Using Default Group Accounts

from Chapter 7, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

The default group accounts are designed to be versatile. By assigning users to the right groups, you can make managing your Windows 2000 workgroup or domain a lot easier. Unfortunately, with so many different groups, understanding the purpose of each isn't easy. To help, let's divide the groups into five categories: groups used by administrators, groups used by operators, groups used by users, groups used by computers, and groups that are implicitly created.

Groups Used by Administrators

An administrator is someone who has wide access to network resources. Administrators can create accounts, modify user rights, install printers, manage shared resources, and more. The main administrator groups are Administrators, Domain Admins, and Enterprise Admins, as compared in Table 7-10.

Tip The Administrator local user and the global groups Domain Admins and Enterprise Admins are members of the Administrators group. The Administrator user membership is used to access the local computer. The Domain Admins membership allows other administrators to access the system from elsewhere in the domain. The Enterprise Admins membership allows other administrators to access the system from other domains in the current domain tree or forest. To prevent enterprise-wide access to a domain, you can remove Enterprise Admins from this group.

Table 7-10 Administrators Group Overview

Administrators Group Type | Network Environment | Group Scope | Membership | Account Administration
------------------------- | ------------------- | ----------- | ---------- | ----------------------
Administrators | Active Directory domains | Domain Local | Administrator, Domain Admins, Enterprise Admins | Administrators
Administrators | Workgroups, computers not part of a domain | Local | Administrator | Administrators
Domain Admins | Active Directory domains | Global | Administrator | Administrators
Enterprise Admins | Active Directory domains | Global or Universal | Administrator | Administrators

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on where the group is defined. Because this group has complete access, you should be very careful about adding users to it. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this group.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it's a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.

Tip In a Windows 2000 domain, the Administrator local user is a member of Domain Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to all resources in the domain. To prevent this, you can remove the local Administrator account from the Domain Admins group.

Enterprise Admins is a global group designed to help you administer all the computers in a domain tree or forest. This group has administrative control over all computers in the enterprise because it's a member of the Administrators group by default. To make someone an administrator for the enterprise, make that person a member of this group.

Tip In a Windows 2000 domain, the Administrator local user is a member of Enterprise Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to the domain tree or forest. To prevent this, you can remove the local Administrator account from the Enterprise Admins group.

Groups Used by Operators

Operators are users who have privileges to perform very specific administrative tasks, such as creating accounts or backing up file systems. By default, no other group or user accounts are members of the operator groups. This feature exists primarily to make sure that you grant explicit access to these accounts. Additionally, because these are local groups, operators can only perform the tasks on a specific computer.

The operator groups are Account Operators, Backup Operators, Print Operators, Server Operators, and Replicator, as compared in Table 7-11.

Table 7-11 Operators Group Overview

Operators Group Type | Network Environment | Group Scope | Membership | Account Administration
-------------------- | ------------------- | ----------- | ---------- | ----------------------
Account Operators | Active Directory domains | Built-In Local | None | Administrators
Backup Operators | Any server or workstation | Built-In Local, Local | None | Administrators
Print Operators | Active Directory domains | Built-In Local | None | Administrators
Server Operators | Active Directory domains | Built-In Local | None | Administrators
Replicator | Any server or workstation | Built-In Local, Local | None | Administrators, Account Operators, Server Operators

Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.

Backup Operators is a local group that enables a user to back up and restore files and directories on workstations and servers in a Windows 2000 domain. Members of this group can log on to a computer, back up or restore files, and shut down the computer. Because of the rights assigned to the group, they can back up files regardless of whether they have read/write access to the files. However, they can't change access permissions of the files or perform other administrative tasks.

Print Operators is a local group for managing network printers. Members of this group can manage printers running in a Windows 2000 domain. They can define which printers are shared, which printers aren't, and other related printer privileges. Print Operators can also log on to a server locally and shut it down.

Server Operators is a local group that allows a user to perform general administrator tasks. These tasks include sharing server resources, performing file backup and recovery, and more. As with other operator accounts, Server Operators can also log on to a server locally and shut it down. Server Operators can perform most common server administration tasks.

Replicator, which is a special group account, is used with the directory replication service. Administrators and operators can set up this service to manage the replication of files and directories in a domain. If you do this, you'll need to set up a special user account for the replication service and make the account a member of this group.
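Because the operator groups are empty by default and Table 7-10 documents the default membership of Administrators, any difference from those defaults is an explicit grant that an administrator should be able to account for. The following added Python example (not from the book) parses the listing that the `net localgroup <group>` command prints and reports that drift; the command and its output layout are assumed from Windows 2000's net.exe, and the CORP domain and the members helpdesk and jdoe are constructed for the demonstration.

```python
# Added example: compare a `net localgroup` listing with the documented defaults.
# Documented default direct membership (Tables 7-10 and 7-11). Operator groups are
# empty by default, so any member is an explicit grant that should be reviewed.
DOCUMENTED_DEFAULTS = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Account Operators": set(),
    "Backup Operators": set(),
    "Print Operators": set(),
    "Server Operators": set(),
}

def parse_net_localgroup(output):
    """Extract member names from the text that `net localgroup <group>` prints."""
    lines = output.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("---")), None)
    if start is None:
        raise ValueError("no member list found; was the group name valid?")
    members = set()
    for line in lines[start + 1:]:
        if line.startswith("The command completed"):
            break
        if line.strip():
            members.add(line.strip().split("\\")[-1])  # drop a DOMAIN\ prefix
    return members

def membership_drift(group, output, defaults=DOCUMENTED_DEFAULTS):
    """Return (unexpected, missing) members relative to the documented default for `group`."""
    actual = parse_net_localgroup(output)
    return actual - defaults[group], defaults[group] - actual

# Constructed sample output in the layout net.exe uses (CORP, helpdesk, jdoe are invented).
SAMPLE_ADMINISTRATORS = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Enterprise Admins
CORP\\helpdesk
The command completed successfully.
"""

SAMPLE_ACCOUNT_OPERATORS = """Alias name     Account Operators
Comment        Members can administer domain user and group accounts

Members

-------------------------------------------------------------------------------
CORP\\jdoe
The command completed successfully.
"""
```

On a real host, feed `membership_drift` the captured output of `net localgroup <group>` for each group in `DOCUMENTED_DEFAULTS`; a non-empty first set names members that were granted explicitly, a non-empty second set names defaults that someone removed.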

Groups Used by Users

Windows 2000 provides many different user groups. These groups are designed to meet the needs of diverse networking environments. The user groups are Users, Domain Users, Power Users, Guests, and Domain Guests, as compared in Table 7-12.

Table 7-12 Users Group Overview

Users Group Type | Network Environment | Group Scope | Membership | Account Administration
---------------- | ------------------- | ----------- | ---------- | ----------------------
Users | Active Directory domains, domain member server, or workstation | Built-In Local, Local | Authenticated Users, Domain Users | Administrators, Account Operators
Users | Stand-alone workstation or server | Local | User account selected during installation of the operating system | Administrators
Domain Users | Active Directory domains | Global | Administrator, Guest | Administrators, Account Operators
Power Users | Domain member server or workstation | Local | Interactive; user account selected during installation of the operating system | Administrators
Power Users | Stand-alone workstation or server | Local | User account selected during installation of the operating system | Administrators
Guests | Active Directory domains | Built-In Local | Domain Guests, Guest | Administrators, Account Operators
Guests | Domain member server or workstation; stand-alone workstation or server | Local | Guest | Administrators
Domain Guests | Active Directory domains | Global | Guest | Administrators, Account Operators

Users are the people who do most of their work on a single Windows 2000 workstation. Because of this, members of the Users group have more restrictions than privileges. By default, members of the Users group can't log on locally to a Windows 2000 server acting as a domain controller. However, they can access the controller's resources over the network.

On Windows 2000 workstations, members of the Users group can log on to a workstation locally, keep a local profile, lock the workstation, and shut down the workstation. Users can also create local groups and manage those groups.

In Windows 2000 domains, the implicit Authenticated Users identity and the global group Domain Users are members of this group by default. For workgroups or isolated workstations, there are no predefined members of this group.

Domain Users is a global group for users in Active Directory domains. When you create new domain users, they're automatically added to this group. By default, the local Administrator and Guest accounts are members of this group.

Power Users exist only on computers that aren't domain controllers. Power Users have all the privileges of members of the Users group, as well as a few additional privileges, such as the capability to modify computer settings and install programs.

To give users of a Windows 2000 workstation extra control, Microsoft recommends that you make them members of the Power Users group. This allows users to perform limited administration on their workstations.

Guests are users with very limited privileges. Members of the Guests group can access the system and its resources remotely, but they can't perform most other tasks.

In Active Directory domains, the members of this group are Domain Guests and the local Guest user. On nondomain controllers, the only member is Guest.

Note: Keep in mind that any action available to the Everyone group is available to the Guests group. This means that if someone is a member of the local Guests group, that person can perform any task that anyone in the Everyone group can.

Domain Guests are users with guest privileges throughout a domain. By default, the local Guest user is a member of this group. Therefore, anytime you create a local guest account in a Windows 2000 domain, the guest user gains access to the entire domain.
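The tips in the administrator section and the Domain Users and Domain Guests paragraphs here all turn on the same mechanism: a principal inherits every right of every group it reaches through nesting. The following added Python example (not from the book) models the default direct memberships documented in Tables 7-10 and 7-12 and computes effective membership, so you can see exactly which groups the local Administrator and Guest accounts reach and what the tips' removal steps change; the group and account names are the page's own, and `without` is a helper written for this example.

```python
# Added example: effective (transitive) membership of the default Windows 2000 groups.
from collections import deque

# Direct membership as the page documents it (Tables 7-10 and 7-12): group -> direct members.
# Nested groups appear as members of other groups exactly as the text describes.
DEFAULT_NESTING = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Domain Users": {"Administrator", "Guest"},
    "Users": {"Authenticated Users", "Domain Users"},
    "Domain Guests": {"Guest"},
    "Guests": {"Domain Guests", "Guest"},
    "Account Operators": set(),
    "Server Operators": set(),
}

def effective_members(nesting, group):
    """Every principal (user or group) that is in `group` directly or through nesting."""
    seen, queue = set(), deque(nesting.get(group, ()))
    while queue:
        member = queue.popleft()
        if member in seen:
            continue
        seen.add(member)
        queue.extend(nesting.get(member, ()))  # a member may itself be a group
    return seen

def groups_of(nesting, principal):
    """Every group that `principal` effectively belongs to."""
    return {g for g in nesting if principal in effective_members(nesting, g)}

def without(nesting, group, member):
    """Copy of `nesting` with one direct membership removed (the tips' mitigation step)."""
    trimmed = {g: set(m) for g, m in nesting.items()}
    trimmed[group].discard(member)
    return trimmed

if __name__ == "__main__":
    print("Guest reaches:", sorted(groups_of(DEFAULT_NESTING, "Guest")))
    print("Administrator reaches:", sorted(groups_of(DEFAULT_NESTING, "Administrator")))
    hardened = without(DEFAULT_NESTING, "Domain Admins", "Administrator")
    hardened = without(hardened, "Enterprise Admins", "Administrator")
    print("After the tips, Administrator reaches:", sorted(groups_of(hardened, "Administrator")))
```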

Groups Used by Computers

Windows 2000 provides two groups for computer accounts. These groups are designed to set permissions for member servers, workstations, and domain controllers. The computer groups are Domain Computers and Domain Controllers, as compared in Table 7-13.

Table 7-13 Computers Group Overview

Computers Group Type | Network Environment | Group Scope | Membership | Account Administration
-------------------- | ------------------- | ----------- | ---------- | ----------------------
Domain Computers | Active Directory domains | Global | All member servers and workstations in the domain | Administrators, Account Operators
Domain Controllers | Active Directory domains | Global | All domain controllers in a domain | Administrators, Account Operators

You use Domain Computers to identify and set default permissions for member servers and workstations in a domain. By default, Domain Computers have more restrictions than they have capabilities. This configuration reflects their role in the domain environment.

You use Domain Controllers to identify and set default permissions for domain controllers in a domain. By default, Domain Controllers have more capabilities than restrictions. This configuration reflects their high-priority role in the domain environment.

Implicit Groups and Identities

Windows 2000 defines a set of special identities that you can use to assign permissions in certain situations. You usually assign permissions implicitly to special identities. However, you can assign permissions to special identities when you modify Active Directory objects. The special identities include

  • The Anonymous Logon identity Any user accessing the system through anonymous logon has the Anonymous Logon identity. This identity is used to allow anonymous access to resources, such as Web pages published on the organization's public Web servers.

  • The Authenticated Users identity Any user accessing the system through a logon process has the Authenticated Users identity. This identity is used to allow access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.

  • The Batch identity Any user or process accessing the system as a batch job (or through the batch queue) has the Batch identity. This identity is used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.

  • The Creator Group identity Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.

  • The Creator Owner identity The person who created the file or the directory is a member of this group. Windows 2000 uses this group to automatically grant access permissions to the creator of a file or directory.

  • The Dial-Up identity Any user accessing the system through a dial-up connection has the Dial-Up identity. This identity is used to distinguish dial-up users from other types of authenticated users.

  • The Enterprise Domain Controllers identity Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise using transitive trusts.

  • The Everyone identity All interactive, network, dial-up, and authenticated users are members of the Everyone group. This group is used to give wide access to a system resource.

  • The Interactive identity Any user logged on to the local system has the Interactive identity. This identity is used to allow only local users to access a resource.

  • The Network identity Any user accessing the system through a network has the Network identity. This identity is used to allow only remote users to access a resource.

  • The Proxy identity Users and computers accessing resources through a proxy have the Proxy identity. This identity is used when proxies are implemented on the network.

  • The Restricted identity Users and computers with restricted capabilities have the Restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.

  • The Self identity The Self identity refers to the object itself and allows the object to modify itself.

  • The Service identity Any service accessing the system has the Service identity. This identity grants access to processes being run by Windows 2000 services.

  • The System identity The Windows 2000 operating system itself has the System identity. This identity is used when the operating system needs to perform a system-level function.

  • The Terminal Server User identity Any user accessing the system through terminal services has the Terminal Server User identity. This identity allows terminal server users to access terminal server applications and to perform other necessary tasks with terminal services.

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
