Windows NT Workstation Groups
Groups cannot be renamed. Two types of group accounts:
- Local group - Has local computer permissions and rights only.
- Global group - The group's permissions and rights exist in the group's domain and domains that have a trust relationship with the group's domain. Global groups may be given rights and permissions of local groups. Only NT Server can create global groups.
Local groups can include global groups. They will not include other local groups. Local groups are created in the User Manager. Created groups may be deleted with the User Manager, but built-in system groups may not be deleted. When a domain is joined, the domain administrators group is added to the local administrators group and the domain users group is added to the local users group on the computer that joins the domain.
Local Groups created at installation time
- Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
- Power Users - Have some administrative privileges such as ability to share directories and printers.
- Users - Have privileges for daily tasks. All users on the computer are normally in this group.
- Guests - Have minimal privileges. Can be renamed, but can't be deleted.
- Backup Operators - Have privileges for performing system backup.
- Replicators - A service account that NT uses to perform the replication function. Allows the server to replicate files to the NT workstation machine.
Special Groups created at installation time
These are special groups that are not on the group menu.
- System - Used to manage accounts that provide system services such as the webserver.
- Everyone - All on the local machine, in the domain and trusted domains.
- Interactive - A user at the local machine.
- Network - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the network.
- Creator/Owner - The owner of the resource.
Pass-through authentication is the process of a local user logon being passed to the domain, allowing the user to be logged onto the domain at the same time. The local user name and password must be the same as the domain user name and password. Domain user and group accounts are created and stored on the PDC (Primary Domain Controller) SAM (Security Accounts Manager) database. Two types of groups in a domain are:
- Local groups - These groups are used to manage local resources. They can exist on workstations, member servers, and domain controllers (PDC and BDC).
- Global groups - These groups can be used on any computer that is a part of the domain. Domain controllers are the only way to create and modify global groups.
Three domain global groups built in to the NT domain:
- Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain.
- Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group.
- Domain Guests - Contains the domain Guest account.
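The following is an added example, not part of the original page: a small model of the nesting and domain-join rules above, used to audit which accounts effectively hold local Administrators rights on a workstation before and after it joins a domain. The domain name CORP and the user names are constructed, and the model assumes a global group holds only user accounts.

```python
# Added illustration; CORP and all user names are constructed sample data.
# Assumption: a global group holds only user accounts, so one level of expansion suffices.

def new_workstation():
    """Local group database with two of the built-in local groups."""
    return {"Administrators": {("user", "Administrator")}, "Users": set()}

def add_member(local_groups, group, kind, name):
    """Add a user or global group to a local group; local-in-local nesting is refused."""
    if kind == "local":
        raise ValueError(f"{group}: a local group cannot contain local group {name!r}")
    if kind not in ("user", "global"):
        raise ValueError(f"unknown member kind {kind!r}")
    local_groups[group].add((kind, name))

def join_domain(local_groups, domain):
    """Apply the membership changes made when the workstation joins a domain."""
    add_member(local_groups, "Administrators", "global", f"{domain}\\Domain Admins")
    add_member(local_groups, "Users", "global", f"{domain}\\Domain Users")

def effective_members(local_groups, global_groups, group):
    """Map each account with the local group's rights to how it obtained them."""
    result = {}
    for kind, name in sorted(local_groups[group]):
        if kind == "user":
            result[name] = "direct"
        else:
            for account in sorted(global_groups.get(name, ())):
                result.setdefault(account, f"via {name}")
    return result

def demo():
    global_groups = {  # held in the domain's SAM database on the PDC
        "CORP\\Domain Admins": {"CORP\\alice"},
        "CORP\\Domain Users": {"CORP\\alice", "CORP\\bob"},
    }
    ws = new_workstation()
    add_member(ws, "Administrators", "user", "backupadmin")
    before = effective_members(ws, global_groups, "Administrators")
    join_domain(ws, "CORP")
    after = effective_members(ws, global_groups, "Administrators")
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before join:", before)
    print("after join: ", after)
```

The "after" result shows why membership of Domain Admins should be reviewed as carefully as each machine's own Administrators group: every member gains administrative rights on every workstation in the domain.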
Three local groups on the domain controller:
- Account Operators - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller.
- Print Operators - This local group can control the sharing of printers, along with shutting down the domain controller.
- Server Operators - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.