LSA Privileges
Jean-Baptiste Marchand
Jean-Baptiste.Marchand at hsc.fr
Mon Feb 10 16:04:52 GMT 2003
tridge at samba.org wrote:
> I found the GUI interface in w2k (its in
> local_security_settings->user_rights_assignment) and it looks like
> there are 34 currently.
Strictly speaking, this GUI presents privileges and logon rights.
In Windows 2000, the following logon rights are defined :
Access this computer from the network
Deny access to this computer from the network
Log on locally
Deny logon locally
Log on a service
Deny logon as a service
Log on a batch job
Deny logon as a batch job
In Windows XP and Windows Server 2003, there is also :
Allow logon through Terminal Services
Deny logon through Terminal Services
The main difference between privileges and logon rights is that logon
rights do not appear in a security token. A logon right is only verified
when a session is created.
Depending on the type of the session, an SID is added to the token,
representing the type of session :
INTERACTIVE
NETWORK
BATCH
SERVICE
DIALUP
REMOTE INTERACTIVE LOGON (only in Windows XP)
Then, it is possible to use this SID to do access control or auditing,
using one of the SID above in DACL or SACL.
Sorry for being pedantic about that ;-)
Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand at hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/
More information about the samba-technical
mailing list