In this lesson, you will learn what groups are and how you can use them to simplify user account administration. You will also learn about built-in groups, which have a predetermined set of user rights and group membership. Windows XP Professional has two categories of built-in groups, local and system, which it creates for you to simplify the process of assigning rights and permissions for commonly used functions.
A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually (see Figure 3.12).
Figure 3.12 Groups simplify administration
Permissions control what users can do with a resource such as a folder, file, or printer. When you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.
For more information about permissions, see Chapter 8, "Securing Resources with NTFS." For more information about rights, see Chapter 13, "Configuring Security Settings and Internet Options."
A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows XP Professional creates local groups in the local security database.
Guidelines for using local groups include the following:
You can use local groups only on the computer on which you create them. Although local groups are available on member servers and domain computers running Windows 2000 Server, do not use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in the Active Directory service, and you must administer them separately for each computer.
You cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.
Membership rules for local groups include the following:
Use the Computer Management snap-in (shown in Figure 3.13) to create local groups in the Groups folder.
Figure 3.13 The New Group dialog box
To create a local group, complete the following steps:
MMC displays the New Group dialog box. Table 3.4 describes the available options.
Table 3.4 New Local Group Options
| Option | Description |
|---|---|
| Group Name | Requires a unique name for the local group. This is the only required entry. Use any character except the backslash (\). The name can contain up to 256 characters, but very long names might not display in some windows. |
| Description | Describes the group. |
| Members | Lists the user accounts belonging to the group. |
| Add | Adds a user to the list of members. |
| Remove | Removes a user from the list of members. |
| Create | Creates the group. |
| Close | Closes the New Group dialog box. |
You can add members to a local group when you create the group by clicking Add. In addition, Windows XP Professional provides two methods for adding members to a group that has already been created: the Computer Management snap-in and the Member Of tab in the group-name Properties dialog box.
To use the Computer Management snap-in to add members to a group that has already been created, complete the following steps:
Computer Management displays the group-name Properties dialog box.
Computer Management displays the Select Users dialog box, as shown in Figure 3.14.
Figure 3.14 The Select Users dialog box
The Member Of tab in the group-name Properties dialog box of a user account allows you to add a user account to multiple groups. Use this method to quickly add the same user account to multiple groups. To review how to use the Member Of tab, see the section in Lesson 4 entitled "The Member Of Tab."
Use the Computer Management snap-in to delete local groups. Each group that you create has a unique identifier that cannot be used again. Windows XP Professional uses this value to identify the group and its assigned permissions. When you delete a group, Windows XP Professional does not use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.
When you delete a group, you remove only the group and its associated permissions and rights. Deleting a group does not delete the user accounts that are members of the group. To delete a group, right-click the group name in the Computer Management snap-in and then click Delete.
In this practice, you create two local groups, add members to the local groups when you create them, and then add a member to one of the groups after it has been created. You delete a member from one of the groups, and then delete one of the local groups that you created.
Run the LocalGroups file in the Demos folder on the CD-ROM accompanying this book for a demonstration of creating and managing local groups.
In this exercise, you create two local groups, Accounting and Marketing, and add members to both groups. You add a member to the existing Marketing group, and then remove a member from the Marketing group.
Windows XP Professional starts Computer Management.
MMC displays the New Group dialog box.
MMC displays the Select Users dialog box.
User1, User2, and User4 appear in the Members list in the New Group dialog box.
Windows XP Professional creates the group and adds it to the list of groups in the details pane. Note that the New Group dialog box is still open and might block your view of the list of groups.
The Accounting and the Marketing groups now appear in the details pane.
The Marketing Properties dialog box displays the properties of the group. Notice that User2 and User4 are in the Members list.
Computer Management displays the Select Users dialog box.
The Marketing Properties dialog box now displays User1, User2, and User4 in the Members list.
Notice that User4 is no longer in the Members list. User4 still exists as a local user account, but it is no longer a member of the Marketing group.
In this exercise, you delete the Marketing local group.
Computer Management displays a Local Users And Groups dialog box asking if you are sure that you want to delete the group.
Marketing is no longer listed in the details pane, indicating that the Marketing group was successfully deleted.
User1 and User2 are still listed in the details pane, indicating that the group was deleted but the members of the group were not deleted from the Users folder.
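The two practice exercises above, together with the point from the deletion section that a deleted group's identifier is never reused, scripted as an added example (this is not code from the training kit). It uses the ADSI WinNT provider and WMI, both present on Windows XP Professional; the local accounts User1, User2 and User4 and a shell running as a member of Administrators are assumptions.

```powershell
# Added example, not from the training kit: scripts Exercise 1 and Exercise 2
# through the ADSI WinNT provider and WMI, both present on Windows XP.
# Assumes the local accounts User1, User2 and User4 already exist and that
# the shell runs as a member of the local Administrators group.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Get-LocalGroupSid([string]$Name) {
    # Win32_Group exposes the group's SID as a string; $null if no such group
    $g = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND Name='$Name'"
    if ($g) { $g.SID } else { $null }
}

function New-LocalGroupWithMembers([string]$Name, [string[]]$Members) {
    $group = $computer.Create("Group", $Name)
    $group.SetInfo()                                     # the Create button
    foreach ($m in $Members) {
        $group.Add("WinNT://$env:COMPUTERNAME/$m,user")  # the Add button
    }
    return $group
}

# Exercise 1: create both groups with their initial members
$accounting = New-LocalGroupWithMembers "Accounting" @("User1", "User2", "User4")
$marketing  = New-LocalGroupWithMembers "Marketing"  @("User2", "User4")

# Add User1 to the existing Marketing group, then remove User4 from it
$marketing.Add("WinNT://$env:COMPUTERNAME/User1,user")
$marketing.Remove("WinNT://$env:COMPUTERNAME/User4,user")

# User4 was removed only from the group; the user account itself remains
$user4 = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='User4'"
"User4 account still exists: $($user4 -ne $null)"

# Exercise 2: record the SID, delete the group, then recreate it by name
$sidBefore = Get-LocalGroupSid "Marketing"
$computer.Delete("Group", "Marketing")
"Marketing exists after delete: $((Get-LocalGroupSid 'Marketing') -ne $null)"

$recreated = New-LocalGroupWithMembers "Marketing" @()
$sidAfter  = Get-LocalGroupSid "Marketing"
"SID before delete:  $sidBefore"
"SID after recreate: $sidAfter"
# The SIDs differ, so ACL entries that referenced the old group stay orphaned
"Same SID (access restored)? $($sidBefore -eq $sidAfter)"
```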
All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. These groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows XP Professional places the built-in local groups in the Groups folder in Computer Management.
Table 3.5 lists the most commonly used built-in local groups and describes their capabilities. Except where noted, these groups do not include initial members.
Table 3.5 Built-In Local Group Capabilities
| Local group | Description |
|---|---|
| Administrators | Members can perform all administrative tasks on the computer. By default, the built-in Administrator account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Admins group to the local Administrators group. |
| Backup Operators | Members can use Windows Backup to back up and restore the computer. |
| Guests | Members can do the following: Members cannot make permanent changes to their desktop environment. By default, the built-in Guest account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Guests group to the local Guests group. |
| Power Users | Members can create and modify local user accounts on the computer and share resources. |
| Replicator | Supports file replication in a domain. |
| Users | Members can do the following: By default, Windows XP Professional adds to the Users group all local user accounts that an administrator creates on the computer. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Users group to the local Users group. |
Built-in system groups exist on all computers running Windows XP Professional. System groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available when you assign rights and permissions to resources. Windows XP Professional bases system group membership on how the computer is accessed, not on who uses the computer. Table 3.6 lists the most commonly used built-in system groups and describes their capabilities.
Table 3.6 Built-In System Group Capabilities
| System group | Description |
|---|---|
| Everyone | All users who access the computer. By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group. This presented a problem in earlier versions of Windows, including Microsoft Windows 2000. In Windows XP Professional, the Anonymous Logon is no longer included in the Everyone group. When a Windows 2000 Professional system is upgraded to a Windows XP Professional system, resources with permission entries for the Everyone group and not explicitly for the Anonymous Logon group are no longer available to the Anonymous Logon group. |
| Authenticated Users | All users with valid user accounts on the computer. (If your computer is part of a domain, it includes all users in Active Directory.) Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource. |
| Creator Owner | The user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group owns the resource. |
| Network | Any user with a current connection from another computer on the network to a shared resource on the computer. |
| Interactive | The user account for the user who is logged on at the computer. Members of the Interactive group can access resources on the computer at which they are physically located. They log on and access resources by "interacting" with the computer. |
| Anonymous Logon | Any user account that Windows XP Professional cannot authenticate. |
| Dialup | Any user who currently has a dial-up connection. |
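An added example (not from the training kit) of acting on the advice in the Authenticated Users row: it audits a folder's explicit NTFS entries for Everyone (S-1-1-0) and regrants the same rights to Authenticated Users (S-1-5-11) instead, so that Anonymous Logon no longer matches. The folder path C:\Shared is an assumption.

```powershell
# Added example, not from the training kit: replaces explicit NTFS entries for
# Everyone (S-1-1-0) with identical entries for Authenticated Users (S-1-5-11),
# the substitution the table recommends to keep Anonymous Logon out.
# Assumes the folder C:\Shared exists and the caller may change its ACL.
$authenticated = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")

function Convert-EveryoneToAuthenticated([string]$Path) {
    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Inherited entries cannot be edited here; they must be fixed on the parent
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate($sidType).Value -eq "S-1-1-0"
    })
    foreach ($ace in $targets) {
        $acl.RemoveAccessRule($ace) | Out-Null
        # Same rights, inheritance and allow/deny type, different principal
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $authenticated, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)
    }
    if ($targets.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $targets.Count
}

$changed = Convert-EveryoneToAuthenticated "C:\Shared"
"Rewrote $changed Everyone entries on C:\Shared to Authenticated Users"
```

Run it first against a test folder, and note that any inherited Everyone entries reported as untouched must be changed on the parent object they come from.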
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."