User Groups


User groups allow a system administrator to create classes of users sharing common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user can belong to one group, more than one group, or no group at all.
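The Accounting and Payables scenario above can be carried out from a Windows 2000 command prompt with the built-in net localgroup and cacls commands. The batch file below is an added example, not part of the original book text; the user names alice and bob and the path C:\Payables are hypothetical, and the folder is assumed to be on an NTFS volume.

```batch
@echo off
rem Added example: the Accounting / Payables scenario from the text.
rem alice, bob and C:\Payables are hypothetical names; the folder must be on NTFS.
rem Run this from an account that belongs to the Administrators group.

rem 1. Create the local group. This step fails if the group already exists.
net localgroup Accounting /add /comment:"Accounting department staff"
if errorlevel 1 goto failed

rem 2. Add the department's existing user accounts to the group.
net localgroup Accounting alice bob /add
if errorlevel 1 goto failed

rem 3. Grant the group Change access to the folder.
rem    /E edits the existing ACL instead of replacing it.
rem    /T applies the change to files and subfolders as well.
cacls C:\Payables /T /E /G Accounting:C

rem 4. Verify the result: the group's members and the folder's ACL.
net localgroup Accounting
cacls C:\Payables

rem 5. Rights are cumulative, so also review who belongs to the
rem    predefined groups that carry more than base-level privileges.
for %%G in (Administrators "Power Users" "Backup Operators") do net localgroup %%G
goto :eof

:failed
echo A step failed. Review the messages above before continuing.
exit /b 1
```

Without /E, cacls replaces the folder's entire ACL with the single entry given, which would remove every other account's access.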

Groups are a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. But even if you're not an administrator, you're likely to work with groups if you assign permissions to files that you own on an NTFS volume. See "Securing Files."

Permissions and rights are cumulative. That means that if a user belongs to more than one group, he or she enjoys all the privileges accorded to each of those groups. For more information, see "How Permissions Conflicts Are Resolved."

For convenience, Windows 2000 provides a number of predefined, standard groups: Administrators, Power Users, Users, Guests, Backup Operators, Replicator, and several special system groups. Each of these groups has various privileges associated with it by default. Administrators can use the predefined groups exactly as Windows 2000 provides them, or they can make adjustments as needed. Here is an overview of the predefined groups.

Administrators Group

The Administrators group, which includes the Administrator account by default, has more control over the system than any other user group. (In fact, members of the Administrators group can grant themselves any right that the group or the user account doesn't have by default.) All accounts in the Administrators group automatically receive the privileges reserved for the system administrator.

Although members of the Administrators group have maximum control, it is possible for a user to create a file that an Administrators group member can't access by normal means. The NTFS file system allows users to deny access to particular users or user groups, including the Administrators group. An administrator thus restrained can access the file only by assuming ownership of it, and that action generates an entry in the system event log. See "Taking Ownership of a File or Folder."

Power Users Group

The Power Users group is intended for those who need many, but not all, of the privileges of the Administrators group. Power Users can't take ownership of files, back up or restore files, load or unload device drivers, or manage the security and auditing logs. Unlike ordinary users, however, Power Users can create and delete file shares; create, manage, delete, and share local printers; and create local users and groups.

Users Group

The Users group is a catchall group. It provides base-level access to the system. Members of the Users group can't share folders or create local printers (unless they also happen to be members of the Power Users or Administrators group). Except for the special Administrator and Guest accounts, all user accounts are members of the Users group by default. Usually, the great majority of users are members of the Users group and no other.

NOTE
When a Windows 2000 computer participates in a domain, the Users group includes all members of the Domain Users global group. This means that anyone accessing your system over the network from another computer in your domain enjoys the same privileges as members of the Users group on your own system.

NOTE
Members of the Users group don't have sufficient privileges to run some older programs that don't conform to Windows 2000 standards. If you find a program that can't be run by Users but can be run by Power Users, check with the publisher to see whether they have a Windows 2000-compliant version, or add the users who need the program to the Power Users group.

Guests Group

The built-in Guest account is automatically a member of the Guests group. Users who log on infrequently are also good candidates for the Guests group. Privileges granted to regular, well-known users of the system (who are usually members of the Users group) can be withheld from members of the Guests group. This limits these users' access and improves security.

Backup Operators Group

Members of the Backup Operators group have the right to back up and restore folders and files—even ones that they don't otherwise have permission to access. Backup operators also have access to Windows 2000 Backup. For information on backing up, see Chapter 29, "Protecting Your Data with Backup."

Replicator Group

Members of the Replicator group can manage the replication of files on the domain, workstation, or server. (File replication is beyond the scope of this book.)

System Groups

Windows 2000 maintains several special system groups. Windows controls the membership of these groups; administrators can't specify who should or should not be in them. These groups aren't displayed in Local Users And Groups, but they appear in certain other group lists, such as the one you see when you apply permissions to a shared folder or shared printer. You won't have occasion to use most of these, but you should be aware of two in particular:

  • Everyone. A group containing anyone who uses the computer, including both local and remote users.
  • Authenticated Users. A subset of Everyone that excludes the Guest user and users who anonymously access the computer across a network; by default, the Authenticated Users group is a member of the Users group.

Other system groups comprise users depending on how they connect to your system, such as Interactive (users who log on locally), Network (users who access the computer through the network), and Dialup (users who connect to your computer via a dial-up connection).



Running Microsoft Windows 2000 Professional
ISBN: 1572318384
EAN: 2147483647
Year: 2000
Pages: 317
