Learn AD in 15 Minutes a Week: Active Directory Groups Page 3

By ServerWatch Staff
Posted Oct 17, 2002


Active Directory Default Group Objects

There are predefined global groups created to group common types of user accounts on Windows 2000 domain controllers.

By default, Windows 2000 automatically adds specific members to some predefined global groups. System administrators can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group.

Domain Admins: Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group so that members of Domain Admins can perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member. Also, any computer that joins the domain automatically places the Domain Admins group in the Administrators local group.

Domain Guests: Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group. By default, the Guest account is a member.

Domain Users: Windows 2000 automatically adds Domain Users to the Users built-in domain local group. By default, the Administrator, Guest, IUSR_computername, IWAM_computername, Krbtgt, and TsInternetUser accounts are initially members, and each new domain user account is automatically made a member.

Enterprise Admins: Windows 2000 allows you to add user accounts to Enterprise Admins for users who require administrative control for the entire network, and then adds Enterprise Admins to the Administrators domain local group in each domain. By default, the Administrator account is a member.

Windows 2000 also creates built-in domain local groups in each Active Directory domain. These groups provide all included users with specific user rights and permissions to perform tasks and are set up with predefined rights and permissions.

The most commonly used built-in domain local groups and their default properties are as follows:

  • Account Operators: Members of the built-in Account Operators domain local group are allowed by default to create, delete, and modify user and group objects; members cannot modify the Administrators group or any of the operators groups.
  • Administrators: Members of the built-in Administrators domain local group are allowed by default to perform all administrative tasks on all domain controllers and on the domain itself. By default, the Administrator user object and the Domain Admins and Enterprise Admins predefined global groups are members.
  • Backup Operators: Members of the built-in Backup Operators domain local group are allowed by default to back up and restore all domain controllers using Windows Backup.
  • Guests: Members of the built-in Guests domain local group can by default perform only tasks for which you have granted rights; members can gain access only to resources for which you have assigned permissions. Members cannot make permanent changes to their desktop environment. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.
  • Pre-Windows 2000 Compatible Access: This built-in domain local group is a backward-compatibility group that provides read access for all users and groups in the domain. When you select the Permissions Compatible With Pre-Windows 2000 Servers option in the Active Directory Installation Wizard, the Everyone pre-Windows 2000 system group is made a member.
  • Print Operators: Members of the built-in Print Operators domain local group are allowed by default to set up and manage network printers on domain controllers.
  • Replicator: This built-in domain local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
  • Server Operators: Members of the built-in Server Operators domain local group are allowed by default to share disk resources and back up and restore files on a domain controller.
  • Users: Members of the built-in Users domain local group are allowed by default to perform only tasks for which you have granted rights, and they can access only the resources for which you have assigned permissions. By default, the Authenticated Users and Interactive pre-Windows 2000 groups, and the Domain Users predefined global group are members. Use this group to assign permissions and rights that every user with an account in your domain should have.
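
Because Domain Admins and Enterprise Admins are nested inside Administrators (and Domain Guests inside Guests), an account added to one of the global groups also inherits the built-in group's rights. The following is an added example, not part of the original article: it compares an exported membership list against the defaults listed on this page and reports direct and inherited additions. The SAMPLE export, the accounts jsmith and tempadmin, and the function names are assumptions for illustration, and every group is assumed to appear as a key in the export.

```python
# Default direct members, as listed in the group descriptions on this page.
BASELINE = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Guests": {"Guest", "IUSR_computername", "IWAM_computername",
               "TsInternetUser", "Domain Guests"},
    "Domain Guests": {"Guest"},
}

def effective_users(group, membership, _seen=None):
    """Expand nested groups; return the user accounts that end up in `group`."""
    seen = set() if _seen is None else _seen
    if group in seen:                      # circular nesting: stop here
        return set()
    seen.add(group)
    users = set()
    for member in membership.get(group, set()):
        if member in membership:           # member is itself a group
            users |= effective_users(member, membership, seen)
        else:
            users.add(member)
    return users

def audit(membership, baseline=BASELINE):
    """Report groups whose direct or inherited membership exceeds the defaults."""
    findings = {}
    for group, default in baseline.items():
        added = membership.get(group, set()) - default
        extra = (effective_users(group, membership)
                 - effective_users(group, baseline))
        if added or extra:
            findings[group] = {"added_direct": sorted(added),
                               "extra_effective_users": sorted(extra)}
    return findings

# Constructed sample export: group -> direct members.
# "jsmith" and "tempadmin" are made-up accounts.
SAMPLE = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator", "jsmith"},
    "Enterprise Admins": {"Administrator"},
    "Guests": {"Guest", "IUSR_computername", "IWAM_computername",
               "TsInternetUser", "Domain Guests"},
    "Domain Guests": {"Guest", "tempadmin"},
}

if __name__ == "__main__":
    for group, finding in audit(SAMPLE).items():
        print(group, finding)
```

In the sample, Administrators shows no direct change, yet jsmith is reported as an inherited member through Domain Admins, which a review of the Administrators group alone would miss.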

Windows 2000 stand-alone servers, member servers, and computers running the Windows 2000 Professional and Windows XP Professional desktop operating systems all have built-in local groups that give users the rights to perform specific preconfigured system tasks on the local system. By default, built-in local groups are located in the \Groups folder of the Local Users and Groups snap-in, which is part of the Computer Management console on every computer running Windows 2000 and Windows XP and on all Windows 2000 stand-alone and member servers.
