Built-In Groups
There are several kinds of built-in groups, depending on where you look in the directory structure. The domain local scope built-in groups can include the following:
- Account Operators—Users placed into this group can perform account management duties, such as creating new users.
- Administrators—This is the most powerful group. Members of this group can do just about anything they want in the domain, including taking ownership of files and creating user accounts.
- Backup Operators—Members of this group get the access rights needed to perform backups on computers in the domain.
- Incoming Forest Trust Builders—Users in this group can create incoming trust relationships from other forests. Keep in mind that trust relations in the Active Directory are transitive but must be established manually between Active Directory trees in the forest.
- Network Configuration Operators—This group allows users to manage some aspects of network configuration.
- Performance Log Users—Members of this group can schedule logging of performance monitors on this computer, from a remote computer.
- Performance Monitor Users—This user group can monitor performance on this computer from a remote computer.
- Pre-Windows 2000 Compatible Access—This group is meant for pre-Windows 2000 users to enable them to have read access for users and groups in the domain stored in the Active Directory.
- Replicator—Used by services responsible for replication.
- Server Operators—Members of this group can perform tasks on specific servers.
- Users—A built-in group for ordinary users in the domain, which can run applications, but not make systemwide configuration changes.
In addition to these built-in groups, you can click on the Users folder and see a list of predefined groups, which also can be used to organize users. These are global scope groups, so you can use them to organize users and computers, and then place them in domain scope groups in the current domain or in other domains. If none of the following group names fits your needs, you can create your own groups, which we'll look at next.
The predefined groups found in the Users folder are listed here:
- Cert Publishers—Users can publish certificates to the Active Directory.
- DHCP Administrator—Members can administer the DHCP service.
- DHCP Users—Members of this group have view-only access to the DHCP service.
- DnsAdmins—Members of the DNS Administrators group, who can manage the DNS service.
- DnsUpdateProxy—This group allows members to update the Domain Name System (DNS) service for other clients, such as a DHCP server.
- Domain Admins—Users who administer the domain.
- Domain Computers—All workstations and servers joined to the domain.
- Domain Controllers—Every domain controller in this domain is a member of this group.
- Domain Guests—Members are guests in the domain, with limited access.
- Domain Users—All members of the domain.
- Enterprise Admins—Members can administer the entire enterprise.
- Group Policy Creator Owners—These users can modify the group policy for a domain.
- HelpServicesGroup—Users that provide help via the Help and Support Center.
- IIS_WPG—Members who manage the Internet Information Server.
- PasswordPropDeny—Members of this group should not have their password synchronized.
- RAS and IAS Servers—Servers that are members of this group can access the remote access properties of users.
- Schema Admins—Administrators of the Active Directory schema.
- Terminal Server Computers—Computers that can communicate with the Terminal Services License server.
- WINS Users—Members of this group have view-only access to the WINS server.
In general, the groups you'll use most in the list will probably be the Domain Computers and Domain Users groups. By default, when you create a user account, the new account is placed automatically into the Domain Users group. Likewise, when you add a computer to the domain, the computer is automatically placed into the Domain Computers group. Looking at the domain as a whole, you can use these two groups when you want to make changes that apply to all users or all computers in a domain.
The Domain Admins group can be used to give selected individuals administrator-level rights in a domain. It is always a good idea not to use the actual built-in Administrator account for a domain. Instead, create individual accounts for each user, and then place the user into one or more groups that give him the access he needs. If you need to grant a user administrator-level rights, just place him into the Domain Admins group.
The other groups will depend on the services you have installed. Some may not appear if you have not installed that service (such as DHCP).
A few notes about these predefined groups in the Users folder:
- The Domain Users group is a member of the domain's Users group (the one located in the Builtin folder).
- The Domain Admins group is automatically a member of the Administrators group in the Builtin folder.
- The Domain Guests group is automatically placed into the Guests group in the Builtin folder.
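Because of this nesting, the accounts that actually hold a group's rights are not always its direct members. The PowerShell below is an added example, not part of the original text: it lists the effective members of the privileged groups named above and checks the built-in Administrator account. It assumes the ActiveDirectory module (RSAT) is installed, read access to the domain, and the default English group names.

```powershell
# Added example: audit effective membership of the privileged groups on this page.
# Assumes the ActiveDirectory module (RSAT) and default English group names.
Import-Module ActiveDirectory

# Names taken from the lists above; groups missing from this domain are skipped.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Account Operators', 'Backup Operators', 'Server Operators'

$report = foreach ($name in $privileged) {
    try {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Group '$name' not found in this domain; skipping."
        continue
    }

    # Direct members reveal the nesting (for example Domain Admins inside Administrators).
    $directSids = Get-ADGroupMember -Identity $group |
        ForEach-Object { $_.SID.Value }

    # -Recursive flattens nested groups down to the accounts that end up with the rights.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            Group      = $group.Name
            Account    = $_.SamAccountName
            ObjectType = $_.objectClass
            Via        = if ($directSids -contains $_.SID.Value) { 'direct' } else { 'nested group' }
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize

# The built-in Administrator account keeps RID 500 even if it has been renamed.
# A recent LastLogonDate means it is still being used for day-to-day work.
$domainSid = (Get-ADDomain).DomainSID.Value
Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
```

Rows marked `nested group` under Administrators are accounts that gained the right through another group such as Domain Admins; rows marked `direct` were added to the group itself and are worth reviewing individually.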