How to Change User Rights Assignment Security Policy Settings in Windows 10

  • Last updated
How to Change User Rights Assignment Security Policy in Windows blog banner image
  • Last updated

Managing user privileges in Windows 10 by configuring User Rights Assignments security policy offers IT administrators more control over device accessibility and security. User Rights Assignments also allow IT teams to configure more secure networks or extend administrative privileges to users such as for remote IT support specialists.

This blog will break down what User Rights Assignments in Windows 10 do and how to modify its settings to strengthen your security posture and create custom access privileges.

What Are Windows Security Policies?

Windows Security Policies are a set of operating system configurations that govern how users can interact with devices and corporate resources. From access control to enforcing password complexity, security policies ensure that a system operates securely while still adhering to organizational requirements.

The role of User Rights Assignment in Windows security

User Rights Assignment defines what a user or system account is authorized to do on a machine, such as logging on locally, accessing a system over a network, or backing up files. This targeted approach allows custom configurations tailored to different roles, enhancing security without limiting functionality. Always ensure that the chosen group memberships and their access rights align with organizational compliance and operational needs.

Common security policies controlled by User Rights Assignment

  • “Log on locally”

This setting controls who can sign in directly through the device.

  • “Access this computer from the network”

This setting determines who can control a PC remotely. Several types of network protocols, such as NetBIOS require this right to function. The “Deny access to this computer from the network “ right overrides this.

  • “Allow log on through Remote Desktop Services”

This right determines who can access a device’s sign-in screen through Windows’ remote access tool, Remote Desktop Services (formerly known as Terminal Services).

  • “Shut down the system”

This setting specifies which accounts can turn off or reset the Windows device.

  • “Back up files and directories”

This right allows a user or group to bypass permissions that they lack in order to back up critical files for data security.

  • “Take ownership of files or other objects”

This security policy allows users to take ownership of files and other resources, regardless of prior permissions. IT administrators can use this right to recover access to a file on a locked device or to gain ownership of files after an employee leaves the organization.

Step-by-step guide to changing User Rights Assignment settings

Prerequisites for modifying User Rights Assignment in Windows 10

Before making changes to these policies, you must have administrator-level access. If you wish to update a group policy object on the domain controller, you also need admin access to install the Microsoft Management Console (MMC). To change security policy settings on Windows 10, you will need to access either the Local Group Policy Editor or the Local Security Policy Editor.

However, you also need to make sure that you have a compatible version of Windows as some tools, like Local Group Policy Editor, are available only on Windows 10 Pro or Enterprise editions, not the Home version.

How to configure a User Right Assignment using the Local Security Policy console

  1. Navigate to the Local Security Policy by typing “secpol.msc” into the Start menu search bar.
  2. Go to the Security Settings, then select Local Policies. You can edit a User Rights Assignment from here.
  3. Double-click the security policy that you need to modify.
  4. Modify which users and groups are included by clicking either the “Add user or group…” or “Remove” buttons.
  5. Click the OK button once you’re finished.

How to configure a security policy setting using the Local Group Policy Editor console

  1. Go to the Local Group Policy Editor (gpedit.msc).
  2. Navigate to Computer Configuration > Windows Settings> Security Settings.
  3. From here, you can click on Local Policies to edit a User Right Assignment setting by double-clicking the security policy.
  4. You can select which users or groups are included by clicking either the “Add user or group…” or “Remove” buttons.
  5. Click “OK” to save your changes.

Windows 10 user rights management guide: best practices for configuring User Rights Assignment

1. Avoid overly permissive configurations

Granting excessive permissions increases the chances of misuse, accidental changes, misconfigurations, or even exploitation by cybercriminals. Apply the Least Privilege Access, which dictates that users or groups should only have the minimum rights required to perform their tasks. Make use of the Local Security Policy Editor for granular control of security policy settings.

2. Log and document changes for troubleshooting

Track changes to all changes made to User Rights Assignments to make it easier for technicians to troubleshoot any security configurations. IT documentation software makes it faster and more efficient to log and access information detailing the default and current configurations, along with any history of prior modification.

3. Test changes in a non-production environment before applying them broadly

Changes to User Rights Assignment policies can have far-reaching consequences if not implemented carefully. For example, incorrectly modifying “Access this computer from the network” can lead to losing remote access functionality. You can use a virtual machine with tools like Hyper-V or VMware to create isolated testing environments.

Use cases and practical uses for configuring user privileges on Windows 10

1. Controlling logon permissions

Login privileges allow administrators to define how users can access a system. Restricting logon privileges is highly recommended for kiosk devices or shared workstations. For example, IT administrators can assign the “Log on locally” right to the technician user groups, allowing them to access devices to troubleshoot and resolve any issues remotely.

2. Securing Windows devices and servers

IT administrators should change the security policy settings on Windows 10 to prevent unauthorized access and protect sensitive data. Modifying user rights access policies ensures that access to Windows devices and servers is only given to authorized users and roles. This helps prevent unauthorized access that can lead to data breaches.

3. Compliance management

Modifying local security policy settings makes it easier for IT compliance as it allows organizations in industries like finance or healthcare to meet regulatory standards. For example, PCI compliance requires administrative access to systems managing payment data to reduce risks that user rights access can enforce strict controls over logon privileges and administrative rights to comply with these guidelines.

 FAQs

1. What is the difference between User Rights Assignment and NTFS permissions?

A User Rights Assignment defines what actions users or groups are authorized to perform at the system level, such as logon access. NTFS permissions, on the other hand, control users’ access to interact with files and folders stored on an NTFS-formatted drive. For example, a user may have NTFS permission to Read a file in a shared folder but may not be able to access the laptop from the network because of a User Rights Assignment policy.

2. Can User Rights Assignment settings be reverted to default?

Yes, you can use the Local Security Policy Editor to revert User Rights Assignments to the default. Alternatively, for domain-joined systems, Group Policy configurations can enforce standard settings defined by your organization, effectively reverting any local changes directly.

3. Are these changes applicable across all users or just specific accounts?

You can configure User Rights Assignment settings to apply to specific accounts or groups rather than all users.

Managing user privileges in Windows 10 for enhanced security

User Rights Assignment allows IT administrators to proactively protect their Windows systems and effectively manage user access controls. By modifying Local Security Policy settings, IT administrators can ensure that their Windows 10 systems are secure while also ensuring that end-users, technicians, and other stakeholders have the appropriate user privileges to complete their tasks.

Simplify Windows 10 security settings management with NinjaOne Windows Endpoint Management. With NinjaOne, you can get real-time information on all your endpoint devices, manage user permissions at scale, and back up critical files from a single pane of glass. NinjaOne’s automation tools reduce manual workloads by taking care of repetitive tasks so IT professionals can focus on strategic tasks. See NinjaOne in action today – watch a demo, or try it for free.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about Ninja Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.

Start your Free Trial

You might also like

How to Convert GPT Disk to MBR Disk in Windows blog banner image

How to Convert GPT Disk to MBR Disk in Windows 10 and Windows 11

How to Convert NTFS to FAT32 without Data Loss blog banner image

How to Convert NTFS to FAT32 without Data Loss in Windows

How to Configure Narrator in Windows 10 blog banner image

How to Configure Narrator in Windows 10

How to Configure Inherited Permissions for Files and Folders in Windows blog banner image

How to Configure Inherited Permissions for Files and Folders in Windows

how to remove a kiosk account with Assigned access in windows blog banner image

How to Set Up or Remove a Kiosk Account with Assigned Access in Windows 10 & 11

How to Add and Remove a Network location in Windows blog banner image

How to Add and Remove a Network Location in Windows 10

Ready to simplify the hardest parts of IT?
Start a Free Trial
Get a demo
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept