Windows server 2008 network configuration operators
Performance Log Users (description truncated in this copy)
  Direct user rights: Log on as a batch job
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Performance Monitor Users
  Default container: Built-in
  Type: Domain-local security group
  Description: Members of this group can access performance counter data locally and remotely.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Pre-Windows Compatible Access
  Default container: Built-in
  Type: Domain-local security group
  Description: This group exists for backward compatibility with operating systems prior to Windows Server, and it provides the ability for members to read user and group information in the domain.
  Direct user rights: Access this computer from the network; Bypass traverse checking
  Inherited user rights: Add workstations to domain; Increase a process working set

Print Operators
  Default container: Built-in
  Type: Domain-local security group
  Description: Members of this group can administer domain printers.
  Direct user rights: Allow log on locally; Load and unload device drivers; Shut down the system
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

RAS and IAS Servers
  Default container: Users
  Type: Domain-local security group
  Description: Servers in this group can read remote access properties on user accounts in the domain.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

RDS Endpoint Servers
  Default container: Built-in (Windows Server)
  Type: Domain-local security group
  Description: Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

RDS Management Servers
  Default container: Built-in (Windows Server)
  Type: Domain-local security group
  Description: Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

RDS Remote Access Servers
  Default container: Built-in (Windows Server)
  Type: Domain-local security group
  Description: Servers in this group enable users of RemoteApp programs and personal virtual desktops to access these resources. In Internet-facing deployments, these servers are typically deployed in an edge network.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Read-only Domain Controllers
  Default container: Users
  Type: Global security group
  Description: This group contains all read-only domain controllers in the domain.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Remote Desktop Users
  Default container: Built-in
  Type: Domain-local security group
  Description: Members of this group are granted the right to log on remotely using RDP.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

(Fragment of a truncated entry:) This applies only to WMI namespaces that grant access to the user.

Replicator
  Default container: Built-in
  Type: Domain-local security group
  Description: Supports legacy file replication in a domain.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Schema Admins
  Default container: Users (exists only in the forest root domain)
  Type: Universal security group
  Description: Schema admins are the only users who can make modifications to the Active Directory schema, and only if the schema is write-enabled.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Server Operators
  Default container: Built-in
  Type: Domain-local security group
  Description: Members of this group can administer domain servers.
  Direct user rights: Allow log on locally; Back up files and directories; Change the system time; Change the time zone; Force shutdown from a remote system; Restore files and directories; Shut down the system
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Terminal Server License Servers
  Default container: Built-in
  Type: Domain-local security group
  Description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Users
  Default container: Built-in
  Type: Domain-local security group
  Description: Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most. Users are prevented from making accidental or intentional system-wide changes and can run most applications.
  Direct user rights: None
  Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Note: For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified.

Note: Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups.

User rights covered in this article:

- Access Credential Manager as a trusted caller
- Access this computer from the network
- Act as part of the operating system
- Add workstations to domain
- Adjust memory quotas for a process
- Allow log on locally
- Allow log on through Terminal Services
- Back up files and directories
- Bypass traverse checking
- Change the system time
- Change the time zone
- Create a pagefile
- Create a token object
- Create global objects
- Create permanent shared objects
- Create symbolic links
- Debug programs
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on locally
- Deny log on through Terminal Services
- Enable computer and user accounts to be trusted for delegation
- Force shutdown from a remote system
- Generate security audits
- Impersonate a client after authentication
- Increase a process working set
- Increase scheduling priority

If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the Log on as a batch job user right.

The Performance Log Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.

Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.

The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. Members of the Pre-Windows Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.

By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.

The Pre-Windows Compatible Access group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. If you choose the Pre-Windows Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows only permissions mode, Authenticated Users are members. Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain.

They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. The Print Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.

This security group has not changed since Windows Server. However, in Windows Server R2, functionality was added to manage print administration.

Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.

This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default.

The only method to modify the protection for an account is to remove the account from the security group. This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server R2 and Windows 8.

This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. Passwords are not cached on a device running Windows 8. This means that the domain must be configured to support at least the AES cipher suite. This means that former connections to other systems may fail if the user is a member of the Protected Users group.

The default Kerberos ticket-granting ticket (TGT) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours have passed, the user must authenticate again. The Protected Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.

This group was introduced in Windows Server R2. For more information about how this group works, see Protected Users Security Group. By default, this group has no members. Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run.

This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment.

In Internet-facing deployments, these servers are typically deployed in an edge network. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations, or FSMO). The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. This group consists of the Read-only domain controllers in the domain.

A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. Because administration of a Read-only domain controller can be delegated to a domain user or security group, a Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group.

A Read-only domain controller encompasses the following functionality: This applies only to WMI namespaces that grant access to the user. Computers that are members of the Replicator group support file replication in a domain.

FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.

Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. The group is authorized to make schema changes in Active Directory. This group has full administrative access to the schema. The membership of this group can be modified by any of the service administrator groups in the root domain.

This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. The Schema Admins group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. Members in the Server Operators group can administer domain servers.

This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer.

By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group.

Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks such as backup and restore, and they have the ability to change binaries that are installed on the domain controllers.

Note the default user rights in the following table. The Server Operators group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version.

Restore files and directories: SeRestorePrivilege

Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance.

The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group.

When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.

The Users group applies to versions of the Windows Server operating system listed in the Active Directory default security groups by operating system version. The Administrators group has built-in capabilities that give its members full control over the system. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins.

This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.

Default user rights changes: Allow log on through Terminal Services existed in Windows Server, and it was replaced by Allow log on through Remote Desktop Services.

Remove computer from docking station was removed in Windows Server R2. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer.

By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins.

It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files including operating system files on domain controllers.

Because of this, members of this group are considered service administrators. Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory. Members of the Cloneable Domain Controllers group that are domain controllers may be cloned.

In Windows Server R2 and Windows Server, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.

This security group was introduced in Windows Server, and it has not changed in subsequent versions. Members of this group are authorized to perform cryptographic operations. This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions. The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups.

No. Safe to move out of default container? Safe to delegate management of this group to non-Service admins?

Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application.
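Several of the groups above are described as empty by default (Server Operators, Backup Operators, Print Operators, Cryptographic Operators), two exist only in the forest root (Schema Admins, Enterprise Admins), and Pre-Windows Compatible Access carries Everyone and Anonymous only in the legacy permissions mode. The following is an added PowerShell audit written for this page, not code from the Microsoft documentation it reproduces; it assumes the ActiveDirectory RSAT module, read access to the domain, and the full group name "Pre-Windows 2000 Compatible Access" (the version number is missing from this copy of the text).

```powershell
# Added example: report members of AD groups that the reference text says
# are empty by default, review forest-wide groups, and flag Everyone /
# Anonymous Logon in Pre-Windows 2000 Compatible Access.
# Assumption: ActiveDirectory RSAT module is installed and the caller can read the domain.
Import-Module ActiveDirectory -ErrorAction Stop

$domain     = Get-ADDomain
$forestRoot = (Get-ADForest).RootDomain

# Groups the reference text describes as having no members by default.
$expectEmpty = 'Server Operators', 'Backup Operators', 'Print Operators', 'Cryptographic Operators'

# Forest-wide groups: exist only in the forest root domain; the built-in
# Administrator of that domain (RID 500) is the only member expected here.
$reviewOnly = 'Schema Admins', 'Enterprise Admins'

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Group, [string]$Member, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Group = $Group; Member = $Member; Reason = $Reason })
}

foreach ($name in $expectEmpty) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $g) { continue }
    # -Recursive expands nested groups, so an account reached through a
    # nested group is reported as well as a direct member.
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        Add-Finding $name $_.SamAccountName 'group is empty by default'
    }
}

if ($domain.DNSRoot -eq $forestRoot) {
    foreach ($name in $reviewOnly) {
        $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $g) { continue }
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.SID.Value -notmatch '-500$' } |   # skip built-in Administrator
            ForEach-Object {
                Add-Finding $name $_.SamAccountName 'forest-wide privilege; only built-in Administrator expected'
            }
    }
}

# Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) are stored in the group's
# member attribute as foreign security principals, so inspect the DNs directly.
$legacy = Get-ADGroup -Filter "Name -eq 'Pre-Windows 2000 Compatible Access'" `
                      -Properties member -ErrorAction SilentlyContinue
if ($legacy) {
    foreach ($dn in $legacy.member) {
        if ($dn -match '^CN=(S-1-1-0|S-1-5-7),CN=ForeignSecurityPrincipals,') {
            $who = if ($Matches[1] -eq 'S-1-1-0') { 'Everyone' } else { 'Anonymous Logon' }
            Add-Finding 'Pre-Windows 2000 Compatible Access' $who 'legacy (NT 4-style) read access to all users and groups'
        }
    }
}

if ($findings.Count -eq 0) {
    'No unexpected members found.'
} else {
    $findings | Sort-Object Group, Member | Format-Table -AutoSize
}
```

Run it in each domain of the forest; the forest-wide checks only execute when the script is pointed at the forest root domain.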

This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations, or FSMO). They are permitted to perform dynamic updates on behalf of other clients such as DHCP servers. Adding clients to this security group mitigates this scenario. However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain).

Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers.

The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group.

This is considered a service administrator account because its members have full access to the domain controllers in a domain.

Yes. Safe to move out of default container? Yes. Safe to delegate management of this group to non-Service admins?

By default, any computer account that is created automatically becomes a member of this group. The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.

The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.

By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group or add the Domain Users group to a local group on the print server that has permissions for the printer.

The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers.

Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain.

This is considered a service administrator account. Members of this group are Read-Only Domain Controllers in the enterprise.

Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. Read-only domain controllers address some of the issues that are commonly found in branch offices.

These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it. Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.

You may want to make sure any group policies that you applied related to this are removed. You can view group policies applied to a workstation using the rsop. To find all the policies that are applied to your user account, you would use the following command: If you are looking for all policies applied to your computer, all you need to do is change the scope:
