When you grant rights to domain users, the best practice is to use the AGDLP method. This means that you place Accounts in Global groups. Then you place the Global groups into Domain Local groups, to which you grant (or deny) Permissions.
When a permission is explicitly denied to a user or group, even if the user is a member of another group where the same permission is explicitly granted, the Deny permission overrides all others and the user is not allowed access.
Whenever a user requests authorization to use a prohibited object or resource, the user sees an Access Is Denied message.
Table 26 lists Windows XP local groups, and includes their default access, default local members, and default domain members.
Table 26. Default Local Groups in Windows XP Professional
Local Group
Default Access
Default Members Locally
Default Domain Members When Joined to a Domain
Administrators
Unrestricted access to the computer
Administrator
Domain Admins Global Group
Backup Operators
Access to run Windows Backup and sufficient access rights that override other rights when performing backup
N/A
N/A
Guests
Limited only to explicitly granted rights and restricted usage of computer
Guest
Domain Guests Global group IUSR_machine
Power Users
Create\modify local user accounts, share resources
N/A
N/A
Remote Desktop Users
Limited to accessing the computer via a remote desktop connection plus any explicitly granted rights and restricted usage of computer
N/A
N/A
Users
Limited to use of the computer, personal files and folders, and explicitly granted rights
All newly created users NT Authority\Authenticated Users special built-in group NT Authority\ Interactive special built-in group
Domain Users Global group
Table 27 lists Windows XP built-in special groups, and includes their default access, default local members, and default domain members.
Table 27. Built-in Special Groups in Windows XP Professional
Built-in Group
Default Access
Default Members Locally
Default Domain Members When Joined to a Domain
Anonymous Logon
Not provided any default access rights
User accounts that Windows XP cannot authenticate locally
N/A
Authenticated Users
Not given any default access rights
All users with valid local user accounts on this computer
All Active Directory users in the computer's domain or any trusted domain
Creator Owner
Designated full control over resources created or taken over by a member of the Administrators group
Administrators group
N/A
Dialup
No specific rights; this group is not shown on systems without configured modems and dial-up connections
All users who have connected to the computer with a dial-up connection
N/A
Everyone
Full Control is the default permission granted for all files and folders on NTFS volumes; you must remove this permission to implicitly deny access
All users who access the computer
N/A
Interactive
No specific rights
All users who have logged on locally to the computer
N/A
Network
No specific rights
All users who have established a connection to this computer's shared resource from a remote network computer
N/A
Watch out for Audit policy questions that embed the FAT32-formatted disk into the question. FAT file systems do not support auditing. You can audit only an NTFS-formatted volume.
You cannot select Fast User Switching when your computer is a member of a domain or if you have enabled Offline Files.
You can add a .NET Passport only in the Control Panel User Accounts applet.
To configure the Local Group Policy, open the MMC console, click the File menu, click Add/Remove Snap-Ins, click Add, and select the Group Policy Editor snap-in. When asked to select the location of the GPO, select Local Computer.
You can display a user's actual rights to use a file by looking at the Effective Permissions tab of the Advanced Security options.
Cached credentials enable faster logons and single signons.
You can disable cached credentials in Group Policy by setting the Interactive Logon: Number of Previous Logons to Cache (in Case Domain Controller Is Not Available) policy to 0 logons.