Saturday, April 19, 2008

Windows 2000 User Groups continue…

Built-In Groups

There are several kinds of built-in groups, depending on where you look in the directory structure. The domain local scope built-in groups can include the following:

  • Administrators—This is the most powerful group. Members of this group can do just about anything they want in the domain, including taking ownership of files and creating user accounts.
  • Incoming Forest Trust Builders—Users in this group can create incoming trust relationships from other forests. Keep in mind that trust relations in the Active Directory are transitive but must be established manually between Active Directory trees in the forest.
  • Network Configuration Operators—This group allows users to manage some aspects of network configuration.
  • Replicator—Used by services responsible for replication.

In addition to these built-in groups, you can click on the Users folder and see a list of predefined groups, which also can be used to organize users. These are global scope groups, so you can use them to organize users and computers, and then place them in domain scope groups in the current domain or in other domains. If none of the following group names fits your needs, you can create your own groups, which we'll look at next.


The predefined groups found in the Users folder are listed here:

In general, the groups you'll use most in the list will probably be the Domain Computers and Domain Users groups. By default, when you create a user account, the new account is placed automatically into the Domain Users group. Likewise, when you add a computer to the domain, the computer is automatically placed into the Domain Computers group. Looking at the domain from an overall picture, you can use these two groups when you want to make changes that apply to all users or all computers in a domain.

The Domain Admins group can be used to give selected individuals administrator-level rights in a domain. It is always a good idea not to use the actual built-in Administrator account for a domain. Instead, create individual accounts for each user, and then place the user into one or more groups that give him the access he needs. If you need to grant a user administrator-level rights, just place him into the Domain Admins group.

The other groups will depend on the services you have installed. Some may not appear if you have not installed that service (such as DHCP).

A few notes about these predefined groups in the Users folder:

The Domain Users group is a member of the domain's Users group (the one located in the Builtin folder).

The Domain Admins group is automatically a member of the Administrators group in the Builtin folder.

The Domain Guests group is automatically placed into the Guests group in the Builtin folder.
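Because Domain Admins is nested inside the Builtin Administrators group, the list of people with administrator-level rights is only visible once the nesting is expanded. The following is an added example, not part of the original post: a PowerShell audit that expands the nesting and flags day-to-day use of the built-in Administrator account. It assumes the ActiveDirectory module (RSAT) and a domain controller that module can query; the function name `Get-EffectiveAdminReport` and the 90-day threshold are hypothetical.

```powershell
# Added example: report every user who effectively holds administrator-level rights.
# Assumption: the ActiveDirectory module (RSAT) is installed and can reach a DC.
Import-Module ActiveDirectory

function Get-EffectiveAdminReport {
    param(
        [string]$BuiltinGroup = 'Administrators',  # the group in the Builtin folder
        [int]$StaleDays = 90                       # hypothetical review threshold
    )

    $domainSid = (Get-ADDomain).DomainSID.Value
    $cutoff    = (Get-Date).AddDays(-$StaleDays)

    # -Recursive expands nested groups (such as Domain Admins) into their user members.
    Get-ADGroupMember -Identity $BuiltinGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.SID -Properties LastLogonDate, MemberOf
            [pscustomobject]@{
                Account        = $u.SamAccountName
                Enabled        = $u.Enabled
                # RID 500 is the built-in Administrator, whatever it has been renamed to.
                IsBuiltinAdmin = ($u.SID.Value -eq "$domainSid-500")
                LastLogon      = $u.LastLogonDate
                Stale          = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                # Groups the account is a direct member of (shows how the rights were granted).
                DirectGroups   = ($u.MemberOf |
                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
            }
        }
}

$report = Get-EffectiveAdminReport
$report | Sort-Object Account | Format-Table -AutoSize

# A recent logon by the built-in Administrator means the shared account is still in use
# instead of individual accounts placed in Domain Admins.
$report | Where-Object { $_.IsBuiltinAdmin -and $_.Enabled -and -not $_.Stale } |
    ForEach-Object { Write-Warning "Built-in Administrator ($($_.Account)) last logged on $($_.LastLogon)" }

# Enabled admin accounts with no recent logon are candidates for removal from the group.
$report | Where-Object { $_.Enabled -and $_.Stale -and -not $_.IsBuiltinAdmin } |
    ForEach-Object { Write-Warning "Stale admin account: $($_.Account) via $($_.DirectGroups)" }
```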
