A local group is a collection of user accounts on a computer. You can use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows 2000 creates local groups in the local security database. In this lesson, you learn what groups are and how you can use them to simplify user account administration.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
A group is a collection of user accounts. Administration is simplified when you assign permissions and rights to a group of users rather than to each individual user account (see Figure 7.1).
Figure 7.1 Simplified administration using groups
Permissions control what users can do with a resource, such as a folder, file, or printer. When you assign permissions, you give users the capability to gain access to a resource, and you define the type of access they have. For example, if several users need to read the same file, you would add their user accounts to a group. You would then give the group permission to read the file. Rights allow users to perform system tasks such as changing the time on a computer, backing up or restoring files, or logging on locally.
Users can be members of multiple groups. A group contains a list of members with references to the actual individual user account.
The following are guidelines for using local groups:
You can use local groups only on the computer on which you create the local groups. Although local groups are available on member servers and domain computers running Windows 2000 Professional, don't use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups don't appear in directory services based on Active Directory technology, and you have to administer local groups separately for each computer.
NOTE
You can't create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory directory service.
Membership rules for local groups include the following:
Use the Computer Management snap-in to create local groups, as shown in Figure 7.2. You create local groups in the Groups folder.
Figure 7.2 The Computer Management snap-in
Follow these steps to create a local group:
Table 7.1 describes the options available in the New Group dialog box.
Table 7.1 New Local Group Options
Option | Description |
---|---|
Group Name | A unique name for the local group. This is the only required entry. Use any character except for the backslash (\). The name can contain up to 256 characters; however, very long names might not be displayed completely in some windows. |
Description | Describes the group. |
Add | Adds a user to the list of members. |
Remove | Removes a user from the list of members. |
Create | Creates the group. |
Close | Closes the New Group dialog box. |
You can add members to a local group when you create the group by using the Add button, but you can also add users to a local group after you create it.
Use the Computer Management snap-in to delete local groups. Each group that you create has a unique identifier. Windows 2000 uses this value to identify the group and the permissions that are assigned to it. When you delete a group, Windows 2000 doesn't use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.
When you delete a group, you delete only the group and remove the permissions and rights that are associated with it. Deleting a group doesn't delete the user accounts that are members of the group. To delete a group, right-click the group, and then click Delete.
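The identifier behavior described above can be observed directly. The following script is an added example, not part of the original lesson: it assumes a current Windows system with Windows PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts cmdlets (not available on Windows 2000), run from an elevated session. The group name DemoAudit and the folder under %TEMP% are constructed for the demonstration.

```powershell
#Requires -RunAsAdministrator
# Added example. 'DemoAudit' and the temp folder are constructed names.
$name    = 'DemoAudit'
$dir     = Join-Path $env:TEMP 'DemoAuditShare'
$sidType = [System.Security.Principal.SecurityIdentifier]

# Returns $true if the folder's explicit ACL contains an entry for the given SID.
function Test-AclHasSid([string]$Path, $Sid) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $false, $sidType)
    [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $Sid.Value })
}

try {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Create the group and remember the identifier Windows assigned to it.
    $oldSid = (New-LocalGroup -Name $name -Description 'Constructed demo group').SID

    # Give the group Read permission on the folder.
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $oldSid, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl

    # Delete the group, then create a new group with the same name.
    Remove-LocalGroup -Name $name
    $newSid = (New-LocalGroup -Name $name).SID

    # Compare the identifiers and check which one the folder's ACL refers to.
    [pscustomobject]@{
        OldSid          = $oldSid.Value
        NewSid          = $newSid.Value
        SidReused       = ($oldSid.Value -eq $newSid.Value)
        AclHasOldSid    = Test-AclHasSid $dir $oldSid   # entry left behind for the deleted group
        AclHasNewSid    = Test-AclHasSid $dir $newSid   # entry for the recreated group
    } | Format-List
}
finally {
    # Remove the constructed group and folder.
    Remove-LocalGroup -Name $name -ErrorAction SilentlyContinue
    Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
}
```

An ACL entry that still names the old identifier is a leftover to clean up; access for the recreated group has to be granted again explicitly.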
To add members to a group that has already been created, start the Computer Management snap-in and expand Local Users And Groups. Click Groups, and then in the details pane, right-click the appropriate group and click Properties. In the Properties dialog box, click Add. The Select Users Or Groups dialog box appears, as shown in Figure 7.3.
Figure 7.3 The Select Users Or Groups dialog box
In the Look In list, ensure that the computer on which you created the group is selected. In the Name box, select the user account that you want to add to the group, and then click Add.
NOTE
If you want to add multiple user accounts, you can repeat the process of selecting them one at a time and then click Add, or you can hold down the Shift or Ctrl key to select multiple user accounts at once. With the Shift key down you can select a consecutive range of accounts; with the Ctrl key down you can pick some accounts and skip others. Click Add when you have selected all the accounts that you want to add.
Clicking Add lists the accounts you have selected. Review the accounts to make sure that they are the accounts you want to add to the group, and click OK to add the members.
NOTE
You can also add a user account to a group from the Member Of tab in the Properties dialog box for that user account. Use the Member Of tab to quickly add the same user account to multiple groups.
In this practice, you create two local groups. You add members to the local groups when you create them and then add another member to one of the groups after the groups have been created. You delete a member from one of the groups, and then you delete one of the local groups that you created.
NOTE
This practice requires the user accounts that you created when you completed the practice "Creating Local User Accounts" in Chapter 4, "Managing User Accounts." If you didn't set up the user accounts as described in Chapter 4, go back and do the practice in that chapter to set up the user accounts you will work with in this practice.
In this exercise, you create two local groups, Sales and Testing. You add members to both groups when you create them. You add a member to an existing group by adding an additional member to the Testing group, and then you remove a member from the Testing group.
To create a local group
In the details pane, Computer Management displays a list of current and built-in local groups.
Computer Management displays the New Group dialog box.
The Select Users Or Groups dialog box appears.
PRO1\User1 and PRO1\User3 should be listed in the box below the Add button.
NOTE
If you didn't name your computer PRO1, then PRO1 will be replaced by the name of your computer.
In the New Group dialog box, notice that User1 and User3 are listed in the Members box.
Windows 2000 creates the group and adds it to the list of users and groups. Note that the New Group dialog box is still open and might block your view of the list of users and groups.
Notice that the Sales and Testing groups are listed in the details pane.
To add members to and remove members from a local group
The Testing Properties dialog box displays the properties of the group. Notice that User2 and User4 are listed in the Members box.
The Select Users Or Groups dialog box appears.
The Testing Properties dialog box displays User2, User3, and User4 listed in the Members box.
Notice that User4 is no longer listed in the Members box. User4 still exists as a local user account, but it is no longer a member of the Testing group.
In this exercise, you delete the Testing local group.
A Local Users And Groups dialog box appears, asking whether you are sure that you want to delete the group.
Notice that Testing is no longer listed in the Computer Management window. The members of the group were not deleted. User2 and User3 are still local user accounts on PRO1.
In this lesson, you learned that a group is a collection of user accounts. Administration is simplified when you assign permissions and rights to a group of users rather than to each individual user account.
You also learned that when naming a group you should make the name intuitive. You use the Computer Management snap-in to create groups, to add members to a group, to remove members from a group, and to delete groups. In the practice portion of this lesson, you created two local groups and added members to the groups as you created the local groups. You then added another member to one of the local groups. You deleted a member from one of the local groups, and then you deleted one of the local groups.