To make assigning access rights and privileges easier to manage, Windows NT enables you to group users together. Rather than spending an inordinate amount of time granting each user the right to access a particular file share, for example, you can put multiple users into a user group and grant or revoke the right for the group as a whole. A user group can be a local group that exists on a particular computer, or a domain-wide local or global group.

Local groups on a particular server are used to allow the local administrator of a member server to control access to local resources. For example, when a member server (a Windows NT Server computer that is not a domain controller) joins a domain, the domain's global group Domain Admins is placed into the server's local group Administrators. It is through this nesting that the domain administrators are granted the capability to administer the local server. Of course, it is also quite possible for the user of the member server to log on with the server's built-in Administrator account and remove the Domain Admins global group from the local Administrators group, thereby denying the domain administrators their access to administer resources on the member server. Because that change is made with a local account and recorded only in the member server's own account database, domain administrators get no notice of it; if you rely on this nesting, check the local Administrators group on your member servers periodically.

Local domain groups function in much the same way, but on a domain-wide scale. When a trust relationship is created between two domains, users in the trusted domain do not automatically gain access rights to resources in the trusting domain. Instead, the administrator in the trusting domain needs to grant each user the needed access privilege. Because granting access rights on a user-by-user basis can be quite tedious in a large network, groups can be used for that purpose as well. Local domain groups can contain users and global groups from the domain in which the group is created, and users or global groups from other trusted domains. Domain administrators can grant or deny access to domain resources by granting or denying access to the local domain groups.
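The check suggested above, as an added example that is not part of the original chapter: a batch file for a Windows NT member server that uses the NET command (present on NT Workstation and Server) to confirm the Domain Admins global group is still nested in the local Administrators group, and to record the membership of the privileged local groups so it can be compared against an earlier run. The domain name CORP, the log file location, and the choice of groups to audit are assumptions.

```batch
@echo off
rem Added example; this is not code from the chapter. Run on a member server
rem (or workstation) to confirm that the domain's Domain Admins global group
rem is still nested in the local Administrators group, and to record the
rem membership of the privileged local groups for review. The domain name
rem CORP and the log location are assumptions.

set AUDITLOG=%TEMP%\groupaudit-%COMPUTERNAME%.txt

rem 1. Check the nesting described in the text. NET LOCALGROUP lists members
rem    as DOMAIN\name; FIND /I sets ERRORLEVEL 1 when the string is absent.
net localgroup Administrators | find /i "CORP\Domain Admins" > nul
if errorlevel 1 (
    echo WARNING: CORP\Domain Admins is NOT in Administrators on %COMPUTERNAME%
    echo To restore it, as a local administrator run:
    echo     net localgroup Administrators "CORP\Domain Admins" /add
) else (
    echo OK: CORP\Domain Admins is in Administrators on %COMPUTERNAME%
)

rem 2. Dump the membership of the built-in local groups whose rights are
rem    effectively administrative, so the output can be compared against
rem    the previous run. A group that does not exist on this machine is
rem    reported as not found by NET and can be ignored.
echo Group audit on %COMPUTERNAME% > "%AUDITLOG%"
date /t >> "%AUDITLOG%"
for %%G in (Administrators "Backup Operators" "Print Operators") do (
    echo. >> "%AUDITLOG%"
    net localgroup %%G >> "%AUDITLOG%"
)

rem 3. Also record the domain's Domain Admins membership, queried from the
rem    primary domain controller.
echo. >> "%AUDITLOG%"
net group "Domain Admins" /domain >> "%AUDITLOG%"

type "%AUDITLOG%"
```

Run it from an account that is a member of the server's local Administrators group; the warning branch prints the command to restore the nesting rather than running it, so that a removal done deliberately by the server's owner is reviewed before it is undone.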
Global user groups contain only user accounts from the domain in which they are created; a global group cannot contain other groups. Global groups are used to "export" users to another trusting domain as a single unit. For example, the domain administrator of a trusting domain can place global groups from trusted domains into a local domain group and grant or deny access to domain resources through that local group.

Built-In User Groups

To make things easier when you first set up a Windows NT computer, several local and global groups are created by default. If the computer is a Windows NT Server computer operating as a domain controller, you will find these domain local groups:
The functions of most of these groups are fairly obvious at first glance. The Administrators group is a local group that is granted the rights to manage the domain. The Backup Operators group enables its members to back up and restore files, bypassing normal file permissions for this purpose; because the backup and restore rights let a member read and write any file on the system regardless of its permissions, treat membership in this group as a privileged assignment rather than a convenience. The Print Operators group has the necessary privileges to manage printers and print queues for the domain, and so on. The Users local group is used to group users on the particular server, whereas the Domain Users global group usually contains all users in the domain. If you look at the membership of the server's Users group, you can see that the Domain Users global group is a member, which is how ordinary domain users get limited access rights to the server. If the server is a domain controller, you also will see three built-in global groups:
Windows NT Workstation computers, along with Windows NT Server computers that are not domain controllers (member servers), have the following built-in local groups:
Note: The rights associated with built-in user groups are what give them their functionality. For an in-depth discussion of user rights and the functions that a member of a built-in user group can perform, see Chapter 39.

Creating User Groups

These built-in groups make it easy to set up initial groups of users that can perform standard server or network management tasks. For more specific functions you can create your own groups. To do so, use the User Manager for Domains utility. First make a list of the functional groups you want to create, based on the resources or type of access you think each group will need. For example, if your domain supports several different business units, such as an accounting department, a research department, and a warehouse, you might want to create three user groups, one for each of these departments. If one group of users, such as the accounting users, needs to be further subdivided so that some have more access to confidential data than others, you can create several user groups for that department instead of a single group. The important point to remember is that by creating groups you make the job of granting or revoking access rights easier as resources or users on the network change. To create a group, open the User menu in the User Manager for Domains and select either Create New Local Group or Create New Global Group. In Figure 36.6 you can see the dialog box used to create a new local group.

Figure 36.6. To create a new local group, specify the group name and then add members.
After you enter the name of the new group and an optional description, you can click the Add button to bring up the Add Users and Groups dialog box. This dialog box is used for many different functions in the User Manager for Domains whenever users must be selected. In Figure 36.7 you can see that all you have to do is select a username or a group name, and then click the Add button to move that name to the Add Names display at the bottom of the dialog box. You can use the Search button to locate names if the list for your network is very large and you don't want to scroll through the entire list to find the correct name.

Figure 36.7. Select users or other groups to place into the new local group.
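The departmental group structure described in the Creating User Groups section, built from the command line instead of through the User Manager for Domains dialogs. This is an added example and not code from the chapter; it uses the NET GROUP and NET LOCALGROUP commands available on Windows NT Server. The domain name CORP, the group names, the user names, and the share name are assumptions, and the user accounts are assumed to exist already.

```batch
@echo off
rem Added example; this is not code from the chapter. Creates the department
rem groups described in the text with the NET command rather than User Manager
rem for Domains. Run on the primary domain controller as a domain
rem administrator. Domain CORP, the group and user names, and the share name
rem are assumptions; the user accounts must already exist.

rem Global groups: one per department, plus a smaller one for the accounting
rem staff cleared to see confidential data. A global group holds only user
rem accounts from this domain.
net group Accounting /add /comment:"Accounting department"
net group "Accounting Confidential" /add /comment:"Accounting staff cleared for confidential data"
net group Research /add /comment:"Research department"
net group Warehouse /add /comment:"Warehouse staff"

rem Populate the global groups (several users can be named on one line).
net group Accounting amiller bchen /add
net group "Accounting Confidential" amiller /add
net group Research dkim /add
net group Warehouse epatel /add

rem Local groups are what resources are granted to. Nesting the global groups
rem in them keeps membership managed in one place; a global group from a
rem trusted domain could be nested the same way (TRUSTED\Groupname).
net localgroup "Accounting Share Users" /add /comment:"Change access on the ACCT share"
net localgroup "Accounting Share Users" "CORP\Accounting" /add
net localgroup "Confidential Data Users" /add /comment:"Full access to confidential accounting data"
net localgroup "Confidential Data Users" "CORP\Accounting Confidential" /add

rem Verify the nesting before granting share or file permissions to the
rem local groups. FIND /I sets ERRORLEVEL 1 when the string is absent.
net localgroup "Accounting Share Users" | find /i "CORP\Accounting" > nul
if errorlevel 1 (
    echo ERROR: CORP\Accounting was not added to "Accounting Share Users"
) else (
    echo Accounting global group nested correctly.
)
net localgroup "Confidential Data Users"
```

Grant the share and directory permissions to the two local groups only; adding or removing a person from a department is then a single NET GROUP change to the global group, which is the point of the two-level structure the chapter describes.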
After you have finished selecting users or groups to add to this local group, click the OK button. You are returned to the New Local Group dialog box, and the users or group names that were selected now appear in the Members list at the bottom of the dialog box. Click OK to dismiss this dialog box when you are finished. If you need to modify group membership later, all you need to do is select the user group from the display on the main window of the User Manager for Domains and then, from the User menu, select Properties. Alternatively, you can simply double-click the group name to bring up the Properties sheet. This display is exactly like the one used when creating the new group except for its title. You can use the Add and Remove buttons to modify group membership.

Special User Groups

Besides the local and global built-in groups that were just described, there are several user groups whose membership is not assigned by the administrator; the system places a user in them automatically according to how that user is accessing the computer. These groups do not appear in the list of user groups in the User Manager for Domains. They are, however, seen when you use other utilities, such as the Windows NT Explorer, to grant access to files and directories. These are the groups: