Export (0) Print
Expand All

Default User Accounts and Groups

from Chapter 7, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

When you install Windows 2000, the operating system installs default users and groups. These accounts are designed to provide the basic setup necessary to grow your network. Three types of default accounts are provided:

  • Predefined User and group accounts installed with the operating system.

  • Built-In User and group accounts installed with the operating system, applications, and services.

  • Implicit Special groups created implicitly when accessing network resources; also known as special identities.

Note: Although you can modify the default users and groups, you can't delete default users and groups created by the operating system. The reason you can't delete these accounts is that you wouldn't be able to re-create them. The SIDs of the old and new accounts wouldn't match, and the permissions and privileges of these accounts would be lost.

Built-In User Accounts

Built-in user accounts have special uses on Windows 2000. While all Windows 2000 systems have one built-in account called LocalSystem, other built-in user accounts may be available.

The LocalSystem Account

LocalSystem is a pseudo-account for running system processes and handling system-level tasks. The account is available on the local system only. You can't change the settings for the LocalSystem account with the user administration tools. Users can't log on to a computer with this account.

Note: While users can't log on to a computer with the LocalSystem account, certain processes can log on using this account. For example, Windows 2000 services can be configured to log on to a computer using the System account. For more information, see the section of Chapter 3 entitled "Managing System Services."

Other Built-In Accounts

When you install add-ons or other applications on a workstation or server, other default accounts may be installed. You can usually delete these accounts.

When you install Internet Information Services, you may find several new accounts, including IUSR_host and IWAM_host, where host is the computer name. The IUSR_host account is the built-in account for anonymous access to Internet Information Services. The IWAM_host account is used by Internet Information Services to start out of process applications. These accounts are defined in Active Directory when they're configured on a domain. However, they're defined as local users when they're configured on a stand-alone server or workstation. Another built-in account that you may see is TSInternetUser. This account is used by Terminal Services.

Predefined User Accounts

Two predefined user accounts are installed with Windows 2000—Administrator and Guest. With workstations and member servers, predefined accounts are local to the individual system they're installed on.

Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems.

The Administrator Account

Administrator is a predefined account that provides complete access to files, directories, services, and other facilities. You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.

Tip To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows 2000 account, you may want to rename the account as an extra security precaution.

In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. By default, the Administrator account for a domain is a member of these groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Schema Admins, and Group Policy Creator Owners. You'll find more information on these groups in the next section.

Real World In a domain environment, you'll use the local Administrator account primarily to manage the system when you first install it. This allows you to set up the system without getting locked out. You probably won't use the account once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group. This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts.

For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties. Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.

The Guest Account

Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The potential is so great that the account is initially disabled when you install Windows 2000.

Tip If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you may want to rename the account as an added security precaution.

Built-In Groups

Built-in groups are installed with all Windows 2000 workstations and servers. Use the built-in groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, you give a user administrative access to the system by making a user a member of the local Administrators group. You give a user administrative access to the domain by making a user a member of the domain local Administrators group in Active Directory.

The availability of a specific built-in group depends on the current system configuration. Use Table 7-2 to determine the availability of the various built-in groups. Each of these groups is discussed later in the chapter.

Table 7-2 Availability of Built-In Groups Based on the Type of Network Resource

Group Name

Group Type

Active Directory Domain

Windows 2000 Professional or Member Server

Account Operators

Built-In Local

Yes

No

Administrators

Built-In Local, Local

Yes

Yes

Backup Operators

Built-In Local, Local

Yes

Yes

Guests

Built-In Local, Local

Yes

Yes

Power Users

Local

No

Yes

Pre-Windows 2000 Compatible Access

Built-In Local

Yes

No

Print Operators

Built-In Local

Yes

No

Replicator

Built-In Local, Local

Yes

Yes

Server Operators

Built-In Local

Yes

No

Users

Built-In Local, Local

Yes

Yes

Predefined Groups

Predefined groups are installed with Active Directory domains. Use these groups to assign additional permissions to users, computers, and other groups. You do this by making the user a member of the group. Predefined groups include domain local, global, and universal groups. The availability of a specific built-in group depends on the domain configuration.

