Because Microsoft Windows Server 2003 is the underlying operating system for Windows Small Business Server 2003, all the built-in security groups integral to Windows Server 2003 still exist. However, many of these groups are focused on a much larger, multidomain network, so the designers of Windows Small Business Server created a subset of organizational units to simplify administration.
To view a list of groups (Figure 9-1), select Server Management from the Start menu and then click Security Groups in the console tree.
Figure 9-1: The security groups built in to Windows Small Business Server.
Note | Some groups, such as DHCP Administrators and DHCP Users, are listed in Active Directory Users and Computers. |
All the built-in universal groups, which are described in Table 9-1, are specific to Windows Small Business Server. With few exceptions, these are the groups that all users belong to and that are used to make templates. Templates are discussed in more detail later in the chapter.
Universal Group | Description |
---|---|
Administrator Templates | Members of this group are the templates that an Administrator can use to create new user accounts. The built-in user templates are default members. |
Domain Power Users | Members can create and modify user accounts and install programs on the local computer but cannot view other users’ files. This group is a default member of Fax Operators, Folder Operators, Mail Operators, Remote Operators, and SharePoint Administrators—all other built-in universal groups. Domain Power Users is also a member of Account Operators and Print Operators, which are built-in local groups. |
Fax Operators | Members of this group can manage fax cover pages and queues. The Domain Power Users group is a member by default. |
Folder Operators | Members can manage shared folders in the domain. The Domain Power Users group is a member by default. |
Mail Operators | Members can create and manage Microsoft Exchange Server mailboxes. The Domain Power Users group is a member by default. |
Mobile Users | Members can connect to the server remotely. Default members are the Administrator account, Administrator Template, Mobile User Template, and Power User Template. |
Power User Templates | Members of this group are the templates that power users utilize to create new user accounts. Default members are the built-in Mobile User Template and the User Template. |
Remote Operators | Members can log on to the server remotely but not locally. The Domain Power Users group is a member by default. |
Remote Web Workplace Users | Members can access the Remote Web Workplace from the Internet. The built-in templates are default members. |
SharePoint Administrators | Members can administer the SharePoint Web site. Default members are the Domain Power Users group and the STS Worker account (used by the Windows Small Business Server to route faxes). |
Usage Report Users | Members can view server usage reports. The Domain Admins group is a member by default. |
Built-in local groups are created when Windows Small Business Server is installed. These groups can’t be members of other groups and their group scope can’t be changed. Table 9-2 shows the built-in local groups.
Group | Description |
---|---|
Account Operators | Members can add, change, or delete user and group accounts. The Domain Power Users group is a member of this group. |
Administrators | Members can perform all administrative tasks on the computer. The built-in Administrator account that’s created when the operating system is installed is a member of the group. When a member server or a client running Microsoft Windows XP Professional or Microsoft Windows 2000 Professional joins a domain, the Domain Admins group (see Table 9-4) is made part of this group. |
Backup Operators | Members can log on to the computer, back up and restore the computer’s data, and shut down the computer. Members cannot change security settings but can override them for purposes of backup and restore. |
Guests | Members have the same access as members of the Users group. The Guest account has fewer rights and is a default member of this group. |
Print Operators | Members can manage printers and print queues on domain printers. The Domain Power Users group is an automatic member. |
Server Operators | Members can administer servers. No default members. |
Users | Members of this group can log on to the computer, access the network, save documents, and shut down the computer. Members cannot install programs or make system changes. When a member server, Windows 2000 Professional, or Windows XP Professional machine joins a domain, the Domain Users group is added to this group. |
If you don’t want members of the Domain Users group to have access to a particular workstation or member server, remove Domain Users from that computer’s local Users group. Similarly, if you don’t want the members of Domain Admins to administer a particular workstation or member server, remove Domain Admins from the local Administrators group.
The built-in domain local groups provide users with rights and permissions to perform tasks on domain controllers and in Active Directory. The domain local groups have predefined rights and permissions that are granted to users and global groups that you add as members. DHCP Users and DHCP Administrators groups are listed in Active Directory Users and Computers. Table 9-3 shows the built-in domain local groups used in Windows Small Business Server.
Domain Local Group | Description |
---|---|
DHCP Users (installed with DHCP Server service) | Members of this group can read DHCP information stored at a specific server for troubleshooting purposes. No default members. |
DHCP Administrators | Members of this group can administer DHCP Server service but do not have access to other parts of the server. |
Security Alert | On Microsoft Windows NT Server networks, all domain users are members of the Everyone group. This group is controlled by the operating system and appears on any network with Windows NT servers. In Windows Small Business Server 2003, all domain users are members of the Authenticated Users group. Unlike Everyone, Authenticated Users contains no anonymous users or guests. The Everyone group survives as a special identity. You don’t see it when you administer groups, and it cannot be placed in a group. When a user logs on to the network, the user is automatically added to Everyone. You can’t see or change the membership of the special identities, which also include the Network and Interactive groups. |
Built-in global groups are created to encompass common types of accounts. By default, these groups do not have inherent rights; an administrator must assign all rights to the group. However, some members are added to these groups automatically, and you can add more members based on the rights and permissions you assign to the groups. Rights can be assigned directly to the groups or by adding the built-in global groups to domain local groups. Table 9-4 describes the built-in global groups that are commonly used.
Global Group | Description |
---|---|
Domain Admins | This group is automatically a member of the built-in local Administrators group, so members of Domain Admins can perform administrative tasks on any computer in the domain. The Administrator account is a member of this group by default. |
Domain Computers | All servers and workstations in the domain are members. |
Domain Controllers | The Windows Small Business Server. |
Domain Users | All domain users are members. The Domain Users group is automatically a member of the built-in local Users group. |
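
The default nesting in Tables 9-1 through 9-4 means a user's effective rights come from every group reached through nested membership, not just the groups the account is placed in directly. The following Python sketch is an added example, not part of the original chapter: it models the default memberships stated in the tables, treats the local groups as those of one domain-joined computer, and shows the effect of removing Domain Admins from that computer's local Administrators group. The accounts `alice` and `bob` are hypothetical.

```python
# Default nesting as stated in Tables 9-1 to 9-4: member -> groups it belongs to directly.
# Local groups (Administrators, Users) are modeled for a single domain-joined computer.
DEFAULT_MEMBER_OF = {
    "Domain Power Users": {"Fax Operators", "Folder Operators", "Mail Operators",
                           "Remote Operators", "SharePoint Administrators",
                           "Account Operators", "Print Operators"},
    "Domain Admins": {"Administrators", "Usage Report Users"},
    "Domain Users": {"Users"},
    "Administrator": {"Domain Admins", "Administrators", "Mobile Users"},
    # Hypothetical accounts, constructed for this example.
    "alice": {"Domain Users", "Domain Power Users"},
    "bob": {"Domain Users", "Domain Admins"},
}

def effective_groups(principal, member_of):
    """Return every group the principal reaches through direct or nested membership."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:      # also guards against membership cycles
                seen.add(group)
                stack.append(group)
    return seen

def without_membership(member_of, member, group):
    """Return a copy of the map with one direct membership removed."""
    updated = {m: set(g) for m, g in member_of.items()}
    updated.get(member, set()).discard(group)
    return updated

def who_reaches(group, member_of):
    """List every modeled principal that ends up in the given group."""
    return sorted(p for p in member_of if group in effective_groups(p, member_of))

if __name__ == "__main__":
    # alice is only a Domain Power User, yet inherits Account Operators rights.
    print(sorted(effective_groups("alice", DEFAULT_MEMBER_OF)))
    # Remove Domain Admins from this computer's local Administrators group.
    hardened = without_membership(DEFAULT_MEMBER_OF, "Domain Admins", "Administrators")
    print(who_reaches("Administrators", DEFAULT_MEMBER_OF))
    print(who_reaches("Administrators", hardened))
```
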