Using the Built-In Group Accounts

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

from Chapter 4, Windows NT Administrator's Pocket Consultant by William R. Stanek.

The built-in group accounts are designed to be versatile. By assigning users to the right groups, you can make managing your Windows NT workgroup or domain a lot easier. Unfortunately, with so many different groups, understanding the purpose of each isn't easy. To help, let's divide the groups into four categories: those used by administrators, those used by operators, those used by users, and those that are implicitly created.

Groups Used by Administrators

An administrator is someone who has wide access to network resources. Administrators can create accounts, modify user rights, install printers, manage shared resources, and more. The main administrator groups are Administrators and Domain Admins.

Table 4-7 The Administrators Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| NT Domains | Local | Administrator, Domain Admins | Administrators |
| Workgroups, computers not part of a Windows NT domain | Local | Administrator | Administrators |

Administrators is a local group that provides full administrative access to a workstation or server. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account (see Table 4-7).

Tip: The local user Administrator and the global group Domain Admins are members of this group. The Administrator user membership is used to access the local computer. The Domain Admins membership allows other administrators to access the system from elsewhere in the domain. Thus, if you want to isolate a server, you could remove Domain Admins from this group.

Table 4-8 Domain Admins Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Servers and Workstations in Windows NT Domains | Global | Administrator | Administrators |

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it is by default a member of the Administrators group. To make someone an administrator for a domain, make that person a member of this group. When you add a stand-alone server or workstation to a domain, the Domain Admins group is automatically added to the computer's Administrators group (see Table 4-8).

Tip: In a Windows NT domain, the Administrator local user is a member of Domain Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to all resources in the domain. To prevent this, you can remove the local Administrator account from the Domain Admins group.

Groups Used by Operators

Operators are users who have privileges to perform very specific administrative tasks, such as creating accounts or backing up file systems. By default, no other group or user accounts are members of the operator groups. This is primarily to ensure that you grant explicit access to these accounts. Additionally, because these are local groups, operators can only perform the tasks on a specific computer.

The operator groups are Account Operators, Backup Operators, Print Operators, Server Operators, and Replicator.

Table 4-9 Account Operators Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Windows NT Domain Controllers | Local | None | Administrators |

Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights (see Table 4-9).

Table 4-10 Backup Operators Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Any server or workstation | Local | None | Administrators |

Backup Operators is a local group that enables a user to back up and restore files and directories on workstations and servers in a Windows NT domain. Members of this group can log on to a computer, back up or restore files, and shut down the computer. Because of how the account is set up, they can back up files regardless of whether they have read/write access to the files. However, they can't change access permissions of the files or perform other administrative tasks (see Table 4-10).

Table 4-11 Print Operators Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Windows NT Domain Controllers | Local | None | Administrators |

Print Operators is a local group for managing network printers. Members of this group can manage printers running in a Windows NT domain. They can define which printers are shared, which printers aren't, and other related printer privileges. Print Operators can also log on to a server locally and shut it down (see Table 4-11).

Table 4-12 Server Operators Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Windows NT Domain Controllers | Local | None | Administrators |

Server Operators is a local group that allows a user to perform general administrator tasks. These tasks include creating common program groups, sharing server resources, performing file backup and recovery, formatting the server's disk drives, and more. As with other operator accounts, Server Operators can also log on to a server locally and shut it down. Server Operators can perform most common server administration tasks (see Table 4-12).

Table 4-13 Replicator Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Any server or workstation | Local | None | Administrators, Account Operators, Server Operators |

Replicator, a special group account, is used with the directory replication service. Administrators and operators can set up this service to manage the replication of files and directories in a domain. If you do this, you'll need to set up a special user account for the replication service and make the account a member of this group (see Table 4-13).
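Added example (not from the book): a Python check that parses `net localgroup <group>` output and reports members that differ from the defaults in Tables 4-7 and 4-9 through 4-13. It surfaces both explicit grants to the operator groups and a removed Domain Admins entry, as in the server-isolation tip. The sample output, the CORP domain, and the account names are constructed, and the wildcard for the Domain Admins prefix is an assumption.

```python
from fnmatch import fnmatchcase

# Defaults from Tables 4-7 and 4-9 to 4-13 (computer in a domain), lower-cased.
# r"*\domain admins" allows any domain prefix (assumed display form).
BASELINE = {
    "Administrators": ["administrator", r"*\domain admins"],
    "Account Operators": [], "Backup Operators": [], "Print Operators": [],
    "Server Operators": [], "Replicator": [],
}

def parse_net_localgroup(text):
    """Return (group, members) parsed from `net localgroup <group>` output."""
    group, members, in_list = None, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("alias name"):
            group = line[len("alias name"):].strip()
        elif line and set(line) == {"-"}:
            in_list = True               # dashed rule precedes the members
        elif line.lower().startswith("the command completed"):
            in_list = False
        elif in_list and line:
            members.append(line)
    return group, members

def audit(outputs):
    """List (group, change, name) where membership differs from BASELINE."""
    findings = []
    for group, members in map(parse_net_localgroup, outputs):
        patterns = BASELINE.get(group)
        if patterns is None:
            continue                     # group not covered by the baseline
        for m in members:
            if not any(fnmatchcase(m.lower(), p) for p in patterns):
                findings.append((group, "added", m))
        for p in patterns:
            if not any(fnmatchcase(m.lower(), p) for m in members):
                findings.append((group, "removed", p))
    return findings

# Constructed sample output (abridged), not captured from a real system.
SAMPLE = [r"""Alias name     Administrators
-------------------------------------------------------------------------------
Administrator
CORP\jsmith
The command completed successfully.""", r"""Alias name     Backup Operators
-------------------------------------------------------------------------------
CORP\svc_backup
The command completed successfully."""]
print(audit(SAMPLE))
```

A "removed" finding for Domain Admins is expected on a server that was isolated on purpose; anywhere else it is worth investigating along with every "added" entry.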

Groups Used by Users

Windows NT provides many different types of user accounts. These accounts are designed to meet the needs of diverse networking environments. The user groups are Users, Domain Users, Power Users, Guests, and Domain Guests.

Table 4-14 Users Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Servers and workstations in Windows NT domains | Local | Domain Users, Administrator | Administrators, Account Operators |
| Computers not part of a Windows NT domain | Local | User account selected during installation of the operating system | Administrators, Power Users |

Users are the people who do most of their work on a single Windows NT workstation. Because of this, members of the Users group have more restrictions than privileges. By default, members of the Users group cannot log on locally to a Windows NT server acting as a domain controller. However, they can access the controller's resources over the network.

On Windows NT workstations, members of the Users group can log on to a workstation locally, keep a local profile, lock the workstation, and shut down the workstation. Users can also create local groups and manage those groups.

In Windows NT domains, the local Administrator and the global Domain Users are members of this group by default. For workgroups or isolated workstations, there are no predefined members of this group (see Table 4-14).

Table 4-15 Domain Users Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Servers and Workstations in Windows NT domains | Global | Administrator | Administrators, Account Operators |

Domain Users is a global group for users in a Windows NT domain. When new domain users are created, they are added to this group automatically. By default, the local Administrator is a member of this group (see Table 4-15).

Table 4-16 Power Users Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Non-domain controllers and computers not part of a Windows NT domain | Local | None | Administrators, Power Users |

Power Users exist only on computers that are not domain controllers. Power Users have all the privileges of members of the Users group, as well as a few additional privileges. They can create accounts and modify the accounts they create. They can also modify the groups for Users, Guests, and Power Users. Beyond this, Power Users can also create common program groups, lock the workstation, have a local profile, and share system resources.

To give users of a Windows NT workstation extra control, Microsoft recommends that you make them members of the Power Users group. This allows users to perform limited administration on their workstations (see Table 4-16).

Table 4-17 Guests Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Server or workstation in a Windows NT domain | Local | Domain Guests, Guest | Administrators, Account Operators |
| Computers not part of a Windows NT domain | Local | Guest | Administrators, Power Users |

Guests are users with very limited privileges. Members of the Guests group can access the system and its resources remotely, but they can't perform most other tasks, such as logging on locally.

For Windows NT domains, the only member of this group is Domain Guests. On workgroups or isolated computers, there are no default members for this group (see Table 4-17).

Note: Keep in mind that any action available to the group Everyone is available to the Guests group. This means that if someone is a member of the local Guests account, they can lock a Windows NT domain controller or workstation, access a Windows NT domain controller or workstation remotely, and shut down a workstation.

Table 4-18 Domain Guests Group Overview

| Network Environment | Group Type | Membership | Account Administration |
|---|---|---|---|
| Servers and Workstations in Windows NT Domains | Global | Guest | Administrators, Account Operators |

Domain Guests are users with guest privileges throughout a domain. By default, the local Guest user is a member of this account. Therefore, anytime you create a local guest account in a Windows NT domain, the guest user gains access to the entire domain (see Table 4-18).

Implicit Groups

Windows NT defines a set of implicit groups that can be used to handle directory and file permissions in certain situations. These groups are not available in the User Manager. The implicit groups are Interactive, Network, Everyone, System, and Creator Owner.

The Interactive Group

Any user logged in to the local system is a member of the Interactive group. This group is used to allow only local users to access a resource.

The Network Group

Any user accessing the system through a network is a member of the Network group. This group is used to allow only remote users to access a resource.

The Everyone Group

All interactive and network users are members of the Everyone group. This group is used to give wide access to a system resource.

The System Group

The Windows NT Operating System itself is the member of this group. This group is used when the operating system needs to perform a system-level function.

The Creator Owner Group

The person who created the file or directory is a member of this group. This group is used by Windows NT to automatically grant access permissions to the creator of a file or directory.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