Use Table 7-3 to determine the availability of the various predefined groups. Key predefined groups are discussed later in this chapter.

Note: The group scope for Enterprise Admins and Schema Admins can be either universal or global, depending on the operations mode. In mixed mode, these are global groups. In native mode, these are universal groups.

Table 7-3 Availability of Predefined Groups Based on Domain Configuration

Group Name

Group Type

When Installed

Cert Publishers

Global

By default

DHCP Administrators

Domain Local

With DHCP

DHCP Users

Domain Local

With DHCP

DnsAdmins

Domain Local

With DNS

DnsUpdateProxy

Global

With DNS

Domain Admins

Global

By default

Domain Computers

Global

By default

Domain Controllers

Global

By default

Domain Guests

Global

By default

Domain Users

Global

By default

Enterprise Admins

Universal/Global

By default

Group Policy Creator Owners

Global

By default

RAS and IAS Servers

Domain Local

With remote access services

Schema Admins

Universal/Global

By default

WINS Users

Domain Local

WINS

Implicit Groups and Special Identities

In Windows NT implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive. In Windows 2000, the object-based approach to the directory structure changes the original rules for implicit groups. While you still can't view the membership of special identities, you can grant membership in implicit groups to users, groups, and computers.

To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions. As with other default groups, the availability of a specific implicit group depends on the current configuration. Use Table 7-4 to determine the availability of the various implicit groups. Implicit groups are discussed later in this chapter.

Table 7-4 Availability of Implicit Groups Based on the Type of Network Resource

Group Name

Group Type

Active Directory Domain

Windows 2000 Professional or Member Server

Anonymous Logon

Implicit

Yes

Yes

Authenticated Users

Implicit

Yes

Yes

Batch

Implicit

Yes

Yes

Creator Group

Implicit

Yes

Yes

Creator Owner

Implicit

Yes

Yes

Dialup

Implicit

Yes

Yes

Enterprise Domain Controllers

Implicit

Yes

No

Everyone

Implicit

Yes

Yes

Interactive

Implicit

Yes

Yes

Network

Implicit

Yes

Yes

Proxy

Implicit

Yes

No

Restricted

Implicit

Yes

No

Self

Implicit

Yes

No

Service

Implicit

Yes

Yes

System

Implicit

Yes

Yes

Terminal Server User

Implicit

No

Yes

Account Capabilities

When you set up a user account, you can grant the user specific capabilities. You generally assign these capabilities by making the user a member of one or more groups, thus giving the user the capabilities of these groups. You then assign additional capabilities by making a user a member of the appropriate groups. You withdraw capabilities by removing group membership.

In Windows 2000, you can assign various types of capabilities to an account. These capabilities include

  • Privileges A type of user right that grants permissions to perform specific administrative tasks. You can assign privileges to both user and group accounts. An example of a privilege is the ability to shut down the system.

  • Logon rights A type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. An example of a logon right is the ability to log on locally.

  • Built-in capabilities A type of user right that is assigned to groups and includes the automatic capabilities of the group. Built-in capabilities are predefined and unchangeable, but they can be delegated to users with permission to manage objects, organizational units, or other containers. An example of a built-in capability is the ability to create, delete, and manage user accounts. This capability is assigned to administrators and account Operators. Thus, if a user is a member of the Administrators group, the user can create, delete, and manage user accounts.

  • Access permissions A type of user right that defines the operations that can be performed on network resources. You can assign access permissions to users, computers, and groups. An example of an access permission is the ability to create a file in a directory. Access permissions are discussed in Chapter 13.

As an administrator, you'll be dealing with account capabilities every day. To help track built-in capabilities, refer to the sections that follow. Keep in mind that while you can't change the built-in capabilities of a group, you can change the default rights of a group. For example, an administrator could revoke network access to a computer by removing a group's right to access the computer from the network.

