Windows 2000 User Groups

Windows 2000 User Groups

You need to understand several concepts about user groups in Windows 2000/.NET before you begin to create them. Groups are helpful because they simplify administrative tasks when you have groups of users that must be treated similarly when it comes to rights and permissions. Second, because groups can be limited in scope, they can be useful for security purposes, limiting the computers or domains in which a user can be granted access.

Choosing a Group Based on the Group 's Scope

Groups each have a scope, which is basically the area of the domain or global forest that the group covers. By having several types of groups, each with its own particular kind of membership and scope, you can put together combinations that should solve most of your administrative needs for managing users with similar needs. The types of groups, and the scope implied by each, are as listed here:

• Domain local group These groups are limited to just the domain in which they are created. Users can be placed into these groups for local domain management purposes.

• Global group These groups are made up of users or groups from a single domain but are used to grant access for the members of the group in other trusted domains. Think of this as a way to "export" users to allow them access to resources in other domains.

• Universal group This type of group can contain user accounts and global group accounts from any trusted domain that exists in the Active Directory forest. This is similar to a global group but allows members of the group to be granted permission to resources in domains throughout the entire forest.

As described previously, groups can be members of other groups just like users, and this is where things can become a little complicated. For example, a domain local scope group can have the following as members:

• Groups that have global scope You place the global group into a local group and then manage the local group when granting rights and permissions.

• Groups that have universal scope Again, you can place universal scope groups into a local group and then use the local group for management purposes.

• Groups with domain local scope Other domain local scope groups can be placed in a domain local scope group.

• User accounts You can put individual users into a group with domain local scope.

Note that the domain local group does not have to have just one of the preceding groups (or users) as its members. You can combine any of the preceding and place them into a single domain local scope group, and then use the group to manage the members of these other groups locally in your domain.

A domain local group is a very useful management tool. For example, if you have a particular resource that several users share, place the users in the group and grant the group the necessary access to the resource. The resource can be a folder or a file, or perhaps a printer. If the resource changes in the future (for example, you decide to use a new file server for a particular set of files), you have to change permissions only on the group to let the group members access the new resource. Otherwise, you'd have to modify the permissions for each individual user, which in a large environment can be an almost impossible task if your network changes frequently.

Unlike domain local groups, global groups can have as members only users or other groups from within a single domain. Yet global groups can be granted access to resources in other trusted domains. This enables you to package a group of users that need similar treatment in other domains when it comes to resource permissions.

Universal groups also can be used to grant permissions in multiple domainsthroughout the forest of domain trees. Note that these groups are available only if you have an Active Directory structure that is part of a multidomain forest. They serve no purpose in a single-domain tree because domain local groups and global groups provide the necessary functions in a single-domain tree.

The membership of a universal group should not change on a frequent basis. This is because when a universal scope group's membership changes, the entire list of members is replicated to every global catalog in the forest of trees. Use universal groups for grouping users and other groups that are more stable in membership. Although global groups enable you to create groups of users and other groups that can be granted access in trusted domains, their membership must come from a single domain. To make managing a universal group easier, first place users into global groups in their own domains, and then place these global groups into a universal group. Thus, when the membership of a global group changes, there is no need to replicate the universal group membership to every other global catalog. Only the global group has changed. The universal group has as its member the global group, not the individual users who come and go from the global group.

Built-In Groups

There are several kinds of built-in groups, depending on where you look in the directory structure. For example, in Figure 37.10 you can see the list of groups found under the Built-in folder. Simply click the Built-in folder and you'll see the list of built-in domain local groups. As the name implies, each group was designed to give the access permissions to perform specific types of administrative jobs.

The domain local scope built-in groups can include the following:

• Account Operators Users placed into this group can perform account management duties , such as creating new users.

• Administrators This is the most powerful group. Members of this group can do just about anything they want in the domain, including taking ownership of files and creating user accounts.

• Backup Operators Members of this group get the access rights needed to perform backups on computers in the domain.

• Guests A guest group, which can be used to grant very limited access to users from other domains.

• Incoming Forest Trust Builders Users in this group can create incoming trust relationships from other forests. Keep in mind that trust relations in the Active Directory are transitive but must be established manually between Active Directory trees in the forest.

• Network Configuration Operators This group allows users to manage some aspects of network configuration.

• Performance Log Users Members of this group can schedule logging of performance monitors on this computer, from a remote computer.

• Performance Monitor Users This user group can monitor performance on this computer from a remote computer.

• PreWindows 2000 Compatible Access This group is meant for preWindows 2000 users to enable them to have read access for users and groups in the domain stored in the Active Directory.

• Print Operators You guessed it: Members of this group can control printers and print jobs.

• Remote Desktop Users Users in this group can log in to this computer from a remote computer.

• Replicator Used by services responsible for replication.

• Server Operators Members of this group can perform tasks on specific servers.

• Users A built-in group for ordinary users in the domain, which can run applications, but not make systemwide configuration changes.

In addition to these built-in groups, you can click on the Users folder and see a list of predefined groups, which also can be used to organize users. These are global scope groups, so you can use them to organize users and computers, and then place them in domain scope groups in the current domain or in other domains. If none of the following group names fits your needs, you can create your own groups, which we'll look at next .

The Predefined groups found in the Users folder are listed here:

• Cert Publishers Users can publish certificates to the Active Directory.

• DHCP Administrator Members can administer the DHCP service.

• DHCP Users Members of this group have view-only access to the DHCP service.

• DnsAdmins The DNS Administrators group who can manage the DNS service.

• DnsUpdateProxy This group allows members to update the Domain Name System (DNS) service for other clients , such as a DHCP server.

• Domain Admins Users who administer the domain.

• Domain Computers All workstations and servers joined to the domain.

• Domain Controllers Every domain controller in this domain is a member of this group.

• Domain Guests Members are guests in the domain, with limited access.

• Domain Users All members of the domain.

• Enterprise Admins Members can administer the entire enterprise.

• Group Policy Creator Owners These users can modify the group policy for a domain.

• HelpServicesGroup Users that provide help via the Help and Support Center.

• IIS_WPG Members who manage the Internet Information Server.

• PasswordPropDeny Members of this group should not have their password synchronized.

• RAS and IAS Servers Servers that are members of this group can access the remote access properties of users.

• Schema Admins Administrators of the Active Directory schema.

• Terminal Server Computers Computers that can communicate with the Terminal Services License server.

• WINS Users Members of this group have view-only access to the WINS server.

In general, the groups you'll use most in the list will probably be the Domain Computers and Domain Users groups. By default, when you create a user account, the new account is placed automatically into the Domain Users group. Likewise, when you add a computer to the domain, the computer is automatically placed into the Domain Computers group. Looking at the domain from an overall picture, you can use these two groups when you want to make changes that apply to all users or all computers in a domain. The Domain Admins group can be used to give selected individuals administrator-level rights in a domain. It is always a good idea to not use the actual built-in Administrator account for a domain. Instead, create individual accounts for each user, and then place the user into one or more groups that give him the access he needs. If you need to grant a user administrator-level rights, just place him into the Domain Admins groups.

The other groups will depend on the services you have installed. Some may not appear if you have not installed that service (such as DHCP).

A few notes about these predefined groups in the Users folder:

• The Domain Users group is a member of the domain's Users group (the one located in the Builtin folder).

• The Domain Admins group is automatically a member of the Administrator's group in the Builtin folder.

• The Domain Guests group is automatically placed into the Guests group in the Builtin folder.

Note

User Profiles are never cached locally on any system for members of any out-of-the-box Guest groups.