, it's a mandatory one to allow these connections. Knowing that this was a security issue, Microsoft added a new user right for Windows XP and Windows Server 2003 computers. The user right is "Allow Logon Through Terminal Services." This new right allows users to connect to a Terminal Services session without having the privilege to logon locally.


User rights are important to every Windows computer on the network. They provide controls that allow or deny a user from performing tasks on each computer. User rights are in most cases associated with security areas of the computer, including accessing it locally, accessing it over the network and even backing up the files located on the server. Windows domain controllers receive more secure user rights because of the Default Domain Controllers policy. However, member servers are left with the default insecure configuration for many user rights. Knowing that there is a difference can help you protect all computers better. Also knowing that there are new user rights for the newer operating systems provides insight that might encourage you to upgrade to the newest operating system to get better security options.

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at [email protected].
More information from

Dig Deeper on Windows systems and network management