Privileges

A privilege is a type of user right that grants permissions to perform a specific administrative task. You assign privileges through group policies, which can be applied to individual computers, organizational units, and domains. Although you can assign privileges to both users and groups, you'll usually want to assign privileges to groups. In this way, users are automatically assigned the appropriate privileges when they become members of a group. Assigning privileges to groups also makes it easier to manage user accounts.

Table 7-5 provides a brief summary of each of the privileges that can be assigned to users and groups. To learn how to assign privileges, see Chapter 8.

Table 7-5 Windows 2000 Privileges for Users and Groups

Privilege

Description

Act as part of the operating system

Allows a process to authenticate as any user and gain access to resources as any user. Processes that require this privilege should use the LocalSystem account, which already has this privilege.

Add workstations to domain

Allows users to add computers to the domain.

Back up files and directories

Allows users to back up the system regardless of the permissions set on files and directories.

Bypass traverse checking

Allows users to pass through directories while navigating an object path regardless of permissions set on the directories. The privilege doesn't allow the user to list directory contents.

Change the system time

Allows users to set the time for the system clock.

Create a pagefile

Allows users to create and change paging file size for virtual memory.

Create a token object

Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege should use the LocalSystem account, which already has this privilege.

Create permanent shared objects

Allows processes to create directory objects in the Windows 2000 object manager. Most components already have this privilege and it's not necessary to specifically assign it.

Debug programs

Allows users to perform debugging.

Enable user and computer accounts to be trusted for delegation

Allows users and computers to change or apply the trusted-for-delegation setting, provided they have write access to the object.

Force shutdown of a remote system

Allows users to shut down a computer from a remote location on the network.

Generate security audits

Allows processes to make security log entries for auditing object access.

Increase quotas

Allows processes to increase the processor quota assigned to other process, provided they have write access to the process.

Increase scheduling priority

Allows processes to increase the scheduling priority assigned to other processes, provided they have write access to the processes.

Load and unload device drivers

Allows users to install and uninstall plug-and-play device drivers. This doesn't affect device drivers that aren't plug-and-play, which can only be installed by administrators.

Lock pages in memory

In Windows NT, allowed processes to keep data in physical memory, preventing the system from paging data to virtual memory on disk. Not used in Windows 2000.

Manage auditing and security log

Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first.

Modify firmware environment values

Allows users and processes to modify system environment variables.

Profile a single process

Allows users to monitor the performance of nonsystem processes.

Profile system performance

Allows users to monitor the performance of system processes.

Remove computer from docking station

Allows users to unlock a computer

Replace a process-level token

Allows processes to replace the default token for subprocesses.

Restore files and directories

Allows users to restore backed up files and directories, regardless of the permissions set on files and directories.

Shut down the system

Allows users to shut down the local computer.

Synchronize directory service data

Allows users to synchronize directory service data on domain controllers.

Take ownership of files

Allows users to take ownership of any or other objects Active Directory objects.

Logon Rights

A logon right is a type of user right that grants logon permissions. You can assign logon rights to both user and group accounts. As with privileges, you assign logon rights through group policies and you'll usually want to assign logon rights to groups rather than individual users.

Table 7-6 provides a brief summary of each of the logon rights that can be assigned to users and groups. To learn how to assign logon rights, see Chapter 8

Table 7-6 Windows 2000 Logon Rights for Users and Groups

Logon Right

Description

Access this computer from the network

Allows users to connect to the computer over the network. By default, this privilege is granted to Administrators, Everyone, and Power Users.

Deny access to this computer from the network

Denies remote access to the computer.

Deny logon as batch job

Denies the right to log on through a batch job or script.

Deny logon as service

Denies the right to log on as a service.

Deny logon locally

Denies the right to log on to the computer's keyboard.

Log on as a batch job

Allows users to log on using a batch-queue facility. This capability is not supported in the current release of Windows 2000. By default, this privilege is granted to Administrators.

