Lesson 4: Understanding Default Groups - MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]


Jill Spealman









Lesson 4: Understanding Default Groups



Windows 2000 has four categories of default groups: predefined, built-in, built-in local, and special identity. Default groups have a predetermined set of user rights or group membership. User rights determine the system tasks that a user or member of a default group can perform. This lesson explains how default groups are used.



After this lesson, you will be able to


Describe the Windows 2000 default groups



Estimated lesson time: 15 minutes


Predefined Groups



Windows 2000 creates predefined groups with a global scope to group common types of user accounts. By default, Windows 2000 automatically adds members to some predefined global groups. You can add user accounts to these predefined groups to provide additional users with the privileges and permissions that you assign to the group.


When you create a domain, Windows 2000 creates predefined global groups in the Users folder in Active Directory. By default, these predefined groups do not have any inherent rights. You assign rights by either adding the global groups to domain local groups or explicitly assigning user rights or permissions to the predefined global groups.


The Users container contains the predefined global groups in a domain. Table 8.6 describes the default membership of the most commonly used predefined global groups.


Table 8.6 Default Membership of Commonly Used Predefined Global Groups








Predefined Global Group | Description
Domain Admins | Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group so that members of Domain Admins can perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member.
Domain Guests | Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group. By default, the Guest account is a member.
Domain Users | Windows 2000 automatically adds Domain Users to the Users built-in domain local group. By default, the Administrator, Guest, IUSR_computername, IWAM_computername, Krbtgt, and TsInternetUser accounts are initially members, and each new domain user account is automatically a member.
Enterprise Admins | You can add user accounts to Enterprise Admins for users who should have administrative control for the entire network. Then, add Enterprise Admins to the Administrators domain local group in each domain. By default, the Administrator account is a member.


Built-In Groups



Windows 2000 creates built-in groups with a domain local scope in the Builtin folder in Active Directory. These groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory. Built-in domain local groups give predefined rights and permissions to user accounts when you add user accounts or global groups as members.


The Builtin container holds the built-in domain local groups in a domain. Table 8.7 describes the most commonly used built-in domain local groups and the capabilities that the members have.


Table 8.7 Commonly Used Built-In Domain Local Global Groups













Built-In Domain Local Group | Description
Account Operators | Members can create, delete, and modify user accounts and groups; members cannot modify the Administrators group or any of the operators groups.
Administrators | Members can perform all administrative tasks on all domain controllers and the domain itself. By default, the Administrator user account and the Domain Admins and Enterprise Admins predefined global groups are members.
Backup Operators | Members can back up and restore all domain controllers by using Windows Backup.
Guests | Members can perform only tasks for which you have granted rights; members can gain access only to resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.
Pre-Windows 2000 Compatible Access | A backward compatibility group that allows read access for all users and groups in the domain. By default, only the Everyone pre-Windows 2000 system group is a member.
Print Operators | Members can set up and manage network printers on domain controllers.
Replicator | Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
Server Operators | Members can share disk resources and back up and restore files on a domain controller.
Users | Members can perform only tasks for which you have granted rights, and gain access only to resources for which you have assigned permissions. By default, the Authenticated Users and INTERACTIVE pre-Windows 2000 groups and the Domain Users predefined global group are members. Use this group to assign permissions and rights that every user with a user account in your domain should have.


Built-In Local Groups



All stand-alone servers, member servers, and computers running Windows 2000 Professional have built-in local groups. Built-in local groups give users the rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows 2000 places the built-in local groups into the Groups folder in the Local User Manager snap-in.


Table 8.8 describes the capabilities that members of the most commonly used built-in local groups have. Except where noted, there are no initial members in these groups.


Table 8.8 Commonly Used Built-In Local Groups










Built-In Local Group | Description
Administrators | Members can perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Admins predefined global group to the local Administrators group.
Backup Operators | Members can use Windows Backup to back up and restore the computer.
Guests | Members can perform only tasks for which you have specifically granted rights, and can gain access only to resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member. When a member server or a computer running Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Guests predefined global group to the local Guests group.
Power Users | Members can create and modify local user accounts on the computer and share resources.
Replicator | Supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.
Users | Members can perform only tasks for which you have specifically granted rights, and can gain access only to resources for which you have assigned permissions. By default, Windows 2000 adds local user accounts that you create on the computer to the Users group. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Users predefined global group to the local Users group.


Special Identity Groups



Special identity groups exist on all computers running Windows 2000. These groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see special identity groups when you administer groups, but they are available for use when you assign rights and permissions to resources. Windows 2000 bases special identity group membership on how the computer is accessed, not on who uses the computer. Table 8.9 describes the most commonly used special identity groups.


Table 8.9 Commonly Used Special Identity Groups











Special Identity Group | Description
Anonymous Logon | Includes any user account that Windows 2000 did not authenticate.
Authenticated Users | Includes all users with a valid user account on the computer or in Active Directory. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.
CREATOR OWNER | Includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is the owner of the resource.
Dialup | Includes any user who currently has a dial-up connection.
Everyone | Includes all users who access the computer. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 will authenticate a user who does not have a valid user account as Guest. The user automatically gets all rights and permissions that you have assigned to the Everyone group. The Everyone group is assigned full control to many resources by default.
Interactive | Includes the user account for the user who is logged on at the computer. Members of the Interactive group gain access to resources on the computer at which they are physically located. They log on and gain access to resources by "interacting" with the computer.
Network | Includes any user with a current connection from another computer on the network to a shared resource on the computer.
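
The default nesting in Tables 8.6 and 8.7 and the Everyone caution in Table 8.9 can be checked together. The following Python model is an added example, not part of the book: it resolves effective membership through nested groups and lists the ACL entries that reach a caller logged on as Guest. The account jsmith, the two ACLs, and the function names are constructed for illustration.

```python
# Added example: constructed model of the direct default members in Tables 8.6 and 8.7.
DEFAULT_MEMBERS = {
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Domain Guests": {"Guest"},
    "Domain Users": {"Administrator", "Guest", "IUSR_computername",
                     "IWAM_computername", "Krbtgt", "TsInternetUser"},
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Guests": {"Guest", "IUSR_computername", "IWAM_computername",
               "TsInternetUser", "Domain Guests"},
    "Users": {"Authenticated Users", "INTERACTIVE", "Domain Users"},
    "Pre-Windows 2000 Compatible Access": {"Everyone"},
}

def paths_to(target, members, _suffix=None):
    """Map every principal effectively in `target` to the nesting paths that put it there."""
    suffix = (target,) if _suffix is None else _suffix
    found = {}
    for m in sorted(members.get(target, ())):
        if m in suffix:  # circular nesting: do not loop
            continue
        found.setdefault(m, []).append((m,) + suffix)
        if m in members:  # m is itself a group, so descend into it
            for who, paths in paths_to(m, members, (m,) + suffix).items():
                found.setdefault(who, []).extend(paths)
    return found

def guest_exposure(acl, members, guest_enabled):
    """ACEs that apply to a caller with no valid account. Per Table 8.9 such a
    caller is logged on as Guest and holds Everyone, but only if Guest is enabled."""
    if not guest_enabled:
        return []
    token = {"Guest", "Everyone"}
    return [(trustee, perm) for trustee, perm in acl
            if trustee in token or token & set(paths_to(trustee, members))]

# Constructed ACLs: the weak one uses Everyone, the corrected one Authenticated Users.
WEAK_ACL = [("Everyone", "Full Control"), ("Pre-Windows 2000 Compatible Access", "Read")]
FIXED_ACL = [("Authenticated Users", "Change"), ("Administrators", "Full Control")]

if __name__ == "__main__":
    # jsmith is a hypothetical account added to Domain Admins.
    model = {**DEFAULT_MEMBERS, "Domain Admins": {"Administrator", "jsmith"}}
    for who, paths in sorted(paths_to("Administrators", model).items()):
        print(who, [" -> ".join(p) for p in paths])
    print("weak :", guest_exposure(WEAK_ACL, DEFAULT_MEMBERS, guest_enabled=True))
    print("fixed:", guest_exposure(FIXED_ACL, DEFAULT_MEMBERS, guest_enabled=True))
```

With the defaults as listed in Table 8.6, the model also shows Guest reaching the Users group through Domain Users, so an entry granted to Users is reported as exposed while Guest is enabled.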


Lesson Summary



In this lesson you learned that Windows 2000 has four categories of default groups: predefined, built-in, built-in local, and special identity. You also learned that default groups have a predetermined set of user rights or group membership. Windows 2000 creates these groups for you so you don't have to create groups and assign rights and permissions for commonly used functions.

