Windows 2000 User Groups

You need to understand several concepts about user groups in Windows 2000/.NET before you begin to create them. Groups are helpful because they simplify administrative tasks when you have groups of users that must be treated similarly when it comes to rights and permissions. Second, because groups can be limited in scope, they can be useful for security purposes, limiting the computers or domains in which a user can be granted access.

Choosing a Group Based on the Group's Scope

Groups each have a scope, which is basically the area of the domain or global forest that the group covers. By having several types of groups, each with its own particular kind of membership and scope, you can put together combinations that should solve most of your administrative needs for managing users with similar needs. The types of groups, and the scope implied by each, are as listed here:

• Domain local group These groups are limited to just the domain in which they are created. Users can be placed into these groups for local domain management purposes.

• Global group These groups are made up of users or groups from a single domain but are used to grant access for the members of the group in other trusted domains. Think of this as a way to "export" users to allow them access to resources in other domains.

• Universal group This type of group can contain user accounts and global group accounts from any trusted domain that exists in the Active Directory forest. This is similar to a global group but allows members of the group to be granted permission to resources in domains throughout the entire forest.

As described previously, groups can be members of other groups just like users, and this is where things can become a little complicated. For example, a domain local scope group can have the following as members:

• Groups that have global scope You place the global group into a local group and then manage the local group when granting rights and permissions.

• Groups that have universal scope Again, you can place universal scope groups into a local group and then use the local group for management purposes.

• Groups with domain local scope Other domain local scope groups can be placed in a domain local scope group.

• User accounts You can put individual users into a group with domain local scope.

Note that the domain local group does not have to have just one of the preceding groups (or users) as its members. You can combine any of the preceding and place them into a single domain local scope group, and then use the group to manage the members of these other groups locally in your domain.

A domain local group is a very useful management tool. For example, if you have a particular resource that several users share, place the users in the group and grant the group the necessary access to the resource. The resource can be a folder or a file, or perhaps a printer. If the resource changes in the future (for example, you decide to use a new file server for a particular set of files), you have to change permissions only on the group to let the group members access the new resource. Otherwise, you'd have to modify the permissions for each individual user, which in a large environment can be an almost impossible task if your network changes frequently.

Unlike domain local groups, global groups can have as members only users or other groups from within a single domain. Yet global groups can be granted access to resources in other trusted domains. This enables you to package a group of users that need similar treatment in other domains when it comes to resource permissions.

Universal groups also can be used to grant permissions in multiple domainsthroughout the forest of domain trees. Note that these groups are available only if you have an Active Directory structure that is part of a multidomain forest. They serve no purpose in a single-domain tree because domain local groups and global groups provide the necessary functions in a single-domain tree.

The membership of a universal group should not change on a frequent basis. This is because when a universal scope group's membership changes, the entire list of members is replicated to every global catalog in the forest of trees. Use universal groups for grouping users and other groups that are more stable in membership. Although global groups enable you to create groups of users and other groups that can be granted access in trusted domains, their membership must come from a single domain. To make managing a universal group easier, first place users into global groups in their own domains, and then place these global groups into a universal group. Thus, when the membership of a global group changes, there is no need to replicate the universal group membership to every other global catalog. Only the global group has changed. The universal group has as its member the global group, not the individual users who come and go from the global group.

Built-In Groups

There are several kinds of built-in groups, depending on where you look in the directory structure. For example, in Figure 37.10 you can see the list of groups found under the Built-in folder. Simply click the Built-in folder and you'll see the list of built-in domain local groups. As the name implies, each group was designed to give the access permissions to perform specific types of administrative jobs.

Figure 37.10. The Builtin folder contains a collection of domain local scope groups you can use.

The domain local scope built-in groups can include the following:

• Account Operators Users placed into this group can perform account management duties, such as creating new users.

• Administrators This is the most powerful group. Members of this group can do just about anything they want in the domain, including taking ownership of files and creating user accounts.

• Backup Operators Members of this group get the access rights needed to perform backups on computers in the domain.

• Guests A guest group, which can be used to grant very limited access to users from other domains.

• Incoming Forest Trust Builders Users in this group can create incoming trust relationships from other forests. Keep in mind that trust relations in the Active Directory are transitive but must be established manually between Active Directory trees in the forest.

• Network Configuration Operators This group allows users to manage some aspects of network configuration.

• Performance Log Users Members of this group can schedule logging of performance monitors on this computer, from a remote computer.

• Performance Monitor Users This user group can monitor performance on this computer from a remote computer.

• PreWindows 2000 Compatible Access This group is meant for preWindows 2000 users to enable them to have read access for users and groups in the domain stored in the Active Directory.

• Print Operators You guessed it: Members of this group can control printers and print jobs.

• Remote Desktop Users Users in this group can log in to this computer from a remote computer.

• Replicator Used by services responsible for replication.

• Server Operators Members of this group can perform tasks on specific servers.

• Users A built-in group for ordinary users in the domain, which can run applications, but not make systemwide configuration changes.

In addition to these built-in groups, you can click on the Users folder and see a list of predefined groups, which also can be used to organize users. These are global scope groups, so you can use them to organize users and computers, and then place them in domain scope groups in the current domain or in other domains. If none of the following group names fits your needs, you can create your own groups, which we'll look at next.

The Predefined groups found in the Users folder are listed here:

• Cert Publishers Users can publish certificates to the Active Directory.

• DHCP Administrator Members can administer the DHCP service.

• DHCP Users Members of this group have view-only access to the DHCP service.

• DnsAdmins The DNS Administrators group who can manage the DNS service.

• DnsUpdateProxy This group allows members to update the Domain Name System (DNS) service for other clients, such as a DHCP server.

