Windows 2000 Groups

Groups cannot be renamed. Four types of group accounts:

  • Local group - Has local computer permissions and rights only.
  • Global group - The group's permissions and rights exist in the group's domain and in domains that have a trust relationship with the group's domain. Global groups may be given the rights and permissions of local groups. Only NT Server can create global groups.
  • Domain Local group - Created on Active Directory controllers and used to manage access to resources in the domain.
  • Universal group - Users from multiple domains that perform similar tasks or share resources across the domains. Any group or user in any domain can be a member of the universal group. The universal group is, however, not available in Active Directory mixed mode.

Local groups can include global groups. They will not include other local groups. Local groups are created in the User Manager. Created groups may be deleted with the User Manager, but built-in system groups may not be deleted. When a domain is joined, the Domain Admins group is added to the local Administrators group and the Domain Users group is added to the local Users group on the computer that joins the domain.

Local Groups created on non-domain controllers at installation time

  • Administrators - Used to administer the system. It is a good idea to make a backup administrator user.
  • Power Users - Have some administrative privileges such as ability to share directories and printers. Can manage Power Users, Guests and User groups.
  • Users - Have privileges for daily tasks. All users on the computer are normally in this group. Can manage local groups they create.
  • Guests - Have minimal privileges. Can be renamed but can't be deleted.
  • Backup Operators - Have privileges for performing system backup.
  • Replicators - A service account that NT uses to perform the replication function. Allows the server to replicate files to the NT workstation machine.

Non-Domain Controller Special Groups

These are special groups that are not on the group menu. These groups also exist on domain controllers.

  • System * - Used to manage accounts that provide system services such as the web server.
  • Everyone * - All on the local machine, in the domain and trusted domains.
  • Interactive * - A user at the local machine.
  • Network * - Anyone who accesses information on this computer over the network (remotely). It can be used to restrict users from getting to specific resources over the network.
  • Creator/Owner * - The owner of the resource.
  • Creator Group - For Apple users or POSIX application users.
  • Anonymous Logon - Any user that used anonymous logon.
  • Authenticated Users - Any Windows 2000 locally or globally authenticated user.
  • Batch - A program that logged on using the logon as batch job user right.
  • Dialup - A user logged on using a phone line, VPN, or cable connection.
  • Service - A service logged on with a user account.
  • Terminal Server User - A user logged on using a terminal.

Local Groups on domain controllers

Created during Active Directory installation.

  • Administrators * - Those who administer the domain and the server. It initially contains the DOMAIN ADMINS global group.
  • Account Operators * - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller. This group is only on domain controllers.
  • Backup Operators * - Those who can save files to tape backup media. This group is on all NT servers.
  • Print Operators * - This local group can control the sharing of printers, along with shutting down the domain controller.
  • Server Operators * - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.
  • Replicators * - Used to perform directory replication. This group is on all NT servers.
  • Users * - Those who use the server.
  • Guests * - Includes the Guest account and Domain Guests group.
  • Pre-Windows 2000 Compatible Access - Allows Windows NT 4.0 users to get domain access. The Everyone group needs to be a member of this group when there are NT computers in the domain.
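Because the built-in groups above carry broad rights (Administrators, Server Operators, Account Operators, Backup Operators), a defender will want to check their membership against an expected baseline. The following is an added example, not from the original page: it parses `net localgroup <group>` output and reports unexpected members; the sample output and the CORP domain and svc-backup names are constructed assumptions.

```python
# Added example (not from the original page): parse `net localgroup <group>` output
# and flag members that are not on an expected baseline. The sample output below
# (in the format `net localgroup` prints) and the CORP / svc-backup names are constructed.

# Expected members of two high-privilege built-in local groups from this page; a
# domain join places DOMAIN\Domain Admins into the local Administrators group.
BASELINE = {
    "Administrators": {"Administrator", "CORP\\Domain Admins"},
    "Backup Operators": {"CORP\\svc-backup"},
}

SAMPLE_NET_OUTPUT = {
    "Administrators": """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\svc-backup
The command completed successfully.
""",
    "Backup Operators": """\
Alias name     Backup Operators
Comment        Backup Operators can override security restrictions to back up or restore files

Members

-------------------------------------------------------------------------------
CORP\\svc-backup
The command completed successfully.
""",
}

def parse_net_localgroup(text: str) -> set[str]:
    # Member names follow the dashed separator; StopIteration if the separator is missing.
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("---"))
    body = (l.strip() for l in lines[start + 1:])
    return {l for l in body if l and not l.startswith("The command completed")}

def audit(outputs: dict[str, str], baseline: dict[str, set[str]]) -> dict[str, set[str]]:
    # Map each baselined group to members that are present but not expected.
    findings = {}
    for group, expected in baseline.items():
        if group in outputs:
            extra = parse_net_localgroup(outputs[group]) - expected
            if extra:
                findings[group] = extra
    return findings
```

Here the backup service account appears in Administrators although Backup Operators already grants it the backup right, which is exactly the kind of over-privilege the audit is meant to surface.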

Global and Universal Groups

  • Domain Admins * - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain. It initially contains the Administrator user account.
  • Domain Users * - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group. It initially contains all users in the domain except for guests.
  • Domain Guests * - Contains the domain Guest account.
  • Enterprise Admins - It is automatically a member of the administrators local group on all machines that are a member of all domains in the forest.
  • Schema Admins - This group has rights to modify the schema of the Active Directory database. This group only exists on the highest level domain in the forest.
  • Domain Controllers
  • Domain Computers - Computers that are members of the domain.
  • Cert Publishers - Users that can publish security certificates.
  • Group Policy Admins - Users who can modify group policy settings for objects in the domain.

Group Creation

  • Local group - Open the "Computer Management" dialog box by clicking on "My Computer", and "Manage". Click + next to "Local Users and Groups", highlight "Groups", select "Action", and "New Groups".
  • Global group - The Administrative Tool, "Active Directory Users and Computers" is used to create and manage these groups.

Group Accounts

Pass-through authentication is the process of a local user logon being passed to the domain, allowing the user to be logged onto the domain at the same time. The local user name and password must be the same as the domain user name and password. Domain user and group accounts are created and stored in the PDC (Primary Domain Controller) SAM (Security Accounts Manager) database. The two types of groups in a domain are:

  • Local groups - These groups are used to manage local resources. They can exist on workstations, member servers, and domain controllers (PDC and BDC).
  • Global groups - These groups can be used on any computer that is a part of the domain. Domain controllers are the only way to create and modify global groups.

Three domain global groups built in to the NT domain:

  • Domain Admins - It is automatically a member of the administrators local group on all machines that are a member of the domain. This way global administrators may remotely administer any machine in the domain.
  • Domain Users - Contains all created domain user accounts. On the domain controller, this group is a member of the users local group.
  • Domain Guests - Contains the domain Guest account.

Three local groups on the domain controller:

  • Account Operators - This group has privileges to create and manage local and global users and groups in the domain. This group can also shut down the domain controller.
  • Print Operators - This local group can control the sharing of printers, along with shutting down the domain controller.
  • Server Operators - Basically this group can do anything on the NT server. They can format the hard drive, restore or backup files or directories, create and control shared directories, control the sharing of printers, lock/unlock the server, shut down the domain controller locally or remotely, and modify the system time.

Active Directory Groups

There are two types of Active Directory groups, each with a different purpose. These are:

  • Security principal groups. These groups can be assigned permissions. Their scope can be:
    • Domain local
    • Global
    • Universal
  • Distribution groups - Used to group users for applications such as mail.
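The nesting rules stated earlier (local groups can hold global groups but not other local groups; universal groups exist only in native mode) and the three scopes listed above can be written down as a checker. This is an added example, not from the original page; the remaining scope rules it encodes (same-domain limits for global and domain local nesting) are taken from standard Windows 2000 behaviour and are an assumption here.

```python
# Added example (not from the original page): decide whether one group may be a
# member of another, given the scopes on this page and the domain mode.
# The rules the page does not state explicitly are an assumption from Windows 2000 docs.
from dataclasses import dataclass

SCOPES = ("local", "domain_local", "global", "universal")

@dataclass(frozen=True)
class Group:
    name: str
    scope: str    # one of SCOPES; "local" is a machine-local group
    domain: str   # domain name, or the computer name for a machine-local group

def can_nest(container: Group, member: Group, native_mode: bool) -> bool:
    """True if `member` may be added to `container`."""
    if container.scope not in SCOPES or member.scope not in SCOPES:
        raise ValueError("unknown group scope")
    same_domain = container.domain == member.domain
    # Universal security groups are not available in mixed mode (stated on this page).
    if member.scope == "universal" and not native_mode:
        return False
    if container.scope == "local":
        # Machine-local groups accept global (and universal) groups, never other local groups.
        return member.scope in ("global", "universal")
    if container.scope == "global":
        # Global groups nest only same-domain global groups, and only in native mode.
        return native_mode and member.scope == "global" and same_domain
    if container.scope == "domain_local":
        # Global and universal groups from any domain; same-domain domain local in native mode.
        if member.scope in ("global", "universal"):
            return True
        return native_mode and member.scope == "domain_local" and same_domain
    # universal container: global and universal groups from any domain, native mode only
    return native_mode and member.scope in ("global", "universal")

def explain(container: Group, member: Group, native_mode: bool) -> str:
    """Human-readable verdict for a proposed membership."""
    verdict = "allowed" if can_nest(container, member, native_mode) else "not allowed"
    mode = "native" if native_mode else "mixed"
    return f"{member.name} ({member.scope}) in {container.name} ({container.scope}), {mode} mode: {verdict}"
```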