Access Denied: Understanding the Access this computer from the network User Right

To which services and resources does the Access this computer from the network user right actually control access? Windows documentation on this right is nothing more than a wordy restatement of the user right's name and gives the impression that without this right you can't access the computer by any remote means. But that doesn't seem to be the case. My tests seem to show that you don't need this right to log on via Terminal Services, for instance.

Despite the broad-sounding name, the Access this computer from the network user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary. For instance, to control who can connect via Telnet, you need to create a local group called TelnetClients and populate it with your authorized users. When a user tries to connect to Telnet, Windows checks for the existence of TelnetClients. If the group exists, Windows verifies that the user trying to log on belongs to the group.

To control who can connect via Terminal Services, Windows Server 2003 has the new user right Allow logon through Terminal Services. On Windows 2000 Server, you must control Terminal Services logons through connection object permissions. See the Web-exclusive article "Terminal Services, Part 3," March 2001, InstantDoc ID 20145, for more details about connection objects. The Remote Registry service provides network access to the registry, and Windows uses the permissions on the HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg subkey to determine who can connect to the registry remotely. For more information about the Remote Registry service, see the Web-exclusive article "Dangerous Services, Part 1," December 2000, InstantDoc ID 16301.