
Learn AD in 15 Minutes a Week: Active Directory Groups Page 4

By ServerWatch Staff
Posted Oct 17, 2002


The most commonly used built-in local groups and their default properties are as follows:

  • Administrators: Members of the built-in Administrators local group are allowed by default to perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Microsoft Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Admins predefined global group to the local Administrators group.
  • Backup Operators: Members of the built-in Backup Operators local group are allowed by default to use Windows Backup to back up and restore the local system.
  • Guests: Members of the built-in Guests local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member. When a member server or a computer running Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Guests predefined global group to the local Guests group.
  • Power Users: Members of the built-in Power Users local group are allowed by default to create and modify user accounts on the local system and share resources on the local system.
  • Replicator: This built-in local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
  • Users: Members of the built-in Users local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions. By default, Windows 2000 adds to the Users group local user accounts that you create on the computer. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Users predefined global group to the local Users group.

Special identity groups do not have specific memberships that Administrators directly modify, but they represent different users at different times, depending on how a user accesses a given system or resource on that system. Special identity groups are not found in the Local Computers and Users or Active Directory Users and Computers MMC (Microsoft Management Console) snap-ins for direct administration, but these groups are available for use when you assign rights and permissions to resources.

The most commonly used special identity groups and their default properties are as follows:

  • Anonymous Logon special identity group includes any user account that Windows 2000 did not authenticate to the local system, such as an anonymous FTP user.

  • Authenticated Users special identity group includes all users with a valid user account on the computer or in Active Directory service. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

  • Creator Owner special identity group includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is owner of the resource.

  • Dialup special identity group includes any user who currently has a dial-up connection to the local system.

  • Everyone special identity group includes all users who access the computer. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 authenticates as Guest a user who does not have a valid user account. The user automatically gets all rights and permissions that you have assigned to the Everyone group. The Everyone group is assigned full control to many resources by default.

  • Interactive special identity group includes the user account for the user who is logged on at the local system console. Members of the Interactive group gain access to resources on the computer at which they are physically located.

  • Network special identity group includes any user with a current connection from another computer on the network to a shared resource on the computer.
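
The Everyone and Anonymous Logon entries above translate into a concrete check: find allow ACEs granted to those identities and see whether the Guest account is enabled. The script below is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later (for `Get-LocalUser`), and the `C:\Shares` path and the `Get-BroadAce` function name are placeholders chosen for illustration.

```powershell
# Added example: audit a directory tree for ACEs that grant access to the
# broad special identities discussed above.
param(
    [string]$Path = 'C:\Shares'   # assumption: replace with the tree to audit
)

# Well-known SIDs are matched instead of names so the check works on localized systems.
$broadSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-BroadAce {
    param([string]$Root, [hashtable]$Sids)

    # Include the root itself, then everything beneath it.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or unresolvable identity
            if ($Sids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $Sids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# The Everyone caveat matters most when the built-in Guest account (RID 501) is enabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest.Enabled) { Write-Warning 'Built-in Guest account is enabled.' }

Get-BroadAce -Root $Path -Sids $broadSids | Sort-Object Path | Format-Table -AutoSize
```

Entries with `Inherited` set to False are where the grant was made explicitly; those are the ACEs to replace with Authenticated Users, as the list above recommends.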


Well, that wraps up this section of 'Learn Active Directory Design and Administration in 15 Minutes a Week.'

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write solid technical articles that appeal to a large range of readers and skill levels, and I can only be sure of that through your feedback.

Until next time, best of luck in your studies and remember,


"Clones are people two."


Jason Zandri
Jason@Zandri.net
www.2000trainers.com


Page 4 of 4

