Windows 2000 Groups
Groups cannot be renamed. Four types of group accounts:
- Local group - Has local computer permissions and rights only.
- Global group - The group's permissions and rights exist in the group's domain and in domains that have a trust relationship with the group's domain. Global groups may be given the rights and permissions of local groups. Only NT Server can create global groups.
- Domain Local group - Created on Active Directory controllers and used to manage access to resources in the domain.
- Universal group - Users from multiple domains that perform similar tasks or share resources across the domains. Any group or user in any domain can be a member of a universal group. The universal group is, however, not available in Active Directory mixed mode.
Local groups can include global groups. They cannot include other local groups. Local groups are created in the User Manager. Created groups may be deleted with the User Manager, but built-in system groups may not be deleted. When a computer joins a domain, the Domain Admins group is added to the local Administrators group and the Domain Users group is added to the local Users group on that computer.
Local Groups created on non domain controllers at installation time
- Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
- Power Users - Have some administrative privileges such as ability to share directories and printers. Can manage Power Users, Guests and User groups.
- Users - Have privileges for daily tasks. All users on the computer are normally in this group. Can manage local groups they create.
- Guests - Have minimal privileges. Can be renamed, but can't be deleted.
- Backup Operators - Have privileges for performing system backup.
- Replicators - A service account that NT uses to perform the replication function. Allows the server to replicate files to the NT workstation machine.
Non-Domain Controller Special Groups
These are special groups that are not on the group menu. These groups also exist on domain controllers.
- System * - Used to manage accounts that provide system services such as the web server.
- Everyone * - All on the local machine, in the domain and trusted domains.
- Interactive * - A user at the local machine.
- Network * - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the
- Creator/Owner * - The owner of the resource.
- Creator Group - For Apple users or POSIX application users.
- Anonymous Logon - Any user that used anonymous logon.
- Authenticated Users - Any Windows 2000 locally or globally authenticated user.
- Batch - A program that logged on using the logon as batch job user right.
- Dialup - A user logged on using a phone line, VPN, or cable connection.
- Service - A service logged on with a user account.
- Terminal Server Unit - A user logged on using a terminal.
Local Groups on domain controllers
Created during Active Directory installation.
- Administrators * - Those who administer the domain and the server. It initially contains the DOMAIN ADMINS global group.
- Account Operators * - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller. This group is only on domain controllers.
- Backup Operators * - Those who can save files to tape backup media. This group is on all NT servers.
- Print Operators * - This local group can control the sharing of printers, along with shutting down the domain controller.
- Server Operators * - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.
- Replicators * - Used to perform directory replication. This group is on all NT servers.
- Users * - Those who use the server.
- Guests * - Includes the Guest account and Domain Guests group.
- Pre-Windows 2000 Compatible Access - Allows Windows NT 4.0 users to get domain access. The Everyone group needs to be a member of this group when there are NT computers in the domain.
Global and Universal Groups
- Domain Admins * - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain. It initially contains the Administrator user account.
- Domain Users * - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. It initially contains all users in the domain except for guests.
- Domain Guests * - Contains the domain Guest account.
- Enterprise Admins - It is automatically a member of the Administrators local group on all machines that are members of any domain in the forest.
- Schema Admins - This group has rights to modify the schema of the Active Directory database. This group only exists on the highest level domain in the forest.
- Domain Controllers
- Domain Computers - Computers that are members of the domain.
- Cert Publishers - Users that can publish security certificates.
- Group Policy Admins - Users who can modify group policy settings for objects in the domain.
- Local group - Open the "Computer Management" dialog box by clicking on "My Computer", and "Manage". Click + next to "Local Users and Groups", highlight "Groups", select "Action", and "New Groups".
- Global group - The Administrative Tool, "Active Directory Users and Computers" is used to create and manage these groups.
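The same two creation steps, plus the nesting rule from the local groups section above (a local group may contain a global group, but never another local group) and the check that Domain Admins landed in the local Administrators group after the domain join, can be done from a command prompt with the NET commands that ship with Windows 2000. This is an added example and not part of the original page; the domain name EXAMPLEDOM and the group names are placeholders.

```batch
@echo off
rem Added example, not from the original page. Assumes a domain named
rem EXAMPLEDOM (placeholder) and uses placeholder group names.

rem 1. Create a local group on a workstation or member server. This is the
rem    command-line equivalent of Computer Management -> Local Users and
rem    Groups -> Groups -> New Group.
net localgroup "Report Viewers" /add /comment:"Read access to the report share"

rem 2. Create a global group in the domain. NET GROUP only works against a
rem    domain controller; /DOMAIN sends the request to the DC of the domain
rem    this computer belongs to (the same task as Active Directory Users and
rem    Computers -> New -> Group).
net group "Report Readers" /add /comment:"Staff who read reports" /domain

rem 3. Nest the global group in the local group. Permissions are then granted
rem    once, to the local group, and membership is managed in the domain.
net localgroup "Report Viewers" "EXAMPLEDOM\Report Readers" /add

rem 4. Verify the result. The second listing should show
rem    EXAMPLEDOM\Domain Admins, which is added automatically when the
rem    computer joins the domain; anything else in Administrators that you
rem    did not put there deserves a closer look.
net localgroup "Report Viewers"
net localgroup Administrators
```

Run this from a command prompt as a member of the local Administrators group; step 2 additionally requires a domain account in Account Operators or Domain Admins, since only a domain controller can create or modify global groups.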
Pass-through authentication is the process of a local user logon being passed to the domain, allowing the user to be logged onto the domain at the same time. The local user name and password must be the same as the domain user name and password. Domain user and group accounts are created and stored in the SAM (Security Accounts Manager) database on the PDC (Primary Domain Controller). Two types of groups in a domain are:
- Local groups - These groups are used to manage local resources. They can exist on workstations, member servers, and domain controllers (PDC and BDC).
- Global groups - These groups can be used on any computer that is a part of the domain. Domain controllers are the only way to create and modify global groups.
Three domain global groups built in to the NT domain:
- Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain.
- Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group.
- Domain Guests - Contains the domain Guest account.
Three local groups on the domain controller:
- Account Operators - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller.
- Print Operators - This local group can control the sharing of printers, along with shutting down the domain controller.
- Server Operators - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.
Active Directory Groups
There are two types of Active Directory groups, each with a different purpose. These are:
- Security principal groups - These groups can be assigned permissions. Their scope can be:
  - Domain local
- Distribution groups - Used to group users for applications such as mail.