Windows NT Server 4.0 Administration Notes


Module 3: Setting up Group Accounts

  • A group is a collection of user accounts. Assigning a user to a group gives that user all the rights and permissions of that group.

The two types of groups are:

  • Local groups: to give users permissions to one or more network resources.

Note:

  • If you create a local group on a member server, you can only assign resources located on that member server
  • If you create local groups on a PDC or BDC, you can grant domain wide permissions to all accessible resources within the domain.

  • Global groups: to organize domain user accounts, typically by function or geographical location.

Note:

  • Global groups are always created on the PDC in the domain where the account resides.
  • A global group cannot contain user accounts from a different domain. To give members of a global group access to a resource, add the global group to the local group where the resource is located.
  • The local group can be found in any domain with the appropriate trust relationship.

Local groups compared with global groups:

Local Groups

  • Provide users with permissions or rights.
  • Can include (from any domain) user accounts and global groups.
  • Cannot include other local groups.
  • Are assigned permissions and rights in the local domain.
  • Can only be assigned to local resources on a computer running Windows NT Workstation or on a member server.
  • On a PDC, can be assigned resources on any domain controller in the domain.

Global Groups

  • Organize domain users.
  • Can only include user accounts in the domain where the group resides.
  • Cannot contain local or global groups.
  • Are added to a local group to give its members rights.
  • Are not assigned to resources.
  • Must be created in the domain where the accounts reside.

  • Global groups can be created on a PDC from any Windows NT platform running User Manager for Domains.
  • To be able to create groups, you must be a member of the Administrators or Account Operators group.
  • Group names must be unique: not identical to any other user or group name.

Note again:
To give users access to a resource on a member server, you HAVE to create the local group on the member server.

 

Implementing Built-In Groups

Built-in groups are predefined groups that have a predetermined set of user rights. These rights determine the tasks a user or member of a group can perform.

Built-in Local Groups

  • give the rights to perform tasks such as backup or restore, change system time, etc.
  • are on ALL NT computers


Built-in Global Groups

  • are on Domain Controllers only (PDC/ BDC)

System Group

  • automatically organize users for system use
  • there is no assigning for a human to do here
  • users are members by default during network activity

  • Computers running Windows NT have these types of built-in groups:
  • Built-in local groups that are on all NT machines:
    • Users: Perform tasks for which they have been granted rights and access resources to which they have permissions.
    • Administrators: Can perform all administrative tasks on the local computer. If the computer is a DC, they can fully administer the full domain.
    • Guests: Perform tasks for which they have been granted rights and access resources to which they have permissions. Members cannot make permanent changes to their environment.
    • Backup Operators: Use the NT backup program to back up and restore all computers running Windows NT.
    • Replicators: Used by the Directory Replicator service. The group is not used for administration.
    • Power Users: This group only resides on computers running Windows NT Workstation and on member servers. Members can create and modify accounts, and they can share resources.

Built-in Groups - Domain Controller Only

These built-in local groups are on NT domain controllers only. There are no initial members in these groups.
 

Group name, and what its members can do:

Account Operators
  • Can create, delete and modify users, global groups and local groups.
  • Cannot modify the Administrators or Server Operators group.
Server Operators
  • Share disk resources, and back up and restore the server.
Print Operators
  • Set up and manage network printers.

Built-in Global Groups

Built-in global groups are on domain controllers only, and there are no initial members in these groups.

Each built-in global group is automatically added to a local group:

  • Domain Users: added to the local Users group. When a domain user account is created, it is automatically made a member of this group. The Administrator is a member by default.
  • Domain Admins: added to the local Administrators group. Members of the Domain Admins group can then perform administrative tasks on the local computer. The Administrator account is a member by default.
  • Domain Guests: added to the local Guests group. The Guest account is a member by default.

Built-in System Groups

System groups reside on all computers running Windows NT and automatically organize users for system use. Users become members by default during network activity. Membership cannot be modified.

System groups and their descriptions:

Key system groups used for network administration:

  • Everyone: Includes all local and remote users who access the computer. Unlike the Domain Users group, this group contains user accounts other than those created by the administrator in the domain. Administrators can assign permissions and rights to this group.
  • Creator Owner: Includes the users that created or took ownership of a resource.

System groups that are not used for network administration:

  • Network: Any user who is currently connected to a shared resource via the network.
  • Interactive: Members access resources on the computer at which they are physically sitting.

  • To implement local and global groups effectively, use the following steps:
    • Organize users into global groups.
    • Assign permissions to local groups.
    • Add global groups to local groups.

Use the global group Domain Users instead of Everyone. Domain Users contains only accounts you've created, not all accounts that have connected to the network.

  • To enable Administrators to perform administrative tasks in other domains, add the Global group Domain Admins to the local Administrators group on the computer in the remote domain.
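
The three steps above and the membership rules from the local/global comparison, modelled as an added example that is not part of the original notes. The domain names (CORP, BRANCH), group names, user names and the "Change" permission entry are constructed for illustration.

```python
# Added example: a small model of the NT 4.0 group rules in these notes.
# All domain, group and user names are constructed for illustration.

class Group:
    def __init__(self, name, kind, domain):
        self.name, self.kind, self.domain = name, kind, domain  # kind: "local" or "global"
        self.members = []  # (domain, user) tuples, or Group objects

    def add(self, member):
        if isinstance(member, Group):
            # Global groups hold no groups; no group may hold a local group.
            if self.kind == "global" or member.kind == "local":
                raise ValueError(f"{self.name} cannot contain group {member.name}")
        elif self.kind == "global" and member[0] != self.domain:
            # Global groups hold only user accounts from their own domain.
            raise ValueError(f"{member[1]} is not an account in {self.domain}")
        self.members.append(member)

    def users(self):
        """Flatten membership to the set of (domain, user) accounts."""
        found = set()
        for m in self.members:
            found |= m.users() if isinstance(m, Group) else {m}
        return found


def who_can_access(acl):
    """acl maps a permission name to the local groups granted it on one resource."""
    return {perm: set().union(*(g.users() for g in groups))
            for perm, groups in acl.items()}


def build_example():
    # Step 1: organize users into a global group (created in the accounts' domain).
    sales = Group("Sales", "global", "CORP")
    sales.add(("CORP", "alice"))
    sales.add(("CORP", "bob"))
    # Step 2: assign permissions to a local group where the resource is located.
    sales_data = Group("SalesData", "local", "CORP")
    acl = {"Change": [sales_data]}
    # Step 3: add the global group to the local group.
    sales_data.add(sales)
    # A local group may also take a user account from another domain directly.
    sales_data.add(("BRANCH", "carol"))
    return sales, sales_data, acl


if __name__ == "__main__":
    _, _, acl = build_example()
    print(who_can_access(acl))
```

Resolving the access list this way shows who actually holds a permission once global groups are nested in local groups, which is the question to ask when reviewing a resource.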

 

 


Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada