Using Default Group Accounts

The default group accounts are designed to be versatile. By assigning users to the correct groups, you can make managing your Windows Server 2003 workgroup or domain a lot easier. Unfortunately, with so many different groups, understanding the purpose of each isn't easy. To help, let's take a closer look at groups used by administrators and groups that are implicitly created.

Groups Used by Administrators

An administrator is someone who has wide access to network resources. Administrators can create accounts, modify user rights, install printers, manage shared resources, and more. The main administrator groups are Administrators, Domain Admins, and Enterprise Admins, as compared in Table 8-8.

Table 8-8. Administrator Groups Overview

Administrator Group Type | Network Environment | Group Scope | Membership | Account Administration
--- | --- | --- | --- | ---
Administrators | Active Directory domains | Domain Local | Administrator, Domain Admins, Enterprise Admins | Administrators
Administrators | Workgroups, computers not part of a domain | Local | Administrator | Administrators
Domain Admins | Active Directory domains | Global | Administrator | Administrators
Enterprise Admins | Active Directory domains | Global or Universal | Administrator | Administrators

Tip: The local user Administrator and the global groups Domain Admins and Enterprise Admins are members of the Administrators group. The Administrator user membership is used to access the local computer. The Domain Admins membership allows other administrators to access the system from elsewhere in the domain. The Enterprise Admins membership allows other administrators to access the system from other domains in the current domain tree or forest. To prevent enterprise-wide access to a domain, you can remove Enterprise Admins from this group.

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it's a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.

Tip: In a Windows Server 2003 domain, the Administrator local user is a member of Domain Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to all resources in the domain. To prevent this, you can remove the local Administrator account from the Domain Admins group.

Enterprise Admins is a global group designed to help you administer all the computers in a domain tree or forest. This group has administrative control over all computers in the enterprise because it's a member of the Administrators group by default. To make someone an administrator for the enterprise, make that person a member of this group.

Tip: In a Windows Server 2003 domain, the Administrator local user is a member of Enterprise Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to the domain tree or forest. To prevent this, you can remove the local Administrator account from the Enterprise Admins group.

Implicit Groups and Identities

Windows Server 2003 defines a set of special identities that you can use to assign permissions in certain situations. You usually assign permissions implicitly to special identities. However, you can assign permissions to special identities when you modify Active Directory objects. The special identities include:
- The Anonymous Logon identity: Any user accessing the system through anonymous logon has the Anonymous Logon identity. This identity is used to allow anonymous access to resources, such as a Web page published on the corporate presence servers.
- The Authenticated Users identity: Any user accessing the system through a logon process has the Authenticated Users identity. This identity is used to allow access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
- The Batch identity: Any user or process accessing the system as a batch job (or through the batch queue) has the Batch identity. This identity is used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.
- The Creator Group identity: Windows Server 2003 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.
- The Creator Owner identity: The person who created the file or the directory is a member of this group. Windows Server 2003 uses this group to automatically grant access permissions to the creator of a file or directory.
- The Dial-Up identity: Any user accessing the system through a dial-up connection has the Dial-Up identity. This identity is used to distinguish dial-up users from other types of authenticated users.
- The Enterprise Domain Controllers identity: Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise using transitive trusts.
- The Everyone identity: All interactive, network, dial-up, and authenticated users are members of the Everyone group. This group is used to give wide access to a system resource.
- The Interactive identity: Any user logged on to the local system has the Interactive identity. This identity is used to allow only local users to access a resource.
- The Network identity: Any user accessing the system through a network has the Network identity. This identity is used to allow only remote users to access a resource.
- The Proxy identity: Users and computers accessing resources through a proxy have the Proxy identity. This identity is used when proxies are implemented on the network.
- The Restricted identity: Users and computers with restricted capabilities have the Restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.
- The Self identity: The Self identity refers to the object itself and allows the object to modify itself.
- The Service identity: Any service accessing the system has the Service identity. This identity grants access to processes being run by Windows Server 2003 services.
- The System identity: The Windows Server 2003 operating system itself has the System identity. This identity is used when the operating system needs to perform a system-level function.
- The Terminal Server User identity: Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows terminal server users to access terminal server applications and to perform other necessary tasks with Terminal Services.
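The three default nestings that the administrator-group tips above suggest reviewing (Enterprise Admins inside Administrators, and the Administrator account inside Domain Admins and Enterprise Admins) can be audited before deciding which to remove. The following PowerShell script is an added example, not from the book; it assumes a domain-joined machine, Windows PowerShell with the System.DirectoryServices classes available, and an account permitted to read group membership from Active Directory.

```powershell
# Added audit script (not from the book). Reports whether each default nesting
# described in the text is still present, so an administrator can review it.

function Get-AdGroupMemberDns([string]$GroupName) {
    # Returns the distinguishedNames held in the group's "member" attribute,
    # searched from the default naming context of the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(cn=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add("member")
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return @() }
    return @($hit.Properties["member"])
}

function Test-IsDirectMember([string]$GroupName, [string]$MemberCn) {
    # True when the group lists an object whose DN starts with CN=<MemberCn>,
    # (direct membership only; nested membership is not expanded here).
    $prefix = "CN=$MemberCn,"
    foreach ($dn in Get-AdGroupMemberDns $GroupName) {
        if ("$dn".StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# The default memberships the text calls out; all three are present by default.
$checks = @(
    @{ Group = "Administrators";    Member = "Enterprise Admins"; Note = "forest-wide admins control this domain" },
    @{ Group = "Domain Admins";     Member = "Administrator";     Note = "Administrator logon has domain-wide access" },
    @{ Group = "Enterprise Admins"; Member = "Administrator";     Note = "Administrator logon has forest-wide access" }
)

foreach ($c in $checks) {
    if (Test-IsDirectMember $c.Group $c.Member) { $state = "PRESENT" } else { $state = "absent " }
    "{0}  {1,-18} in {2,-17} ({3})" -f $state, $c.Member, $c.Group, $c.Note
}
```

A line marked PRESENT matches the book's default; remove the membership only after confirming, as the tips advise, that the access it grants is not needed.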