Active Directory Groups

Active Directory Groups


There are two main groups in Active Directory: Distribution Groups and Security Groups.

• Distribution Groups are used to gather a specific set of users for non-security-related functions. Sending e-mail messages to a distribution group is the primary example of this. You cannot use distribution groups to assign rights and permissions. That is the function of a Security Group.

• Security Groups are used to gather a specific set of users for the specific reason of assigning access rights and permissions via the group rather than individually to each user object.

Active Directory uses a subset of both of these groups, as outlined below.

• Security Domain local groups are where permissions are set to grant user access to network resources, such as files, folders, or printers in a single domain.

• Distribution Domain local groups allow the non-security-related function (e.g., e-mail) for group members of the single domain.

Domain Local Groups in a Mixed Mode Domain can contain users, global groups and universal groups from any domain in the forest. In Native Mode, they can also contain domain local groups from their own domain as well as be a member of another domain local group from within its own domain.

Security Domain Local Groups can be assigned permissions for any resource in the domain where the domain local group resides.

Security Global Groups organize domain user objects across domains. Distribution Global Groups would allow the non-security-related function (e.g., e-mail) for group members across domains.

Global Groups in a Mixed Mode Domain can contain user accounts from the group's local domain. In Native Mode they can contain other global groups (called Group Nesting) from the local domain.

Global Groups in a Mixed Mode Domain can be members of Domain local groups in any domain in the forest. In Native Mode they can be a member of another global (nested in another Global Group) in its own domain.

Security Global Groups can be assigned permissions for all of the domains in the forest.

Security Universal Groups are used to group users and grant permissions across an entire forest.

Distribution Universal Groups allow the non-security-related function (e.g., e-mail) for group members across the entire forest.

A Windows 2000 domain must be in native mode to create Universal Security Groups. In Mixed Mode only Universal Distribution Groups are available.

Universal Groups can contain user accounts, global groups and universal groups from any domain in the forest and can be a member of Domain local groups and other universal groups in any domain in the forest.

Universal Groups can be assigned permissions for all domains in the forest and should be used to nest global groups so that permissions can be more easily assigned to related resources in multiple domains. Individual users should not be added singly to universal groups, and you should keep membership changes in Universal Groups to a minimum, as these changes must be replicated throughout the forest.

When setting up access to any server it is important to remember that:

• Authentication determines the identity of a user

• Permissions determine what a valid user can access once authenticated

here are predefined global groups created to group common types of user accounts on Windows 2000 domain controllers.

By default, Windows 2000 automatically adds specific members to some predefined global groups. System administrators can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group.

Domain Admins: Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group so that members of Domain Admins can perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member. Also, any computer that joins the domain automatically places the Domain Admins group in the Administrators local group.

Domain Guests: Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group. By default, the Guest account is a member.

Domain Users: Windows 2000 automatically adds Domain Users to the Users built-in domain local group. By default, the Administrator, Guest, IUSR_computername, IWAM_ computername, Krbtgt, and TsInternetUser accounts are initially members, and each new domain user account is automatically made a member.

Enterprise Admins: Windows 2000 allows you to add user accounts to Enterprise Admins for users who require administrative control for the entire network, and then adds Enterprise Admins to the Administrators domain local group in each domain. By default, the Administrator account is a member.

Windows 2000 also creates built-in domain local groups in each Active Directory domain. These groups provide all included users with specific user rights and permissions to perform tasks and are set up with predefined rights and permissions.

The most commonly used built-in domain local groups and their default properties are as follows:

• Account Operators: Members of the built-in Account Operators domain local group are allowed by default to create, delete, and modify user and group objects; members cannot modify the Administrators group or any of the operators groups.

• Administrators: Members of the built-in Administrators domain local group are allowed by default to perform all administrative tasks on all domain controllers and on the domain itself. By default, the Administrator user object and the Domain Admins and Enterprise Admins predefined global groups are members.

• Backup Operators: Members of the built-in Backup Operators domain local group are allowed by default to backup and restore all domain controllers using Windows Backup.

• Guests: Members of the built-in Guest domain local group can by default perform only tasks for which you have granted rights; members can gain access only to resources for which you have assigned permissions. Members cannot make permanent changes to their desktop environment. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.

• Pre-Windows 2000 Compatible Access: This built-in domain local group is a backward-compatibility group that provides read access for all users and groups in the domain. When you select the Permissions Compatible With Pre-Windows 2000 Servers option in the Active Directory Installation Wizard, the Everyone pre-Windows 2000 system group is made a member.

• Print Operators: Members of the built-in Print Operators domain local group are allowed by default to set up and manage network printers on domain controllers.

• Replicator: This built-in domain local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.

• Server Operators: Members of the built-in Server Operators domain local group are allowed by default to share disk resources and back up and restore files on a domain controller.

• Users: Mmbers of the built-in Users domain local group are allowed by default to perform only tasks for which you have granted rights, and they can access only the resources for which you have assigned permissions. By default, the Authenticated Users and Interactive pre-Windows 2000 groups, and the Domain Users predefined global group are members. Use this group to assign permissions and rights that every user with an account in your domain should have.

Windows 2000 stand-alone servers, member servers, and computers running the Windows 2000 Professional and Windows XP Professional desktop operating systems all have built-in local groups that give users the rights to perform specific preconfigured system tasks on the local system. Built-in local groups are located in the \Groups folder in the Local Users and Groups snap-in by default as part of the Computer Management console on every computer running Windows 2000 and Windows XP, and all Windows 2000 stand-alone and member servers.

The most commonly used built-in local groups and their default properties are as follows:

• Administrators: Members of the built-in Administrators local group are allowed by default to perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Microsoft Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Admins predefined global group to the local Administrators group.

• Backup Operators: Members of the built-in Backup Operators local group are allowed by default to use Windows Backup to backup and restore the local system.

• Guests: Members of the built-in Guests local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member. When a member server or a computer running Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Guests predefined global group to the local guests group.

• Power Users: Members of the built-in Power Users local group are allowed by default to create and modify user accounts on the local system and share resources on the local system.

• Replicator: This built-in local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users t

o this group.

• Users: Members of the built-in Users local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions. By default, Windows 2000 adds to the Users group local user accounts that you create on the computer. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Users predefined global group to the local Users group.

Special identity groups do not have specific memberships that Administrators directly modify, but they represent different users at different times, depending on how a user accesses a given system or resource on that system. Special identity groups are not found in the Local Computers and Users or Active Directory Users and Computers MMC (Microsoft Management Console) snap-ins for direct administration, but these groups are available for use when you assign rights and permissions to resources.

The most commonly used special identity groups and their default properties are as follows:

• Anonymous Logon special identity group includes any user account that Windows 2000 did not authenticate to the local system, such as an anonymous FTP user.

• Authenticated Users special identity group includes all users with a valid user account on the computer or in Active Directory service. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

• Creator Owner special identity group includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is owner of the resource.

• Dialup special identity group includes any user who currently has a dial-up connection to the local system.

• Everyone special identity group includes all users who access the computer. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 authenticates as Guest a user who does not have a valid user account. The user automatically gets all rights and permissions that you have assigned to the Everyone group. The Everyone group is assigned full control to many resources by default.

• Interactive special identity group includes the user account for the user who is logged on at the local system console. Members of the Interactive group gain access to resources on the computer at which they are physically located.

• Network special identity group includes any user with a current connection from another computer on the network to a shared resource on the computer.