A group is a collection of user accounts that can be used to grant permissions or rights. Permissions control what users can do with a resource such as a file, folder or printer. Rights allow users to perform system tasks such as changing the system time, backing up files, logging on locally, etc.
Within a group you can add other groups (nesting), users and computers. Try to minimize the amount of nesting so that permissions stay easy to trace.
Within Windows 2000 there are two types of groups:
- Distribution groups. Applications such as Exchange 2000 can use distribution groups for non-security related purposes. Distribution groups cannot be used to set permissions and do not have a SID. Universal distribution groups are even available in mixed mode, but they can only be converted to universal security groups in native mode.
- Security groups. Security groups are used to assign permissions (e.g. on files and Exchange 2000 public folders) or to filter group policy settings, but they can also be used for non-security purposes such as sending e-mail (mail-enabled group). A security group can contain users, computers or other security groups. A security group has all the capabilities of a distribution group.
In native mode you can convert a security group to a distribution group and the other way around.
Microsoft recommends not putting more than 5000 accounts in a single group. If you need to add more accounts, nest other groups.
To determine where in the network a group can be used, you set a group scope:
Local groups are available on stand-alone servers, member servers and Windows 2000 Professional installations. The group can contain local accounts and is used to set rights and permissions. When the machine is part of a domain it can also contain accounts and groups from anywhere in the forest or from trusted domains. Local groups are managed via the Local Users and Groups console (lusrmgr.msc). They are also called machine local groups.
A domain local group is used to assign permissions or to set rights within the domain of the domain local group. In native mode, a domain local group can contain user accounts, computer accounts, global groups and universal groups from every domain in the forest or from trusted domains. It can also contain domain local groups of its own domain, and it can be switched to a universal group when it contains no nested domain local groups.
In mixed mode a domain local group can only contain user accounts and global groups from any domain, and domain local groups are then only available on domain controllers.
Domain local groups are managed via the Active Directory Users and Computers console (dsa.msc). You can move domain local groups within a domain.
The global catalogue does store domain local groups, but not their members. Outlook users in another domain therefore cannot view the members of the group.
Windows NT 4.0 shared local groups on domain controllers are migrated to domain local groups during an upgrade.
A global group is used to organize members with the same needs. A global group can contain user accounts and computer accounts from the domain of the global group. In native mode it can also contain other global groups from the same domain, and it can be converted to a universal group.
A global group can be used to set permissions directly, or (recommended) it can be made a member of a domain local group anywhere in the forest or within trusted domains. Global groups are managed via the Active Directory Users and Computers console (dsa.msc). You can move global groups within a domain.
The global catalogue does store global groups, but not their members. Outlook users in another domain cannot view the members of the group.
Universal groups appear in the global catalogue. They can contain user accounts, computer accounts, global groups and universal groups from every domain in the forest and from trusted domains, and they can be used to assign permissions to resources in every domain. Universal security groups are only available in native mode (universal distribution groups are available in mixed mode).
Universal groups can be moved to other domains, but they lose all their privileges when moved. They can be moved normally within a domain. Universal groups are managed via the Active Directory Users and Computers console (dsa.msc).
As the global catalogue stores universal groups together with their members, it is recommended to nest groups in them to reduce the replication traffic between global catalogue servers. Outlook users can view the full membership of universal groups (security issue!).
Depending on the network environment, there are two group strategies:
If you use a single domain, the best strategy is to use global groups and domain local groups:
1. Add users with common job responsibilities to a global group, e.g. accountants.
2. Identify the resource they need to access and create a domain local group for it, e.g. the color printers.
3. Identify all global groups that need access to that resource, e.g. accountants and management, and add them to the domain local group.
4. Assign the permissions to the domain local group.
If you store the accounts directly in a domain local group, you cannot use that group to assign permissions to resources outside the domain when the network grows. If you assign permissions directly to the global groups, you have to assign permissions to each global group separately when the network grows.
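The four steps of the single-domain strategy, as an added example that is not code from the original page: it uses the ActiveDirectory PowerShell module (a later tool than the Windows 2000 consoles), and the OU, group names, user names and the shared folder used as the resource are assumptions.

```powershell
# Added example, not code from the original page: the single-domain strategy
# above (users -> global group -> domain local group -> permission) implemented
# with the ActiveDirectory PowerShell module, a later tool than the Windows 2000
# consoles. The OU, group names, user names and shared folder are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$groupOu  = "OU=Groups,$($domain.DistinguishedName)"   # assumed OU for groups
$resource = '\\FILESRV\Finance$'                        # assumed resource

# Step 1: users with common job responsibilities go into global groups.
foreach ($role in 'Accountants', 'Management') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -SamAccountName $role -Path $groupOu `
            -GroupScope Global -GroupCategory Security -Description "Role: $role"
    }
}
Add-ADGroupMember -Identity 'Accountants' -Members 'alice', 'bob'   # assumed users

# Step 2: one domain local group per resource and access level.
$dl = 'Finance-Share-Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$dl'")) {
    New-ADGroup -Name $dl -SamAccountName $dl -Path $groupOu `
        -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify access to $resource"
}

# Step 3: nest every global group that needs the resource in that domain local group.
Add-ADGroupMember -Identity $dl -Members 'Accountants', 'Management'

# Step 4: put the permission on the domain local group only, never on users
# or on the role groups, so that an access change stays a membership change.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$($domain.NetBIOSName)\$dl", 'Modify',
                  'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $resource
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# Verify: every non-inherited ACE on the resource should name a group, not a user.
(Get-Acl -Path $resource).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```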
In a domain tree you can use universal groups to assign permissions:
1. Add all users with the same needs to global groups.
2. Add the global groups to universal groups.
3. Assign permissions to the universal groups.
4. Only use universal groups whose membership is static, to prevent large amounts of replication data.
When creating a group, you have to enter the following items:
- Name of the new group. This name must be unique in the domain.
- Downlevel (pre-Windows 2000) name of the new group. Filled in automatically.
- Group scope: global, domain local or universal.
- Group type: security or distribution.
- Group members.
Group scopes can be changed:
- A domain local group can be converted to a universal group if the group does not contain another domain local group.
- A global group can be converted to a universal group if the group is not a member of another global group.
- Windows 2000 must be in native mode to support universal groups.
- If Windows 2000 is in mixed mode, only global groups can be added to domain local groups. In native mode you have more nesting options and you can use multiple levels of nesting.
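The two conversion rules above, checked before a scope change is attempted, as an added example that is not code from the original page; it uses the ActiveDirectory PowerShell module and the group name is an assumption.

```powershell
# Added example, not code from the original page: check the two conversion
# rules above (no nested domain local group; not a member of a global group)
# before changing a group's scope to Universal with Set-ADGroup.
# Uses the ActiveDirectory module; the group name is an assumption.
Import-Module ActiveDirectory

function Test-UniversalConversion {
    param([Parameter(Mandatory)][string]$Identity)

    $group    = Get-ADGroup -Identity $Identity -Properties MemberOf
    $blockers = @()

    switch ($group.GroupScope) {
        'DomainLocal' {
            # Rule: no nested domain local group may remain as a member.
            $blockers = Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -eq 'group' } |
                Get-ADGroup |
                Where-Object { $_.GroupScope -eq 'DomainLocal' } |
                ForEach-Object { "contains domain local group $($_.Name)" }
        }
        'Global' {
            # Rule: the group must not be a member of another global group.
            $blockers = $group.MemberOf |
                Get-ADGroup |
                Where-Object { $_.GroupScope -eq 'Global' } |
                ForEach-Object { "is a member of global group $($_.Name)" }
        }
        'Universal' { $blockers = 'is already universal' }
    }

    [pscustomobject]@{
        Group      = $group.Name
        Scope      = $group.GroupScope
        CanConvert = (@($blockers).Count -eq 0)
        Blockers   = @($blockers)
    }
}

$check = Test-UniversalConversion -Identity 'Accountants'   # assumed group
if ($check.CanConvert) {
    # The domain itself must also be in native mode (or a later functional level).
    Set-ADGroup -Identity $check.Group -GroupScope Universal
} else {
    Write-Warning "Cannot convert $($check.Group): $($check.Blockers -join '; ')"
}
```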
When you create a domain, Windows 2000 also adds the following domain local groups:
- Account Operators. Members can add, delete and modify user accounts and groups. They cannot modify the Administrators, Server Operators, Account Operators, Print Operators and Backup Operators groups. (Rights: log on locally, shut down the system, keep a local profile.) By default the group has no members. The fqdn is domain/Builtin/Account Operators.
- Server Operators. Members can share disk resources and back up and restore files on a domain controller. (Rights: log on locally, change the system time, shut down, force remote shutdown, back up/restore, lock the server, override the lock, format the server, create common groups, keep a local profile, share/stop sharing directories, share/stop sharing printers.) By default the group has no members. The fqdn is domain/Builtin/Server Operators.
- Print Operators. Members can set up and manage network printers on domain controllers. (Rights: log on locally, shut down the server, keep a local profile, share/stop sharing printers.) By default the group has no members. The fqdn is domain/Builtin/Print Operators.
- Administrators. Members can perform all administrative tasks. By default the group contains the Administrator account, the Domain Admins global group and the Enterprise Admins group. The fqdn is domain/Builtin/Administrators.
- Guests. Members can only perform tasks for which you have granted rights. They cannot make permanent changes to their desktop. By default the Guest account, the global group Domain Guests, the IUSR_machine account, the IWAM_machine account and the TSInternetUser account are members of the group. The fqdn is domain/Builtin/Guests.
- Backup Operators. Members can back up and restore all domain controllers using Windows Backup. (Rights: log on locally, shut down the system, back up/restore files and directories, keep a local profile.) By default the group has no members. The fqdn is domain/Builtin/Backup Operators.
- Users. Members can only perform tasks for which you have granted rights. By default the global group Domain Users is a member of this group, as are the Authenticated Users and Interactive system groups. The fqdn is domain/Builtin/Users.
- Pre-Windows 2000 Compatible Access. Members have read access to all user and group information in the domain. By default the group has no members. The fqdn is domain/Builtin/Pre-Windows 2000 Compatible Access.
- DHCP Administrators. Members can manage the DHCP service. By default the group has no members. The fqdn is domain/Users/DHCP Administrators.
- DHCP Users. Members have read-only access to the DHCP service. By default the group has no members. The fqdn is domain/Users/DHCP Users.
- DNSAdmins. Members can manage the DNS service. By default the group has no members. The fqdn is domain/Users/DNSAdmins.
- Replicator. This group is used to start directory replication. Only the accounts that start these replications should be in this group. By default it has no members. The fqdn is domain/Builtin/Replicators.
- RAS and IAS Servers. This group contains the Remote Access Servers and the Internet Authentication Service servers of the domain. It provides access to the remote access properties of users. By default it has no members. The fqdn is domain/Users/RAS and IAS Servers.
- WINS Users. Members can view WINS information. By default it has no members. The fqdn is domain/Users/WINS Users.
When you create a domain, Windows 2000 creates the following built-in global groups:
- Domain Users. By default the Administrator account is in this group, and all new accounts are added to it automatically. The group is by default a member of the built-in domain local group Users. The fqdn is domain/Users/Domain Users.
- Domain Admins. By default the Administrator account is a member of this group. The group is added to the built-in domain local group Administrators. The fqdn is domain/Users/Domain Admins.
- Domain Guests. By default the Guest account is a member of this group. The group is added to the domain local group Guests and provides limited access to the users within it. The fqdn is domain/Users/Domain Guests.
- Cert Publishers. Members can manage enterprise certification and renewal agents. By default the group has no members. The fqdn is domain/Users/Cert Publishers.
- DNSUpdateProxy. Members have the right to perform dynamic DNS updates on behalf of other clients, e.g. DHCP servers. By default the group has no members. The fqdn is domain/Users/DNSUpdateProxy.
- Domain Computers. This group contains all workstations and servers that are part of the domain. The fqdn is domain/Users/Domain Computers.
- Domain Controllers. This group contains all domain controllers of the domain. The fqdn is domain/Users/Domain Controllers.
- Group Policy Creator Owners. Members have permission to modify group policy for the domain. By default it only contains the Administrator account. The fqdn is domain/Users/Group Policy Creator Owners.
- Enterprise Admins. By default the Administrator account is a member of this group. You can add accounts to this group to give administrative rights for the whole network. The fqdn is domain/Users/Enterprise Admins.
- Schema Admins. Members have the rights to modify the Active Directory schema. By default it only contains the Administrator account. The fqdn is domain/Users/Schema Admins.
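A membership audit of the built-in groups listed above against the defaults the page documents (operator groups empty, Schema Admins and Enterprise Admins holding only the Administrator account), as an added example that is not code from the original page; it uses the ActiveDirectory PowerShell module and the expected memberships are taken from the page, not from a live domain.

```powershell
# Added example, not code from the original page: compare the built-in groups
# listed above with the default membership the page documents, so that any
# delegation to an operator group or to Schema/Enterprise Admins stands out
# during a review. Uses the ActiveDirectory module; run it in each domain.
Import-Module ActiveDirectory

# Groups the page describes as having no members by default.
$shouldBeEmpty = 'Account Operators', 'Server Operators', 'Print Operators',
                 'Backup Operators', 'Pre-Windows 2000 Compatible Access',
                 'DnsAdmins', 'Cert Publishers', 'DNSUpdateProxy'
# Groups the page describes as containing only the Administrator account.
$adminOnly = 'Schema Admins', 'Enterprise Admins', 'Group Policy Creator Owners'

function Get-GroupAuditRow {
    param([string]$Name, [string[]]$Expected)
    $group = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $group) { return }   # Schema/Enterprise Admins exist only in the forest root
    # -Recursive expands nested groups, so an account nested two levels deep
    # still counts as holding the group's rights.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    $unexpected = @($members | Where-Object { $Expected -notcontains $_ })
    $status = 'OK'
    if ($unexpected.Count -gt 0) { $status = 'REVIEW' }
    [pscustomobject]@{
        Group      = $group.Name
        Scope      = $group.GroupScope
        Members    = $members.Count
        Unexpected = ($unexpected -join ', ')
        Status     = $status
    }
}

$report = @(
    $shouldBeEmpty | ForEach-Object { Get-GroupAuditRow -Name $_ -Expected @() }
    $adminOnly     | ForEach-Object { Get-GroupAuditRow -Name $_ -Expected 'Administrator' }
)
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```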
On stand-alone servers, member servers and Windows 2000 Professional computers, the following local groups are created by default:
- Users. Members can only perform tasks for which you have granted rights. When the computer joins a domain, the global group Domain Users becomes a member of this group. By default it contains all local accounts on the machine, Authenticated Users and Interactive.
- Administrators. Members can perform all administrative tasks on the computer. When the machine joins a domain, the Domain Admins group is added to this group. By default only the Administrator account is a member.
- Guests. Members can only perform tasks for which you have granted rights. They cannot make permanent changes to their desktop. By default the Guest account, the IUSR_machine account, the IWAM_machine account and the TSInternetUser account are members of this group. When the computer joins a domain, the Domain Guests group is added to this group.
- Backup Operators. Members can back up and restore the computer. By default it contains no users.
- Power Users. Members can create and modify local user accounts and share resources. They can only modify the accounts they created themselves. By default it contains no users.
- Replicator. Used for file replication within a domain.
These are the most used built-in system groups in Windows 2000:
- Everyone. Includes all users who access the computer. In Windows 2000 the group contains anonymous users, authenticated users and the Guest account. In Windows XP this group does not contain anonymous users. (This can be changed via the local security policy Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users.)
- Authenticated Users. All users with a valid user account on the computer or in Active Directory. Use this group instead of the Everyone group.
- Creator Owner. The user account that created or took ownership of a resource. If a member of the Administrators group created the resource, the Administrators group is the owner of the resource.
- Interactive. The user account of the user who is logged on to the computer.
- Anonymous Logon. Any user that Windows 2000 did not authenticate (e.g. FTP).
- Dialup. Any user who currently has a dial-up connection.
- Network. All users connected to the computer over the network.
- System. The operating system.
- Batch. An account that logged on as a batch job.
- Service. An account that logged on as a service.
- TSInternetUser. Used by the Internet Connector licence for Terminal Server. The account is a member of the local Guests group. Its password is changed automatically on a daily basis.
Within Active Directory Users and Computers you can do the following things with a group:
- Send mail to the members of a distribution or security group.
- Move the group to another OU or domain.
You can view or modify information on the following tabs:
- General tab. Enter the group name (pre-Windows 2000), description, e-mail address, the group scope and type (domain local, global or universal; security or distribution) and notes.
- Members tab. Enter or view the members of the group.
- Member Of tab. Displays the groups in which this group is nested. You can also nest the group in other groups here.
- Managed By tab. Shows the information of the person selected to manage the group. The person mentioned in this tab does not get any extra administrative privileges by being entered here.
- Object tab. Shows the fully qualified domain name, the object class, the creation and modification dates, the original USN and the current USN.
- Security tab. Sets the access permissions on the group object. By default Domain Admins, Enterprise Admins, Account Operators and SYSTEM have full control, the Administrator account has read and write permissions, and the SELF group, the Pre-Windows 2000 Compatible Access group and Authenticated Users have read access.
Last update: 15 February 2003