How role-based access rights can be used

Role-based access rights are more flexible than Active Directory group membership because Active Directory groups provide static permissions. For example, if Jonah is a member the Active Directory Backup Operators group, he has all of the permissions defined for members of that group regardless of when or where he logs on to computers in the forest. In contrast, role assignments can be scheduled to start and end, apply only during specific hours, or only be available on specific computers. For example, Jonah may only be in the Backup Operators role on a specific computer or only on weekends.

Role-based access rights also prevent password sharing for privileged accounts, helping to ensure accountability. Users who need to be able to launch applications with elevated privileges can log on with their regular account credentials but run the application using an appropriate role without being prompted to provide the administrative password. For example, if Angela is assigned a role that enables her to run Disk Defragmenter using elevated privileges, she can log on with her normal credentials and select the role that enables her to run Disk Defragmenter without being prompted to provide an administrator user name and password.