
Windows NT Groups

Primary groups exist so that every user is a member of at least one group (NT itself uses the primary group only for the POSIX subsystem and Services for Macintosh). A user's default primary group is Domain Users. A user cannot be removed from their current primary group, so the user must first be added to another global group and have that group set as primary before they can be removed from Domain Users. Domain groups are managed in the PDC's account database (with User Manager for Domains), although the tool can be run remotely.

Main Group Types


Groups cannot be renamed.

Local Groups - Exist only in the account database of the computer (or domain) that holds them and grant rights and permissions only there. A server's local administration can be performed only by members of its local Administrators group. Local groups may contain:
 o local user accounts
 o user accounts from this domain
 o user accounts from trusted domains
 o global groups from this domain
 o global groups from trusted domains
They may not contain other local groups.

Global Groups - Are defined in the domain's account database and can be used across domains: a global group can be placed in local groups of its own domain and of any domain that trusts it. They may contain:
 o user accounts from this domain only
They may not contain user accounts from trusted domains, and they may not contain groups.

Computers and Groups


Local groups can exist on workstations, member servers, and domain controllers (PDC and BDC); they reside on NT systems only (servers and workstations). NT workstations and member servers hold only local groups, in their own account database. Domain controllers hold both local and global groups.

Global groups are used throughout the domain and apply to every computer in the domain. Global groups reside only in the domain account database, i.e. on the PDC and BDCs. Because the PDC and all BDCs share one replicated account database, adding users or global groups to a local group on the PDC (for example the Backup Operators local group) grants that group's rights on the BDCs as well.

Therefore, to give a global group access on the domain controllers, it must be added to the appropriate local group there. Domain controllers come initially configured with some global groups as members of local groups; for example, DOMAIN ADMINS is a member of the local ADMINISTRATORS group. Only PDCs or BDCs can be used to create global groups unless the domain administration tools (User Manager for Domains) are installed on the workstation or member server. Global groups may contain:

 o Domain user accounts (i.e. accounts from this domain)

Special Groups created at installation time


These are special groups that do not appear in the group menu; the operating system assigns membership according to how the user connected, so they cannot be edited.
1. System - The security context in which the operating system and system services such as the web server run.
2. Everyone - All users on the local machine, in the domain, and in trusted domains.
3. Interactive - A user logged on at the local machine.
4. Network - Anyone who accesses this computer's resources over the network (remotely). It can be used to restrict remote users from reaching specific resources.
5. Creator/Owner - The owner of the resource.

NT Domain Global Groups

Domain Admins - Automatically a member of the local Administrators group on every machine that is a member of the domain, so domain administrators can remotely administer any machine in the domain. It initially contains the Administrator user account.
Domain Users - Contains all domain user accounts created in the domain. On the domain controllers this group is a member of the local Users group. It initially contains all users in the domain except Guest.
Domain Guests - Contains the domain Guest account.

Domain Controller Local Groups


Domain controllers share the same local groups, because the PDC and the BDCs share one replicated account database.

Account Operators - Can create and manage local and global groups and user accounts in the domain, and can shut down the domain controller. This group exists only on domain controllers.
Administrators - Those who administer the domain and the server. It initially contains the DOMAIN ADMINS global group.
Backup Operators - Those who can back up files to tape and restore them. This group is on all NT servers.
Print Operators - Can control the sharing of printers and shut down the domain controller.
Replicator - Used by the Directory Replicator service. This group is on all NT servers.
Server Operators - Can perform most server administration short of managing accounts and security policy: format the hard drive, back up or restore files and directories, create and control shared directories, control the sharing of printers, lock and unlock the server, shut down the domain controller locally or remotely, and modify the system time.
Users - Those who use the server.
Guests - Should be empty.

Administrators and Server Operators can create network shares. A password cannot be specified for an NT network share (unlike share-level security on Windows 9x); access is controlled by the share permissions and the NTFS permissions on the underlying directory.

Special Groups
Special groups are managed by the operating system; accounts cannot be added to or removed from them.

Everyone - Every user who connects, including users from trusted domains and anonymous (null-session) connections.
Guests - Anonymous users who do not have an account. Guests are part of the Everyone group, so be sure not to give the Everyone group access to sensitive data.


Adding a global group to a local group from another domain


1. Establish the appropriate trust relationship (the resource domain trusts the account domain).
2. Create the required local group on the resource(s) in the trusting domain.
3. Create the appropriate global group in the trusted domain and add the appropriate users to it.
4. In the trusting domain, double-click the local group created in step 2, select the trusted domain and the global group from step 3, and add the global group to the local group.
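The containment rules from the "Main Group Types" and "Computers and Groups" sections (local groups may hold users and global groups but never local groups; global groups hold only their own domain's accounts and no groups; nothing crosses a domain boundary without a trust) and the four-step cross-domain procedure above, modelled in Python. This is an added example and not part of the original notes: the domain names ACCT and RES, the users and the group names are invented. Groups are keyed by domain because every domain controller shares the same account database; a workstation's own local groups could be modelled the same way by treating the workstation as a "domain" that trusts its account domain.

```python
"""Model of the Windows NT 4 group containment and trust rules described in
these notes. Added example, not material from the original notes; the domain
names (ACCT, RES), users and group names are invented."""
from dataclasses import dataclass, field

LOCAL, GLOBAL = "local", "global"


@dataclass(eq=False)  # eq=False keeps Group hashable (by identity) for set lookups
class Group:
    name: str
    domain: str      # domain whose account database (PDC/BDC) holds the group
    kind: str        # LOCAL or GLOBAL
    members: list = field(default_factory=list)  # "DOMAIN\\user" strings or Groups


class NtDirectory:
    """Groups of several NT domains plus the one-way trusts between them."""

    def __init__(self) -> None:
        self.groups: list[Group] = []
        self.trusts: set[tuple[str, str]] = set()  # (trusting domain, trusted domain)

    def add_trust(self, trusting: str, trusted: str) -> None:
        self.trusts.add((trusting, trusted))

    def trusts_domain(self, trusting: str, trusted: str) -> bool:
        # A domain always accepts its own accounts; otherwise the trust is one-way.
        return trusting == trusted or (trusting, trusted) in self.trusts

    def create_group(self, name: str, domain: str, kind: str) -> Group:
        group = Group(name, domain, kind)
        self.groups.append(group)
        return group

    def add_member(self, group: Group, member) -> None:
        """Add a user ("DOMAIN\\name") or a Group, enforcing the nesting rules."""
        if isinstance(member, Group):
            if group.kind == GLOBAL:
                raise ValueError("global groups may contain only user accounts")
            if member.kind == LOCAL:
                raise ValueError("local groups may not contain other local groups")
            source = member.domain
        else:
            source = member.split("\\", 1)[0]
            if group.kind == GLOBAL and source != group.domain:
                raise ValueError("global groups hold only this domain's accounts")
        # A local group may hold accounts and global groups of its own domain or
        # of a domain it trusts; nothing may come from an untrusted domain.
        if not self.trusts_domain(group.domain, source):
            raise ValueError(f"{group.domain} does not trust {source}")
        group.members.append(member)

    def effective_groups(self, user: str, resource_domain: str,
                         logon: str = "network") -> set[str]:
        """Group names in the user's access token on a DC of resource_domain."""
        # Special groups come from the logon type, not from any group's membership.
        token = {"Everyone", "Network" if logon == "network" else "Interactive"}
        user_globals = {g for g in self.groups if g.kind == GLOBAL and user in g.members}
        token |= {f"{g.domain}\\{g.name}" for g in user_globals}
        for g in self.groups:
            if g.kind != LOCAL or g.domain != resource_domain:
                continue
            via_global = any(isinstance(m, Group) and m in user_globals for m in g.members)
            if user in g.members or via_global:
                token.add(g.name)
        return token


def demo() -> dict:
    """Walk through the four-step cross-domain procedure, then try each rule violation."""
    d = NtDirectory()
    d.add_trust("RES", "ACCT")                                   # step 1: RES trusts ACCT
    share_users = d.create_group("PayrollShare", "RES", LOCAL)   # step 2: resource domain
    payroll = d.create_group("Payroll", "ACCT", GLOBAL)          # step 3: account domain
    d.add_member(payroll, "ACCT\\alice")
    d.add_member(share_users, payroll)                           # step 4
    # Each of these violates one rule from the notes and must be rejected.
    attempts = [
        (payroll, "RES\\bob"),                                   # foreign user in a global group
        (payroll, share_users),                                  # any group inside a global group
        (share_users, d.create_group("Other", "RES", LOCAL)),   # local group inside a local group
        (d.create_group("Ops", "ACCT", LOCAL),
         d.create_group("Web", "RES", GLOBAL)),                  # ACCT does not trust RES
    ]
    errors = []
    for group, member in attempts:
        try:
            d.add_member(group, member)
        except ValueError as exc:
            errors.append(str(exc))
    return {
        "alice_on_RES": d.effective_groups("ACCT\\alice", "RES"),
        "bob_console_on_RES": d.effective_groups("RES\\bob", "RES", logon="interactive"),
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows alice arriving over the network with Everyone, Network, ACCT\Payroll and the RES local group PayrollShare in her token, while bob at the console of a RES server gets only Everyone and Interactive; the four rejected additions are the four rules the notes state.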

Administrator Rights

Access the security log.
Back up and restore files and directories.
Change time.
Control user rights.
Create and remove network shares.
Create and remove printer shares.
Create local groups and manage them.
Create global groups and manage them.
Create user accounts and manage them.
Format the hard drive on the server.
Keep a local profile on the server.
Log on locally.
Lock the server and bypass the lock.
Manage auditing.
Shut down the system locally or remotely.
Take ownership of files.
Use the network to access servers.

Server Operator Rights


Back up and restore files and directories.
Change time.
Create and remove network shares.
Create and remove printer shares.
Create local groups and manage them.
Keep a local profile on the server.
Log on locally.
Lock the server and bypass the lock.
Shut down the system locally or remotely.

Account Operator Rights


Add computer accounts to a domain.
Create local groups and manage them.
Create global groups and manage them.
Create user accounts and manage them.
Keep a local profile on the server.
Log on locally.
Shut down the system locally.
Account Operators cannot manage the Administrator account, the Administrators, Backup Operators, Server Operators, Print Operators or Account Operators local groups, any members of these groups, or any global groups contained in these groups. They cannot administer security policies.

Print Operator Rights


Create and remove printer shares.
Keep a local profile on the server.
Log on locally.
Shut down the system locally.

Backup Operator Rights


Back up and restore files and directories.
Keep a local profile on the server.
Log on locally.
Shut down the system locally.

Replicator Groups
Actual users are not placed in this group; it holds only the account under which the Directory Replicator service runs.

Local Group Rights

Add computers to the domain - Administrators and Server Operators. Use the "Add workstations and member servers to domain" user right to grant this ability to other users.
Audit log and security log viewing - Administrators
Back up and restore files and directories - Administrators, Server Operators, Backup Operators
Change time - Administrators, Server Operators
Load and unload device drivers - Administrators
Log on locally - Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
Shut the system down - Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
Shut the system down remotely - Administrators, Server Operators
Take ownership of files and folders - Administrators