• Domain Admins Users who administer the domain.

• Domain Computers All workstations and servers joined to the domain.

• Domain Controllers Every domain controller in this domain is a member of this group.

• Domain Guests Members are guests in the domain, with limited access.

• Domain Users All members of the domain.

• Enterprise Admins Members can administer the entire enterprise.

• Group Policy Creator Owners These users can modify the group policy for a domain.

• HelpServicesGroup Users that provide help via the Help and Support Center.

• IIS_WPG Members who manage the Internet Information Server.

• PasswordPropDeny Members of this group should not have their password synchronized.

• RAS and IAS Servers Servers that are members of this group can access the remote access properties of users.

• Schema Admins Administrators of the Active Directory schema.

• Terminal Server Computers Computers that can communicate with the Terminal Services License server.

• WINS Users Members of this group have view-only access to the WINS server.

In general, the groups you'll use most in the list will probably be the Domain Computers and Domain Users groups. By default, when you create a user account, the new account is placed automatically into the Domain Users group. Likewise, when you add a computer to the domain, the computer is automatically placed into the Domain Computers group. Looking at the domain from an overall picture, you can use these two groups when you want to make changes that apply to all users or all computers in a domain. The Domain Admins group can be used to give selected individuals administrator-level rights in a domain. It is always a good idea to not use the actual built-in Administrator account for a domain. Instead, create individual accounts for each user, and then place the user into one or more groups that give him the access he needs. If you need to grant a user administrator-level rights, just place him into the Domain Admins groups.

The other groups will depend on the services you have installed. Some may not appear if you have not installed that service (such as DHCP).

A few notes about these predefined groups in the Users folder:

• The Domain Users group is a member of the domain's Users group (the one located in the Builtin folder).

• The Domain Admins group is automatically a member of the Administrator's group in the Builtin folder.

• The Domain Guests group is automatically placed into the Guests group in the Builtin folder.

Note

User Profiles are never cached locally on any system for members of any out-of-the-box Guest groups.

Some of the other groups listed here also can be used to organize users and grant them access to resources on a group basis. However, you can always create your own group and tailor the rights and permissions for the group to match your exact needs.

Creating a New User Group

To start the process, click Action, New, Group. In Figure 37.11, you can see the dialog box that pops up to allow you to enter basic information about the group, such as the new group's name, the scope (Domain Local or Global), and the type (Security or Distribution).

These are the differences between these two types of groups:

• Security groups are used to manage user access and permissions. Users and other groups can be members of a security group. This is the sort of group discussed so far in this chapter.

• Distribution groups are used for functions such as grouping users for other purposes, such as email. These groups cannot be used to grant access to resources.

You can probably guess that after you fill in the basic information and click OK, the group is immediately created. In the example, a group was in the Users folder. Just as with User objects and Computer objects in the Active Directory, you can now bring up a properties page for the group and from there configure additional attributes for the group.

Right-click on the group and select Properties. You also can highlight the group and select Properties from the Action menu. In Figure 37.12 you can see an example of the properties page for the group we just created.

Here you can see fields that allow you to input a description of what the group is used for, as well as an email address that can be used to send email to members of the group. Additionally, you can put in notes about the group that might be helpful in the future. For example, you might create a group to be used only for a short period. You can put notes here to remind yourself to remove the group later.

Two other tabs relate to group membership. The first tab, Members, lists current members of the group. On this tab you can click the Add button to bring up a dialog box to use for adding other users or groups to the group. The Member Of tab displays groups of which this particular group itself is a member. You also can use the Add button on this property sheet tab to add the group to other groups.

Finally, the Managed By tab is similar to that discussed earlier, and is used to define a responsible contact person for this group.

Other Things You Can Do with the Active Directory Computers and Users Snap-In

This utility is not as simple as the User Manager for Domains that was included in previous versions of Windows NT. However, most of the additional functions for which you can use this utility don't directly relate to user or computer management, so it's not relatively important to go into the nitty-gritty details. For example, you can create organizational units and use them to further subdivide the objects managed in your domain.

There are other tools you'll find in the Administrative Tools folder that again don't relate directly to user or computer management, but you should be aware of them in case they are used at your site. Some of these utilities won't show up in your Administrative Tools folder unless you've already installed the prerequisite software. For example, the DHCP manager MMC snap-in won't be there if you haven't installed a DHCP service on the server.

Some of the more popular tools include the following:

• Active Directory Domains and Trusts This utility manages trust relationships. The User Manager for Domains formerly handled that job.

• Component Services This selection allows you to configure COM+ applications.

• Event Viewer Use this standard utility to review the system, security, and application log files. It's similar to its Windows NT 4.0 predecessor but uses the MMC console instead.

• DHCP This snap-in enables you to manage the DHCP service on the local server. If a user's computer is having problems communicating on the network, you can check the DHCP logs to see whether the client has obtained a valid IP address.

• DNS This snap-in will be present if the server is running the DNS service. This service is used by computers on the network to locate both domain controllers (for authentication purposes) and other resources on the network.

• Computer Management Use this tool to manage services and other aspects of your server. You can defragment disk drives, see system information, and use the Event Viewer, among other things.

• Distributed File System This will show up if you've installed the Distributed File System.

• Internet Services Manager IIS can be installed on Windows 2000/2003 servers. This tool can be used to manage the IIS services, as well as to set up printers for the Internet Printing Protocol (IPP). You can also choose to install IIS later if you want to put it off until you have installed the operating system and then want to choose which servers to use for IIS.

There are many other administrative tools you can use, from the Performance Monitor (and Network Monitor) to utilities used to manage Terminal Services. If you are using components that are not part of the default installation, be sure to examine the administrative tools to find an MMC snap-in utility for those components.