Configuring, Managing, and Troubleshooting Users and Groups
When you grant rights to domain users, the best practice is to use the AGDLP method. This means that you place Accounts in Global groups. Then you place the Global groups into Domain Local groups, to which you grant (or deny) Permissions.When a permission is explicitly denied to a user or group, even if the user is a member of another group where the same permission is explicitly granted, the Deny permission overrides all others and the user is not allowed access.Whenever a user requests authorization to use a prohibited object or resource, the user sees an Access Is Denied message.Table 26 lists Windows XP local groups, and includes their default access, default local members, and default domain members.
Table 26. Default Local Groups in Windows XP Professional
Local GroupDefault AccessDefault Members LocallyDefault Domain Members When Joined to a DomainAdministratorsUnrestricted access to the computerAdministratorDomain Admins Global GroupBackup OperatorsAccess to run Windows Backup and sufficient access rights that override other rights when performing backupN/AN/AGuestsLimited only to explicitly granted rights and restricted usage of computerGuestDomain Guests Global group IUSR_machinePower UsersCreate\modify local user accounts, share resourcesN/AN/ARemote Desktop UsersLimited to accessing the computer via a remote desktop connection plus any explicitly granted rights and restricted usage of computerN/AN/AUsersLimited to use of the computer, personal files and folders, and explicitly granted rightsAll newly created users NT Authority\Authenticated Users special built-in group NT Authority\ Interactive special built-in groupDomain Users Global groupTable 27 lists Windows XP built-in special groups, and includes their default access, default local members, and default domain members.
Table 27. Built-in Special Groups in Windows XP Professional
Built-in GroupDefault AccessDefault Members LocallyDefault Domain Members When Joined to a DomainAnonymous LogonNot provided any default access rightsUser accounts that Windows XP cannot authenticate locallyN/AAuthenticated UsersNot given any default access rightsAll users with valid local user accounts on this computerAll Active Directory users in the computer's domain or any trusted domainCreator OwnerDesignated full control over resources created or taken over by a member of the Administrators groupAdministrators groupN/ADialupNo specific rights; this group is not shown on systems without configured modems and dial-up connectionsAll users who have connected to the computer with a dial-up connectionN/AEveryoneFull Control is the default permission granted for all files and folders on NTFS volumes; you must remove this permission to implicitly deny accessAll users who access the computerN/AInteractiveNo specific rightsAll users who have logged on locally to the computerN/ANetworkNo specific rightsAll users who have established a connection to this computer's shared resource from a remote network computerN/AWatch out for Audit policy questions that embed the FAT32-formatted disk into the question. FAT file systems do not support auditing. You can audit only an NTFS-formatted volume.You cannot select Fast User Switching when your computer is a member of a domain or if you have enabled Offline Files.You can add a .NET Passport only in the Control Panel User Accounts applet.To configure the Local Group Policy, open the MMC console, click the File menu, click Add/Remove Snap-Ins, click Add, and select the Group Policy Editor snap-in. When asked to select the location of the GPO, select Local Computer.You can display a user's actual rights to use a file by looking at the Effective Permissions tab of the Advanced Security options.Cached credentials enable faster logons and single signons.You can disable cached credentials in Group Policy by setting the Interactive Logon: Number of Previous Logons to Cache (in Case Domain Controller Is Not Available) policy to 0 logons.
لطفا منتظر باشید ...
