
Windows NT Groups

NT uses primary groups to ensure that every user is a member of at least one group. The user's default primary group is "Domain Users". A user must first be added to another group before they can be removed from the Domain Users group. Groups must be managed from the PDC, although this can be done remotely.

Main Group Types

Groups cannot be renamed.

  • Local Groups - Used only on the local computer. A Windows server's local administration can only be managed by local administrators. Local groups may contain:
    • Local user accounts
    • User accounts from this domain
    • User accounts from trusted domains
    • Global groups from this domain
    • Global groups from trusted domains
    They may not contain other local groups.
  • Global Groups - Can be used across domains. They may contain:
    • Domain user accounts. They may not contain user accounts from trusted domains.

Computers and Groups

  • Local groups can exist on workstations, member servers, and domain controllers (PDC and BDC).
  • Local groups reside on NT systems only (servers and workstations).
  • NT workstations and Member servers only contain local groups.
  • Domain controllers contain local and global groups.
  • Global Groups - Are used on the domain across the network and apply to all computers in the domain.
  • Global groups can only reside on PDCs and BDCs.
  • Adding users or global groups to a local group on a domain PDC gives them that group's rights (such as those of the Backup Operators local group) on BDCs also.

Therefore any global groups must be added to the local groups on domain controllers for access. These machines come initially configured with some global groups as members of local groups; for example, GLOBAL ADMINS is a member of the local ADMINISTRATORS group. Only PDCs or BDCs can be used to create global groups, unless domain client software is installed on the workstation or server. Global groups may contain:
  • Local domain user accounts (i.e. accounts from this domain)

Special Groups created at installation time

These are special groups that are not on the group menu.

  1. System - Used to manage accounts that provide system services such as the webserver.
  2. Everyone - All on the local machine, in the domain and trusted domains.
  3. Interactive - A user at the local machine.
  4. Network - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the network.
  5. Creator/Owner - The owner of the resource.

NT Domain Global Groups

  • Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain. It initially contains the Administrator user account.
  • Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. It initially contains all users in the domain except for guests.
  • Domain Guests - Contains the domain Guest account.

Domain Controller Local Groups

Domain controllers share the same local groups.

  • Account Operators - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller. This group is only on domain controllers.
  • Administrators - Those who administer the domain and the server. It initially contains the DOMAIN ADMINS global group.
  • Backup Operators - Those who can save files to tape backup media. This group is on all NT servers.
  • Print Operators - This local group can control the sharing of printers, along with shutting down the domain controller.
  • Replicator - Used to perform directory replication. This group is on all NT servers.
  • Server Operators - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.
  • Users - Those who use the server.
  • Guests - Should be empty

Administrators and server operators can create network shares. A password can't be specified for a network share.

Special Groups

Special groups are managed by the operating system.

  • Everyone
  • Guests - Anonymous users that don't have an account. This group is part of the Everyone group, so be sure not to give the Everyone group access to sensitive data.

Other Special Groups

These are special groups that are not on the group menu.

  1. System - Used to manage accounts that provide system services such as the webserver.
  2. Interactive - A user at the local machine.
  3. Network - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the network.
  4. Creator/Owner - The owner of the resource.

Adding a global group to a local group from another domain

  1. Establish the appropriate trust relationship.
  2. Add the required local group at the resource(s) in the trusting domain.
  3. Add the appropriate global group in the trusted domain and add appropriate users to that group.
  4. In the trusting domain, double-click the local group created in step 2, select the domain and the group name from step 3, and add the group to the local group.
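
The four steps above, together with the containment rules under Main Group Types, can be modelled to check a planned membership before it is made and to list which accounts end up holding a local group's rights. This is an added example, not part of the original guide; the domain, group and user names are constructed, and the rule that global groups hold no nested groups is standard NT 4 behaviour assumed here rather than stated on the page.

```python
# Added example: NT group containment rules plus the cross-domain procedure.
# All domain, group and user names below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Group:
    domain: str                    # domain (or machine) that holds the group
    name: str
    kind: str                      # "local" or "global"
    members: list = field(default_factory=list)  # "DOMAIN\\user" strings or Groups

class NestingError(ValueError):
    """Raised when a membership would break a containment rule."""

def add_member(group, member, trusts):
    """Add a user or Group; trusts maps a trusting domain to the domains it trusts."""
    is_group = isinstance(member, Group)
    m_domain = member.domain if is_group else member.split("\\", 1)[0]
    if group.kind == "global":
        # Assumption (standard NT 4 behaviour): global groups hold user accounts only.
        if is_group:
            raise NestingError("global groups may contain only user accounts")
        if m_domain != group.domain:
            raise NestingError("global groups may not contain accounts from other domains")
    else:
        if is_group and member.kind == "local":
            raise NestingError("local groups may not contain other local groups")
        if m_domain != group.domain and m_domain not in trusts.get(group.domain, set()):
            raise NestingError(f"{group.domain} does not trust {m_domain}")
    group.members.append(member)

def effective_users(group):
    """Flatten a group to the user accounts that end up holding its rights."""
    users = set()
    for m in group.members:
        users |= effective_users(m) if isinstance(m, Group) else {m}
    return users

def cross_domain_demo():
    trusts = {"RESOURCES": {"ACCOUNTS"}}                  # step 1: RESOURCES trusts ACCOUNTS
    local = Group("RESOURCES", "PayrollFiles", "local")   # step 2: local group at the resource
    glob = Group("ACCOUNTS", "PayrollStaff", "global")    # step 3: global group in trusted domain
    for user in ("ACCOUNTS\\alice", "ACCOUNTS\\bob"):
        add_member(glob, user, trusts)
    add_member(local, glob, trusts)                       # step 4: nest global into local
    return local, glob, trusts

if __name__ == "__main__":
    local, _, _ = cross_domain_demo()
    print(sorted(effective_users(local)))
```

Running `effective_users` against privileged local groups such as Administrators or Server Operators shows every account that inherits those rights through a nested global group, which is the list to review when auditing a domain.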

Administrator Rights

  • Access the security log.
  • Backup and restore files and directories.
  • Change time.
  • Control user rights.
  • Create and remove network shares.
  • Create and remove printer shares.
  • Create local groups and manage them.
  • Create global groups and manage them.
  • Create user accounts and manage them.
  • Format the hard drive on the server.
  • Keep a local profile on the server.
  • Log on locally.
  • Lock the server and bypass the lock.
  • Manage auditing.
  • Shutdown the system locally or remotely.
  • Take ownership of files.
  • Use the network to access servers.

Server Operator Rights

  • Backup and restore files and directories.
  • Change time.
  • Create and remove network shares.
  • Create and remove printer shares?
  • Create local groups and manage them.
  • Keep a local profile on the server.
  • Log on locally.
  • Lock the server and bypass the lock.
  • Shutdown the system locally or remotely.

Account Operator Rights

  • Add computer accounts to a domain.
  • Create local groups and manage them.
  • Create global groups and manage them.
  • Create user accounts and manage them.
  • Keep a local profile on the server.
  • Log on locally.
  • Shutdown the system locally.
  • Cannot manage Administrator accounts, or Administrators, backup operators, server operators, print operators, account operators local groups or any members of these groups or any global groups in these groups. They cannot administer security policies.

Print Operator Rights

  • Create and remove printer shares.
  • Keep a local profile on the server.
  • Log on locally.
  • Shutdown the system locally.

Backup Operator Rights

  • Backup and restore files and directories.
  • Keep a local profile on the server.
  • Log on locally.
  • Shutdown the system locally.

Replicator Groups

Actual users are not placed in this group, only a user for the replicator service.

Local Group Rights

  • Add computers to the domain - Administrators and Server Operators. Use the "Add workstations and member servers to domain" right to give users this right exclusively.
  • Audit log and security log viewing - Administrators
  • Back up and restore files and directories - Administrators, Server Operators, Backup Operators
  • Change time - Administrators, Server Operators.
  • Load and unload device drivers - Administrators.
  • Local log on - Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
  • Shut the system down - Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
  • Shut the system down remotely - Administrators, Server Operators.
  • Take ownership of files and folders - Administrators