Log on as a service

Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.

Log on locally

Allows users to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

Built-In Capabilities for Groups in Active Directory

The built-in capabilities for groups in Active Directory are fairly extensive. The tables that follow summarize the most common capabilities that are assigned by default. Table 7-7 shows the default user rights for groups in Active Directory domains. This includes both privileges and logon rights. Note that any action that's available to the Everyone group is available to all groups, including the Guests group. This means that although the Guests group doesn't have explicit permission to access the computer from the network, Guests can still access the system because the Everyone group has this right.

Table 7-7 Default User Rights for Groups in Active Directory

User Right

Groups Assigned

Access this computer from the network

Everyone

Add workstations to domain

Administrators

Back up files and directories

Administrators, Server Operators, Backup Operators

Bypass traverse checking

Everyone

Change the system time

Administrators, Server Operators

Create a pagefile

Administrators

Debug programs

Administrators

Force shutdown from a remote system

Administrators, Server Operators

Increase quotas

Administrators

Increase scheduling priority

Administrators

Load and unload device drivers

Administrators

Log on locally

Administrators, Server Operators, Account Operators, Backup Operators, Print Operators

Manage auditing and security log

Administrators

Modify firmware environment variables

Administrators

Profile a single process

Administrators

Profile system performance

Administrators

Remove computer from docking station

Administrators

Restore files and directories

Administrators, Server Operators, Backup Operators

Shut down the system

Administrators, Server Operators, Account Operators, Backup Operators, Print Operators

Take ownership of files or other objects

Administrators

Table 7-8 shows the default user rights for local groups on member servers and workstations. Again, this includes both privileges and logon rights. Note that on these systems, Power Users have privileges that normal users don't.

Table 7-8 Default User Rights for Local Groups

User Right

Groups Assigned

Access this computer from the network

Administrators, Power Users, Everyone

Back up files and directories

Administrators, Backup Operators

Bypass traverse checking

Everyone

Change the system time

Administrators, Power Users

Create a pagefile

Administrators

Debug programs

Administrators

Force shutdown from a remote system

Administrators

Increase quotas

Administrators

Increase scheduling priority

Administrators

Load and unload device drivers

Administrators

Log on locally

Administrators, Backup Operators, Power Users, Users, Everyone, Guests

Manage auditing and security log

Administrators

Modify firmware environment variables

Administrators

Profile a single process

Administrators, Power Users

Profile system performance

Administrators

Remove computer from docking station

Administrators, Power Users, Users

Restore files and directories

Administrators, Backup Operators

Shut down the system

Administrators, Backup Operators, Power Users, Users

Take ownership of files or other objects

Administrators

Table 7-9 summarizes capabilities that can be delegated to other users and groups. As you study the table, note that restricted accounts include the Administrator user account, the user accounts of administrators, and the group accounts for Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Because these accounts are restricted, Account Operators can't create or modify them.

Table 7-9 Other Capabilities for Built-In and Local Groups

Task

Description

Group Normally Assigned

Assign user rights

Allows users to assign user rights to other users

Administrators

Create, delete, and manage user accounts

Allows users to administer domain user accounts

Administrators, Account Operators

Modify the membership of a group

Allows users to add and remove users from domain groups

Administrators, Account Operators

Create and delete groups

Allows users to create a new group and delete existing groups

Administrators, Account operators

Reset passwords on user accounts

Allows users to reset passwords on user accounts

Administrators, Account Operators

Read all user information

Allows users to view user account information

Administrators, Server Operators, Account Operators

Manage group policy links

Allows users to apply existing group policies to sites, domains, and organizational units for which they have write access to the related objects

Administrators

Manage printers

Allows users to modify printer settings and manage print queues

Administrators, Server Operators, Printer Operators

Create and delete printers

Allows users to create and delete printers

Administrators, Server Operators, Printer Operators

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.

Link
Click to order


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft