Creating Custom User Rights Checks


A user right is a type of control that is placed upon a user. It determines who may perform specific tasks or operations. In a Microsoft Windows environment, a user right refers to a security policy that applies to individual users or to groups of users. It is considered a best practice to manage user rights using security principals and user groups so that they can apply across a wide range of machines rather than a specific machine.


Within VMware vCenter Protect - Configuration Management, you can define a custom check that specifies who should be assigned a specific user right. During a machine scan, all users, groups, and security principals with the specified user right are identified. The custom check is in compliance only if there is an exact match with the users, groups, and security principals specified within the check.


Note: You must define a separate custom check for each user right you want to scan for.

  1. To create a new custom User Rights Assignment check from scratch, from the Custom Check Wizard click Create New Custom Check.

The following dialog is displayed:


  2. Select the desired operating system levels and then click Next.

Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.

The General Properties dialog is displayed.


  3. Type a unique name for the custom check and a description.

Tip: Include the user right name as part of the custom check name. This will help you identify the purpose of the check later.

  4. In the Type box select User Rights Assignment and then click Next.

The Specific Properties dialog is displayed. For example:


  5. In the User Right box, specify the type of user right for which you want to create a custom check.

The rights available on this dialog are all well-known, standard Windows rights. The rights reside in an XML file that can be periodically updated by VMware Inc. For information about any of the listed rights, simply perform a Web search on the term listed in parentheses at the end of a selection.

Note: Not all user rights are available in all operating systems. If after performing a scan you notice that a specific user right is not found, it means the user right is not associated with the operating system. Simply remove that check from the policy.

  6. Click Test Check.

This will show the users on the local machine that are currently assigned the user right. You can use this as a starting point on the next dialog (where you specify the users you want assigned this right).

  7. Click Next.

The Operator and Value dialog is displayed.


  8. Select an operator.

The only operator currently offered is = (equal to). This means that a scanned machine must be an exact match with all aspects of this check in order to be found in compliance with this check.

  9. Click Specify Users and specify the users that will be affected by this check.



Select this object type

Shows the object types currently available for assigning to a check. To change this, click Object Types. The Object Types dialog is displayed.




There are three possible object types:

  • Built-in security principals: Consists of well-known accounts and services that are built into Windows operating systems.

  • Groups: Consists of all Windows groups matching the search criteria.

  • Users: Consists of all Windows users matching the search criteria.

From this location

Specifies where the objects that you want to assign to this check reside. The default location is the local machine. In many cases the objects will reside elsewhere, such as your network directory. To specify a different location, click Locations. The Locations dialog is displayed. For example:




Navigate to the desired location and then click OK.


Enter the object names to select

Type the name of the object that you want to assign to the user right. You can specify multiple object names at once by separating the object names with a semicolon. When specifying object names you should use the following syntax:


  • Display name: First name Last name

  • Object name: machine1

  • User name: user1

  • Object name@domain name: machine1@domain1

  • Domain name\Object name: domain1\machine1


User rights are typically associated with user groups or security principals. This makes for easier and wider-ranging management of user rights, with the common user groups or security principals available for multiple machines. This approach is recommended within VMware vCenter Protect - Configuration Management.


Note: The use of machine-specific accounts is not recommended as it may require scanning on a machine-by-machine basis in order to check for compliance. If you do specify a machine-specific account such as a built-in user account or a user defined within a local group, you must include the machine name when typing the object name (example: MachineA\Administrator). To see the built-in user accounts and the users defined within a local group on your machine, select Start > Control Panel > Admin Tools > Computer Management > Local Users & Groups.


To verify the accuracy of the names, click Check Names. The program has built-in intelligence and will return all valid names with their properly formatted syntax. When specifying security principal names, you can type just the first few characters of the name and then click Check Names. The program will present the full name of the nearest match (if any).


If any names cannot be found, the Name Not Found dialog is displayed.





If you want to perform a search for available names using search criteria, click Advanced. The dialog extends to display additional options. For example:




Common Queries: The options on this tab are typically only enabled if you select a location other than the local machine. It enables you to specify the following search criteria:

  • Name

  • Description

  • Disabled accounts

  • Non-expiring password

  • Days since last logon

Columns: Used to specify the columns that will be shown in the list at the bottom of the dialog.

Find Now: Initiates a search for names that match the specified search criteria.

Stop: Stops the name search.



Note: Names are not preserved if you go back and forth between this dialog and another dialog. You must specify all names on this dialog the first time.


Important! If you select any special users specific to the local machine (for example, a SQL Server user such as SQLServer2005SQLBrowserUser$name), the check is likely to fail. This is because the security ID (SID) associated with the name on a remote machine is likely to be different. An exception to this is the built-in user account Support_388945a0, which is used to control access to certain signed scripts on a machine. This user is always supported regardless of the SID associated with the name on remote machines.

When you are finished specifying users, click OK.

  10. On the Operator and Value dialog, click Next.

The following dialog is displayed.



  11. (Optional) If you want to export this custom check to an XML file to use it as the starting point for other custom checks, click Export to File.

For more information, see Exporting Custom Checks.

  12. Click Finish.

The custom check is displayed within the policy. For example:
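The following is an added example, not code from the product or this page: it models the check logic described above in Python, namely the exact-match (=) operator and the object name syntaxes accepted by the Specify Users dialog. It assumes the principals currently holding each right are available in the `[Privilege Rights]` INF format that `secedit /export` writes (a constructed sample stands in for a real scan); the function and sample names are my own.

```python
# Constructed sample in the "[Privilege Rights]" INF format written by
# "secedit /export /cfg <file>". The product's own scan data is not shown on
# the page, so this stands in for who holds each user right on one machine.
SAMPLE_SCAN = """
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = Guest,MachineA\\LocalSvcUser
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

def normalize(principal: str) -> str:
    """Canonicalise one principal so the same account written two ways
    compares equal: user1, domain1\\machine1 and machine1@domain1 become
    lowercase 'domain\\name' (or the bare name); '*SID' becomes the SID."""
    p = principal.strip()
    if p.startswith("*"):
        return p[1:].upper()            # SID entry, e.g. S-1-5-32-544
    if "@" in p:                        # object@domain -> domain\object
        name, domain = p.split("@", 1)
        return f"{domain}\\{name}".lower()
    return p.lower()

def parse_privilege_rights(inf_text: str) -> dict:
    """Return {user_right: set(normalized principals)} from the INF text."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            right, _, value = line.partition("=")
            rights[right.strip()] = {normalize(v) for v in value.split(",") if v.strip()}
    return rights

def evaluate_check(user_right: str, expected: list, scan: dict) -> dict:
    """Apply the only operator the check offers, '=' (exact match).

    Compliant only when the scanned set equals the expected set; otherwise
    report who is missing and who holds the right unexpectedly. A right that
    the scan does not know at all is reported as not found (the page notes
    some rights do not exist on every operating system level)."""
    want = {normalize(p) for p in expected}
    have = scan.get(user_right)
    if have is None:
        return {"compliant": False, "found": False, "missing": sorted(want), "extra": []}
    return {"compliant": want == have, "found": True,
            "missing": sorted(want - have), "extra": sorted(have - want)}
```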