Module 3: Setting up Group Accounts


NT Administration Notes
Introduction	Users	Groups	Admin
Shares	NTFS	Printing 1	Printing 2
Auditing	Monitoring	Backup

Module 3: Setting up Group Accounts

A group is a collection of user accounts. Assigning a user to a group, will give that user all the rights and permissions of that group.

To types of groups are:

Local groups: to give users permissions to one or more network resources.

Note:

If you create a local group on a member server, you can only assign resources located on that member server

If you create local groups on a PDC or BDC, you can grant domain wide permissions to all accessible resources within the domain.

Global groups: to organize domain user accounts, typically by function or geographical location.

Note:

Global groups are always created on the PDC in the domain where the account resides.

It cannot contain user accounts from a different domain. To give members from a global group access to a resource, add the global group to the local group where the resource is located.

The local group can be found in any domain with the appropriate trust relationship.

Local Groups	Global Groups
Provide users with permissions or rights	Organize domain users
Can include (from any domain): User accounts Global groups	Can only include user accounts in the domain where it resides
Cannot include other local groups	Cannot contain local or global groups
Are assigned permissions and rights in the local domain	Are added to a local group to give its members rights
Can only be assigned to local resources on an computer running Windows NT Workstation or on a member server	Are not assigned to resources
On a PDC, can be assigned resources on any domain controller in the domain	Must be created in the domain where the accounts reside.

Global groups can be created on a PDC from any Windows NT platform running user manager for domains.
To be able to create groups, you must be a member of the Administrators or Account Operators group.
Group names must be unique. Not identical to other; users or group names.

Note again:

To give users access to a resource on a member server, you HAVE to create the local group on the member server

Implementing Built-In Groups

Built-in groups are predefined groups that have a predetermined set of user rights. These rights determine the tasks a user of member of a group can perform.

Built-in Local Groups

give the rights to perform tasks such as backup or restore, change system time, etc.
are on ALL NT computers

Built-in Global Groups

are on Domain Controllers only (PDC/ BDC)

System Group

automatically organize users for system use
there is no assigning for a human to do here
users are members by default during network activity

Computers running Windows NT have these types of built-in groups:

Built-in local groups, that are on all NT machines.

Users: Perform tasks for which they have granted rights and access resources to which they have permissions.

Administrators: Can perform all administrative tasks on the local computer. If the computer is a DC, they can fully administer the full domain.

Guests: Perform tasks for which they have granted rights and access resources to which they have permissions. Members cannot make permanent changes to their environment.

Backup Operators: Use the NT backup program to backup and restore all computers running Windows NT.

Replicators: Used by the directory Replicator service. The group is not used for administration.

Power Users: This group only resides on computers running Windows NT /WS and Member Servers, they can create and modify accounts, and they can share resources.

Built-in Groups - Domain Controller Only

Built-in local groups, that are on NT Domain Controllers only, there are no initial members in these groups.

Group Name	What they can do
Account Operators	Can create, delete, modify users, global groups and local groups Cannot: modify the Administrators or Server Operators group.
Server Operators	Share disk resources, and backup and restore the server.
Print Operators	Setup and manage network printers

Built-in Global Groups

Built-in global groups. Are on Domain Controllers only, and there are no initial members in these groups.

This Group	Is automatically added to the…
Domain Users	Local users group. When a domain user account is created it is automatically made a member of this group. The Administrator is a member by default
Domain Admins	Local Administrators group. Members of the domain Admins group can then perform administrative tasks on the local computer. The Administrators account is member by default.
Domain Guests	Local guests group. The Guest account is a member by default.

Built-in System Groups

System groups. Are on all NT machines. Automatically organizes users for system use. Built-in system groups reside on all computers running Windows NT. Users become members by default during network activity. Membership cannot be modified.

System groups	Description
Key system groups used for network administration.
Everyone	Includes all local and remote users who access the computer. Unlike the Domain Users group, this group contains user accounts other than those created by the administrator in the domain. Administrators can assign permissions and rights to this group.
Creator Owner	Includes the users that created or took ownership of a resource.
System groups that are not used for network administration.
Network		Any user who is currently connected to a shared resource via network.
Interactive		Members access resources on computer at which they physically sitting.

In order to effectively implement local and global groups use the following steps:

Organize users into global groups.
Assign permissions to local groups.
Add global groups to local groups.

Use the global group Domain Users instead of Everyone, it contains only accounts you've created, not all that have connected to the network.

To enable Administrators to perform administrative tasks in other domains, add the Global group Domain Admins to the local Administrators group on the computer in the remote domain.

Top of page

Comments and suggestions? E-mail me at grantwilson21@yahoo.com I'm sorry, but I can't answer specific network-related, or exam-related questions.
Last Updated: August 6, 2001	Grant Wilson, Edmonton, AB Canada