Module 3: Setting up Group Accounts
- A group is a collection of user accounts. Assigning a user to a group gives that user all the rights and permissions of that group.
The two types of groups are:
- Local groups: to give users permissions to one or more network resources.
  Note:
  - If you create a local group on a member server, you can only assign resources located on that member server.
  - If you create local groups on a PDC or BDC, you can grant domain-wide permissions to all accessible resources within the domain.
- Global groups: to organize domain user accounts, typically by function or geographical location.
  Note:
  - Global groups are always created on the PDC in the domain where the account resides.
  - A global group cannot contain user accounts from a different domain. To give members of a global group access to a resource, add the global group to the local group where the resource is located.
  - The local group can be found in any domain with the appropriate trust relationship.
| Local Groups | Global Groups |
|---|---|
| Provide users with permissions or rights | Organize domain users |
| Can include (from any domain): user accounts, global groups | Can only include user accounts in the domain where it resides |
| Cannot include other local groups | Cannot contain local or global groups |
| Are assigned permissions and rights in the local domain | Are added to a local group to give its members rights |
| Can only be assigned to local resources on a computer running Windows NT Workstation or on a member server | Are not assigned to resources |
| On a PDC, can be assigned resources on any domain controller in the domain | Must be created in the domain where the accounts reside. |
- Global groups can be created on a PDC from any Windows NT platform running User Manager for Domains.
- To be able to create groups, you must be a member of the Administrators or Account Operators group.
- Group names must be unique: they cannot be identical to other user or group names.
Note again:
To give users access to a resource on a member server, you HAVE to create the local group on the member server.
Implementing Built-In Groups
Built-in groups are predefined groups that have a predetermined set of user rights. These rights determine the tasks a user or member of a group can perform.
Built-in Local Groups
- give the rights to perform tasks such as backup or restore,
change system time, etc.
- are on ALL NT computers
Built-in Global Groups
- are on Domain Controllers only (PDC/ BDC)
System Group
- automatically organize users for system use
- there is no assigning for a human to do here
- users are members by default during network activity
- Computers running Windows NT have these types of built-in groups:
- Built-in local groups that are on all NT machines:
  - Users: Perform tasks for which they have been granted rights and access resources to which they have permissions.
  - Administrators: Can perform all administrative tasks on the local computer. If the computer is a DC, they can fully administer the full domain.
  - Guests: Perform tasks for which they have been granted rights and access resources to which they have permissions. Members cannot make permanent changes to their environment.
  - Backup Operators: Use the NT backup program to back up and restore all computers running Windows NT.
  - Replicators: Used by the Directory Replicator service. The group is not used for administration.
  - Power Users: This group only resides on computers running Windows NT Workstation and Member Servers. Members can create and modify accounts, and they can share resources.
Built-in Groups - Domain Controller Only
These built-in local groups are on NT Domain Controllers only. There are no initial members in these groups.

| Group Name | What they can do |
|---|---|
| Account Operators | Can create, delete, modify users, global groups and local groups. Cannot modify the Administrators or Server Operators group. |
| Server Operators | Share disk resources, and back up and restore the server. |
| Print Operators | Set up and manage network printers. |
Built-in Global Groups
Built-in global groups are on Domain Controllers only, and there are no initial members in these groups.

| This Group | Is automatically added to the |
|---|---|
| Domain Users | Local Users group. When a domain user account is created, it is automatically made a member of this group. The Administrator is a member by default. |
| Domain Admins | Local Administrators group. Members of the Domain Admins group can then perform administrative tasks on the local computer. The Administrator account is a member by default. |
| Domain Guests | Local Guests group. The Guest account is a member by default. |
Built-in System Groups
System groups reside on all computers running Windows NT and automatically organize users for system use. Users become members by default during network activity. Membership cannot be modified.

| System groups | Description |
|---|---|
| Key system groups used for network administration: | |
| Everyone | Includes all local and remote users who access the computer. Unlike the Domain Users group, this group contains user accounts other than those created by the administrator in the domain. Administrators can assign permissions and rights to this group. |
| Creator Owner | Includes the users that created or took ownership of a resource. |
| System groups that are not used for network administration: | |
| Network | Any user who is currently connected to a shared resource via the network. |
| Interactive | Members access resources on the computer at which they are physically sitting. |
- To implement local and global groups effectively, use the following steps:
  - Organize users into global groups.
  - Assign permissions to local groups.
  - Add global groups to local groups.
- Use the global group Domain Users instead of Everyone; it contains only accounts you've created, not all that have connected to the network.
- To enable Administrators to perform administrative tasks in other domains, add the global group Domain Admins to the local Administrators group on the computer in the remote domain.
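The nesting rules from the Local/Global comparison table and the three-step strategy above can be modeled and checked in a few lines. This is an added example, not part of the original notes; the domain names SALES and HQ, the user and group names, and the resource paths are constructed, and the required trust relationship between the domains is assumed to exist.

```python
class Group:
    def __init__(self, name, kind, domain):
        self.name, self.kind, self.domain = name, kind, domain  # kind: "local" | "global"
        self.members = []  # users as "DOMAIN\\user" strings, or Group objects

    def add(self, member):
        """Add a member, enforcing the nesting rules from the comparison table."""
        if isinstance(member, Group):
            if self.kind == "global":
                raise ValueError("global groups cannot contain local or global groups")
            if member.kind == "local":
                raise ValueError("local groups cannot include other local groups")
        elif self.kind == "global" and member.split("\\")[0] != self.domain:
            raise ValueError("global groups hold only users from their own domain")
        self.members.append(member)

def effective_users(local_group):
    """Users who receive whatever permissions the local group is assigned."""
    users = set()
    for m in local_group.members:
        users.update(m.members if isinstance(m, Group) else [m])
    return users

def audit_acl(acl):
    """Flag trustees that depart from the strategy described in the notes."""
    findings = []
    for resource, trustees in acl.items():
        for t in trustees:
            if t == "Everyone":
                findings.append((resource, "Everyone", "use Domain Users instead"))
            elif isinstance(t, Group) and t.kind == "global":
                findings.append((resource, t.name, "assign to a local group instead"))
    return findings

# Constructed sample: the resource lives on a member server in domain HQ.
sales_staff = Group("Sales Staff", "global", "SALES")   # step 1: organize users
sales_staff.add("SALES\\alice")
sales_staff.add("SALES\\bob")
reports_rw = Group("Reports RW", "local", "HQ")         # step 2: permissions go here
reports_rw.add(sales_staff)                             # step 3: global into local
reports_rw.add("HQ\\carol")                             # local groups accept users too
acl = {r"D:\Reports": [reports_rw], r"D:\Public": ["Everyone", sales_staff]}

if __name__ == "__main__":
    print(sorted(effective_users(reports_rw)))
    for finding in audit_acl(acl):
        print(finding)
```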