HP 9000 Networking: Advanced Server/9000 Concepts and Planning Guide > Chapter 3 Working with User and Group Accounts

Managing Group Accounts

Group accounts are collections of user accounts. Giving a user account membership in a group gives that user all the rights and permissions granted to the group. Group membership provides an easy way to grant common capabilities to sets of users.

Using Groups to Assign User Capabilities

Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally will want to use groups to manage access to resources such as directories, files, or printers. To assign permissions or rights to a set of users, assign the permissions or rights to a group and then grant membership in the group to each of the users.

NOTE: When assigning user capabilities, remember to take advantage of the built-in groups provided with Advanced Server/9000 which have been granted useful collections of rights and capabilities. For example, members of the Administrators group have administrative capabilities in the domain and over the servers of the domain.

Two types of groups can be maintained in an Advanced Server domain: local groups and global groups.

Global Groups

A global group contains a number of user accounts from one domain that are grouped together under one group account name. A global group can contain only user accounts from the domain in which the global group is created. After a global group is created, it can be granted permissions and rights in its own domain, on workstations or member servers, or in trusting domains. However, it is best to grant rights and permissions to local groups and use the global group as the method for adding users to local groups.

Global groups can be added to local groups in the same domain, to domains that trust that domain, or to member servers or computers running Windows NT Workstation in the same or a trusting domain. Global groups only contain domain user accounts. You cannot create a global group on a computer running Windows NT Workstation or on computers running Windows NT Server as a member server.

The "global" in "global group" indicates that the group is available to receive rights and permissions in multiple (global) domains.

A global group can contain only user accounts; it cannot contain local groups or other global groups.

Local Groups

A local group contains user accounts and global group accounts from one or more domains, grouped together under one group account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. Local groups make it possible to quickly assign rights and permissions for the resources on one domain (that is, the local domain) to users and groups from that domain and other domains that it trusts.

Local groups also exist on member servers and computers running Windows NT Workstation, and can contain user accounts and global groups.

The "local" in "local groups" indicates that the group is available to receive permissions and rights in only a single (local) domain.

A local group cannot contain other local groups.

The following table summarizes how the two types of groups are used.

If                                              | Need to be used in                                                                           | You can put them in
------------------------------------------------|----------------------------------------------------------------------------------------------|--------------------
User accounts from this domain                  | The domain controllers, member servers, and workstations of this domain, or of other domains | A global group
User accounts from this domain or other domains | The domain controllers of this domain                                                        | A local group
Global groups from this domain or other domains | The domain controllers of this domain                                                        | A local group

Strategies for Using Groups

A local group is a single security entity that can be granted access to many objects in a single location (a domain, or a workstation or member server).

With global groups you can group user accounts which might be granted permissions to use objects on multiple domains and workstations.

For example, in a multiple-domain setting, you can think of global groups as a means of adding users to the local groups of trusting domains. To extend users' rights and permissions to resources on other domains, add their accounts to a global group in your domain and then add the global group to a local group in a trusting domain.

Even if you maintain a single domain, keep in mind that additional domains may be added in the future. You can use global groups added to local groups for granting all rights and permissions. Later, if another domain is created, the rights and permissions assigned to your local groups can be extended to a new domain's users by creating a trust relationship and adding global groups from the new domain to your local groups. Likewise, if the new domain trusts your domain, your global groups can be added to the new domain local groups.

Domain global groups can also be used for administrative purposes on computers running Windows NT Workstation or on member servers running Windows NT Server. For example, the Domain Admins global group is added by default to the Administrators built-in local group on each workstation or member server that joins the existing domain. Membership in the workstation or member server local Administrators group enables the network administrator to manage the computer remotely by creating program groups, installing software, and troubleshooting computer problems.

The following table provides some guidelines for using global and local groups:

Purpose of group                                                                             | Use    | Comments
---------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Group users of this domain into a single unit for use in other domains or user workstations | Global | The global group can be put into local groups or given permissions and rights directly in other domains.
Need permissions and rights only in one domain                                               | Local  | The local group can contain users and global groups from this and other domains.
Need permissions on computers running Windows NT Workstation or on member servers            | Global | A domain's global groups can be given permissions on these computers, but a domain's local groups cannot.
Contain other groups                                                                         | Local  | The local group can contain global groups and users; however, no group can contain other local groups.
Include users from multiple domains                                                          | Local  | The local group can be used in only the domain in which it is created. If you need to be able to grant this local group permissions in multiple domains, you must create the local group manually in every domain in which you need it.

For information about trust relationships, see Chapter 2, "Managing Advanced Server Domains."

Built-in Local Groups—Controlling What Users Can Do

Being a member of one of the built-in local groups of a domain gives a user rights and capabilities to perform various tasks on the domain controllers in the domain. Similarly, being a member of a built-in local group on a member server or workstation gives the user rights and capabilities on that computer.

You can add a user to more than one built-in group. For example, a user in both the Print Operators and Backup Operators groups has all the rights granted to print operators and all the rights granted to backup operators.

However, not every built-in local group exists on both kinds of computer: the set of built-in local groups on Advanced Server and Windows NT Server domain controllers differs from the set on Windows NT Workstation and member server computers. The following table shows which built-in local groups exist on domain controllers and on individual computers.

Advanced Server and Windows NT Server domain controllers | Windows NT Workstations and member servers
---------------------------------------------------------|-------------------------------------------
Administrators                                           | Administrators
Backup Operators                                         | Backup Operators
Server Operators                                         | Power Users
Account Operators                                        | Users
Print Operators                                          | Guests
Users                                                    | Replicator
Guests                                                   |
Replicator                                               |

By default, every new domain user (global or local) is a member of the Domain Users global group, which is a member of the Users built-in local group. Each new workstation or member server user is a member of the Users built-in local group on the computer.

In general, you will want to add administrator users for a domain to the Domain Admins global group rather than adding them directly to the Administrators local group. By adding users to Domain Admins, they are also administrators on workstations and member servers.

The following table presents the built-in rights with comments about the specific actions the rights allow, as well as which local groups have the rights by default on both domain controllers and on workstations and member servers.

User right                               | Comments                                                                                                                                                                                                                 | Granted to (domain controllers)                                                                  | Granted to (workstations and member servers)
-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------
Manage auditing and security log         | Specify what types of file and object access are to be audited. View and clear the security log.                                                                                                                         | Administrators                                                                                   | Administrators
Back up files and directories            |                                                                                                                                                                                                                          | Administrators, Server Operators, Backup Operators                                               | Administrators, Backup Operators
Restore files and directories            | This right supersedes file permissions; a user with the Restore right can overwrite files for which he or she has no permissions, when performing a restore.                                                             | Administrators, Server Operators, Backup Operators                                               | Administrators, Backup Operators
Change the system time                   |                                                                                                                                                                                                                          | Administrators, Server Operators                                                                 | Administrators, Power Users
Access this computer from network        | Access the computer from another computer on the network.                                                                                                                                                                | Administrators, Everyone                                                                         | Administrators, Power Users, Everyone
Log on locally                           | Ability to log on at the computer itself on the computer's keyboard.                                                                                                                                                     | Administrators, Server Operators, Account Operators, Print Operators, Backup Operators            | Administrators, Backup Operators, Power Users, Users, Guests
Shut down the system                     |                                                                                                                                                                                                                          | Administrators, Server Operators, Account Operators, Print Operators, Backup Operators            | Administrators, Backup Operators, Power Users, Users
Add workstations to the domain           | Allows a user who is not a member of the domain's Administrators group to add computers running Windows NT Workstation or computers running Advanced Server or Windows NT Server as member servers to the domain.        | None (1)                                                                                         | N/A
Take ownership of files or other objects | Take ownership of files and directories on the computer.                                                                                                                                                                 | Administrators                                                                                   | Administrators
Load and unload device drivers           |                                                                                                                                                                                                                          | Administrators                                                                                   | Administrators
Force shutdown from a remote system      | This right gives a user no capabilities in this version of Windows NT but will be supported in future upgrades of the operating system.                                                                                  | Administrators, Server Operators                                                                 | Administrators, Power Users

(1) Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain.
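The table above is easiest to reason about as a set union: an account holds every right granted to any group it belongs to, plus whatever Everyone holds, because anyone using the computer is in Everyone. The following script is an added example, not code from the HP guide. It transcribes the table's default assignments, computes the effective rights of a membership set on either kind of computer, applies the footnote about Administrators and Account Operators, and reports which groups hold the two rights the guide describes as overriding file permissions or ownership. The sample memberships are constructed.

```python
"""Effective user rights from built-in local group membership (added example).

DEFAULT_HOLDERS transcribes the guide's table of default right holders.
Everyone is counted implicitly for every account; the Add-workstations
footnote is applied on domain controllers. Sample inputs are constructed.
"""
DC, WS = "domain controller", "workstation or member server"

ADMIN = {"Administrators"}
DC_OPERATORS = {"Administrators", "Server Operators", "Account Operators",
                "Print Operators", "Backup Operators"}

# right -> {computer type: default holder groups}; None means not applicable there
DEFAULT_HOLDERS = {
    "Manage auditing and security log": {DC: ADMIN, WS: ADMIN},
    "Back up files and directories": {
        DC: {"Administrators", "Server Operators", "Backup Operators"},
        WS: {"Administrators", "Backup Operators"}},
    "Restore files and directories": {
        DC: {"Administrators", "Server Operators", "Backup Operators"},
        WS: {"Administrators", "Backup Operators"}},
    "Change the system time": {
        DC: {"Administrators", "Server Operators"},
        WS: {"Administrators", "Power Users"}},
    "Access this computer from network": {
        DC: {"Administrators", "Everyone"},
        WS: {"Administrators", "Power Users", "Everyone"}},
    "Log on locally": {
        DC: DC_OPERATORS,
        WS: {"Administrators", "Backup Operators", "Power Users", "Users", "Guests"}},
    "Shut down the system": {
        DC: DC_OPERATORS,
        WS: {"Administrators", "Backup Operators", "Power Users", "Users"}},
    "Add workstations to the domain": {DC: set(), WS: None},
    "Take ownership of files or other objects": {DC: ADMIN, WS: ADMIN},
    "Load and unload device drivers": {DC: ADMIN, WS: ADMIN},
    "Force shutdown from a remote system": {
        DC: {"Administrators", "Server Operators"},
        WS: {"Administrators", "Power Users"}},
}

# Rights the guide describes as superseding file permissions or ownership.
ACL_BYPASSING = {"Restore files and directories",
                 "Take ownership of files or other objects"}

# Footnote to the table: these groups can always add workstations to the domain.
ALWAYS_ADD_WORKSTATIONS = {"Administrators", "Account Operators"}


def holders(right, on):
    """Groups that hold `right` by default on a computer of type `on` (None if N/A)."""
    groups = DEFAULT_HOLDERS[right][on]
    if groups is None:
        return None
    if on == DC and right == "Add workstations to the domain":
        return groups | ALWAYS_ADD_WORKSTATIONS
    return set(groups)


def effective_rights(memberships, on):
    """Union of the rights of every group the account is in, Everyone included."""
    groups = set(memberships) | {"Everyone"}
    result = set()
    for right in DEFAULT_HOLDERS:
        who = holders(right, on)
        if who and groups & who:
            result.add(right)
    return result


def acl_bypass_review(on):
    """Least-privilege check: who can override file permissions on this computer type."""
    return {right: sorted(holders(right, on)) for right in sorted(ACL_BYPASSING)}


if __name__ == "__main__":
    # The guide's own example: an account in both Print Operators and Backup Operators.
    for right in sorted(effective_rights({"Print Operators", "Backup Operators"}, DC)):
        print("domain controller:", right)
    print(acl_bypass_review(DC))
```

Because Backup Operators already carry the Restore right, which bypasses file permissions, a review of who sits in that group on the domain controllers is worth as much attention as a review of the Administrators group.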

The following sections describe the purpose and capabilities of each built-in local group:

Administrators

The Administrators local group in a domain, on a computer running Windows NT Workstation, or on a member server has full control over its computer. The Administrators local group is the only group that automatically is granted every built-in right and ability. Administrators manage the overall configuration of the domain and the domain's controllers.

By default, the Domain Admins global group is also a member of the Administrators local group, but it can be removed.

In Advanced Server, the "Access this computer from network" user right cannot be revoked from the Administrators local group.

Users

Users logged on as members of the Users local group cannot log on locally at servers running Windows NT Server. However, they do possess certain rights at their local workstations and can perform most necessary tasks.

By default the Domain Users global group is a member of the Users local group, but it can be removed.

Guests

The Guests local group allows occasional or one-time users to log on to a workstation's built-in Guest account interactively (local guest logon) or to a domain's built-in Guest account remotely (network guest logon), and be granted limited capabilities. Users logged on as members of the Guests local group have no rights at domain servers. However, they do have certain rights at their individual workstations. By default, the Domain Guests global group is a member of the Guests local group, but it can be removed.

For information about the Guest account, see "Built-in Guest User Account" earlier in this chapter.

Account Operators

Members of the Account Operators local group can use User Manager for Domains to create user accounts and groups for the domain and to modify or delete most user accounts and groups of the domain. Account Operators can also log on to domain servers, can shut down Windows NT domain servers, and can use Server Manager to add computers to a domain.

However, an account operator cannot modify or delete the Domain Admins global group, nor the Administrators, Account Operators, Backup Operators, Print Operators, or Server Operators local groups or any global groups belonging to these local groups. Account operators cannot modify the accounts of members of any of these groups and cannot administer security policies.

Backup Operators

Members of the Backup Operators local group can back up and restore files on Advanced Server/9000 and Windows NT primary and backup domain controllers.

Print Operators

Members of the Print Operators local group can create, delete, and manage printer shares on the domain's primary and backup domain controllers. They can also log on at these servers, and shut them down.

Server Operators

Members of the Server Operators local group can manage the domain's primary and backup domain controllers. For example, they can create, delete, and manage printer shares at these servers; create, delete and manage network shares, and change the system time.

Members of the Server Operators local group cannot manage domain security.

Replicator

The Replicator local group supports directory replication functions. The only member of the domain's Replicator local group should be the domain user account used to log on to the Directory Replicator service on the primary domain controller and the backup domain controllers in the domain. Do not add the user accounts of actual users to this group.

For information about directory replication, see Chapter 5, "Managing Shared Resources and Resource Security."

Special Groups

In addition to the built-in groups mentioned, other groups are created by the system and are used for special purposes. Because the memberships of these groups cannot be altered, the groups are not listed in User Manager for Domains.

However, when you administer a computer and Advanced Server/9000 presents lists of groups, these special groups sometimes appear in the list. For example, they can appear when assigning permissions to directories, files, shared network directories, or printers.

Group         | Refers to
--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Everyone      | Anyone using the computer. This includes all local and remote users (that is, the Interactive and Network groups combined). In a domain, members of Everyone can by default access the network, connect to a server's shared network directories, and print to a server's printers.
Interactive   | Anyone using the computer locally.
Network       | All users connected over the network to the computer.
System        | The operating system.
Creator Owner | Transfer of permissions to creators of subdirectories, files, and print jobs. For a directory, if permissions are granted to the Creator Owner group, the creator of a subdirectory or file will be granted those permissions for that subdirectory or file. For a printer, if permissions are granted to the Creator Owner group, the creator of a print job will be granted those permissions for that print job.

Using Administrators and Operators — An Example

Suppose a medium-sized group is deciding how to assign its technical staff to the various administrator and operator groups. (It is recommended that at least one member of either the Administrators or Server Operators group be present during all hours that people are using the network.)

  • At least one person must have an administrator account. Members of the Administrators group are ultimately responsible for planning and maintaining network security for the department. If desired, members of the domain's Administrators group can administer users' Windows NT Workstation computers.

  • People responsible for hiring new or temporary employees, or for helping newly hired people get started would be good candidates for the Account Operators group. They can create domain accounts for the new employees and put these accounts in the appropriate groups.

  • If the domain's Administrators group has few members, assign at least one additional person to the Server Operators group. This group keeps the domain servers running. Accordingly, members of this group can shut down servers, set the system time on servers, lock and override the lock of servers, share directories and printers on the server, and format its hard disks.

  • If printing documents quickly is important, add several capable people to the Print Operators group to ensure that printer problems can always be addressed quickly.

Built-in Global Groups: Automatic Memberships in Local Groups

On a domain's primary and backup domain controllers, three global groups are built in: Domain Admins, Domain Users, and Domain Guests. None of these groups can be deleted.

Domain Admins

The Domain Admins global group is initially a member of the Administrators local group for the domain and of the Administrators local group for every computer in the domain running Windows NT Server or Windows NT Workstation.

The built-in Administrator user account is a member of the Domain Admins global group. It also is a member of the Administrators local group and cannot be removed.

Because of these memberships, a user logged on as an administrator can administer the domain, the primary and backup domain controllers, and every computer running Windows NT Server or Windows NT Workstation in the domain. (However, to prevent Domain Admins from administering a particular workstation or a server that is not a domain controller, remove the Domain Admins global group from that computer's Administrators group.)

To provide administrative-level capabilities to a new account, add the account to the Domain Admins global group. Members of this group can administer the domain, the servers and workstations of the domain, and a trusting domain that has added the Domain Admins global group from this domain to the Administrators local group in the trusting domain.

For information about using global groups, see "Strategies for Using Groups" earlier in this chapter.

Domain Users

The Domain Users global group initially contains the domain's built-in Administrator account. By default, all new accounts created thereafter in the domain are added to the Domain Users group, unless you specifically remove them.

The Domain Users global group is, by default, a member of the Users local group for the domain and of the Users local group for every computer in the domain running Windows NT Workstation or member servers running Windows NT Server.

Because of these memberships, users of the domain have normal user access to and capabilities for the domain and the computers in the domain running Windows NT Workstation and Windows NT Server as a member server. (However, you can prevent Domain Users from being granted this access on a particular workstation or on a server that is not a domain controller by removing the Domain Users global group from that computer's Users group.)

Domain Guests

The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you might want to add those accounts to the Domain Guests group and remove them from the Domain Users group.

The Domain Guests global group is a member of the domain's Guests local group.

Global group  | Initial contents | Who can modify (1)
--------------|------------------|----------------------------------
Domain Admins | Administrator    | Administrators
Domain Users  | Administrator    | Administrators, Account Operators
Domain Guests | Guest            | Administrators, Account Operators

(1) None of these groups can be deleted.

Creating New Groups

To create and define additional groups, use User Manager for Domains:

  • Create new local groups for granting permissions to resources.

  • Create new global groups to organize users based on the type of work they do.

For example, suppose you have a color printer in your domain, and you want to restrict access to it:

  1. Create a local group that has permission to print on the color printer.

  2. Create a global group consisting of users who are allowed to use the color printer.

  3. Add the global group to the local group.

  4. Add or remove people who can use the printer by changing the membership of the global group.

If you want members of this group to be able to use a printer connected to a particular workstation or member server, add the global group to the local group that governs printing on that computer. Likewise, if a color printer is available on a trusting domain, you can place your global group into a local group in that domain.
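The color-printer procedure above, together with the nesting and trust rules from "Global Groups", "Local Groups" and "Strategies for Using Groups", can be captured in a small model. The script below is an added example and is not code from the HP guide: it refuses the membership changes the guide says are not permitted (a group inside a global group, a local group inside a local group, a member from a domain that is not trusted) and resolves which local groups a user lands in on a domain's controllers through global-group membership, including in a trusting domain. The domain, group and user names are constructed.

```python
"""Nesting and trust rules for global and local groups (added example, not HP code).

Domains, trusts, users and groups below are constructed for illustration.
Members of local groups are written as "DOMAIN\\name".
"""
from dataclasses import dataclass, field


class GroupPolicyError(ValueError):
    """A membership change that the nesting or trust rules forbid."""


@dataclass
class Domain:
    name: str
    trusts: set = field(default_factory=set)           # domains this domain trusts
    users: set = field(default_factory=set)
    global_groups: dict = field(default_factory=dict)   # name -> set of user names
    local_groups: dict = field(default_factory=dict)    # name -> set of "DOMAIN\\member"


class Network:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name, trusts=()):
        self.domains[name] = Domain(name, set(trusts))
        return self.domains[name]

    def _resolve(self, qualified):
        """Split 'DOMAIN\\name' into the Domain object and the bare name."""
        dom, sep, name = qualified.partition("\\")
        if not sep or dom not in self.domains:
            raise GroupPolicyError(f"{qualified!r} is not a known DOMAIN\\name")
        return self.domains[dom], name

    def add_to_global(self, domain, group, user):
        """A global group holds only user accounts of its own domain."""
        d = self.domains[domain]
        if user not in d.users:
            raise GroupPolicyError(
                f"{domain}\\{user} is not a user account of {domain}; "
                "global groups cannot hold other groups or foreign users")
        d.global_groups.setdefault(group, set()).add(user)

    def add_to_local(self, domain, group, member):
        """A local group holds users and global groups from its own domain or a
        domain it trusts; it never holds another local group."""
        d = self.domains[domain]
        src, name = self._resolve(member)
        if src.name != domain and src.name not in d.trusts:
            raise GroupPolicyError(f"{domain} does not trust {src.name}")
        if name in src.local_groups:
            raise GroupPolicyError("a local group cannot contain a local group")
        if name not in src.users and name not in src.global_groups:
            raise GroupPolicyError(f"{member!r} is neither a user nor a global group")
        d.local_groups.setdefault(group, set()).add(member)

    def effective_local_groups(self, domain, user):
        """Local groups on `domain`'s controllers that `user` ('DOMAIN\\name')
        belongs to, directly or through a global group of the user's own domain."""
        d = self.domains[domain]
        src, name = self._resolve(user)
        principals = {user} | {f"{src.name}\\{g}"
                               for g, members in src.global_groups.items() if name in members}
        return sorted(lg for lg, members in d.local_groups.items() if principals & members)


def build_example():
    """Colour-printer scenario: ENGINEERING owns the users; SALES trusts
    ENGINEERING and reuses ENGINEERING's global group in a local group of its own."""
    net = Network()
    eng = net.add_domain("ENGINEERING")
    net.add_domain("SALES", trusts={"ENGINEERING"})
    eng.users |= {"alice", "bob"}
    net.domains["SALES"].users.add("carol")
    net.add_to_global("ENGINEERING", "ColorPrinterUsers", "alice")
    net.add_to_local("ENGINEERING", "ColorPrinting", "ENGINEERING\\ColorPrinterUsers")
    net.add_to_local("SALES", "ColorPrinting", "ENGINEERING\\ColorPrinterUsers")
    return net


def rejected_changes(net):
    """Attempt the changes the guide forbids; return the reason each was refused."""
    attempts = [
        lambda: net.add_to_global("ENGINEERING", "ColorPrinterUsers", "ColorPrinting"),   # group in global
        lambda: net.add_to_local("ENGINEERING", "AllPrinting", "ENGINEERING\\ColorPrinting"),  # local in local
        lambda: net.add_to_local("ENGINEERING", "ColorPrinting", "SALES\\carol"),  # untrusted domain
    ]
    reasons = []
    for attempt in attempts:
        try:
            attempt()
        except GroupPolicyError as exc:
            reasons.append(str(exc))
    return reasons


if __name__ == "__main__":
    net = build_example()
    print("alice on SALES controllers:", net.effective_local_groups("SALES", "ENGINEERING\\alice"))
    for reason in rejected_changes(net):
        print("refused:", reason)
```

Note that the trust check is one-directional: SALES trusts ENGINEERING, so ENGINEERING\ColorPrinterUsers can be placed in a SALES local group, but SALES\carol cannot be placed in an ENGINEERING local group until ENGINEERING trusts SALES. Removing alice from the global group revokes her printer access in both domains at once, which is the point of the pattern the guide recommends.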

For information about managing resource permissions, see Chapter 5, "Managing Shared Resources and Resource Security."

When adding a group you will be asked to provide a group name. It must be unique to the domain or to the computer being administered. A global group name can contain up to 20 characters. It can also contain any uppercase or lowercase characters except the following:

" / \ [ ] : ; | = , + * ? < >

A local group name can contain up to 256 characters. It can also contain any uppercase or lowercase characters except the backslash character (\). A global group name cannot consist solely of periods (.) and spaces.

NOTE: When a group name is displayed and when the distinction is necessary, Advanced Server identifies the domain or workstation the group is from by presenting the name in the form DOMAINNAME\groupname or COMPUTERNAME\groupname. For example, a group named Managers from a domain named Engineering would be displayed as ENGINEERING\Managers.
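The naming rules above (length limits, the forbidden characters, the period-and-space rule, uniqueness, and the DOMAINNAME\groupname display form) are easy to get wrong in scripts that create groups in bulk. The following validator is an added example, not code from the HP guide; it encodes only the rules stated above. Treating uniqueness as case-insensitive is an assumption of this example, and the existing names it is tested against are constructed.

```python
"""Group-name checks from the guide (added example, not HP code).

Validates a proposed global or local group name against the length and
character rules stated in the text, and parses the DOMAINNAME\\groupname
display form. Case-insensitive uniqueness is an assumption of this example.
"""
GLOBAL_MAX_LEN = 20
LOCAL_MAX_LEN = 256
GLOBAL_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # the characters listed in the guide
LOCAL_FORBIDDEN = {"\\"}                       # only the backslash is forbidden locally


def _check(name, max_len, forbidden, existing, apply_dots_spaces_rule):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > max_len:
        problems.append(f"longer than {max_len} characters ({len(name)})")
    bad = sorted(set(name) & forbidden)
    if bad:
        problems.append("contains forbidden characters: " + " ".join(bad))
    if apply_dots_spaces_rule and set(name) <= {".", " "}:
        problems.append("consists solely of periods and spaces")
    if name.lower() in {e.lower() for e in existing}:   # assumed case-insensitive
        problems.append("not unique in this domain or computer")
    return problems


def validate_global_group_name(name, existing=()):
    return _check(name, GLOBAL_MAX_LEN, GLOBAL_FORBIDDEN, existing, True)


def validate_local_group_name(name, existing=()):
    return _check(name, LOCAL_MAX_LEN, LOCAL_FORBIDDEN, existing, False)


def parse_qualified_name(display):
    """'ENGINEERING\\Managers' -> ('ENGINEERING', 'Managers'); a bare name gets scope None."""
    scope, sep, group = display.partition("\\")
    return (scope, group) if sep else (None, display)


def display_name(scope, group):
    """Render as the guide shows it: domain or computer name upper-cased, then backslash."""
    return f"{scope.upper()}\\{group}"


if __name__ == "__main__":
    # Constructed candidates: the third is 21 characters long.
    for candidate in ["Managers", "Sales/Marketing", "Color Printer Users 2", "..."]:
        print(repr(candidate), validate_global_group_name(candidate, existing=["Managers"]))
    print(parse_qualified_name(display_name("Engineering", "Managers")))
```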

To create a new group, either copy an existing group or create a completely new one. By copying, you ensure that the new group has the same members as the original group. However, the permissions and rights of the original group are not copied to the new group.

Creating a New Global Group

To create a new global group, give the group a name and then add members (user accounts in the local domain) to it.

NOTE: When Low Speed Connection is chosen on the Options menu in User Manager for Domains, global groups cannot be created, modified, or copied.

For information about managing global groups, see "Creating a New Global Group," "Copying a Global Group," and "Managing Global Group Properties" in User Manager for Domains Help.

Creating a New Local Group

To create a new local group, give the group a name and then add members (user accounts and global groups from the local domain or a trusted domain) to it.

For information about managing local groups, see "Creating a New Local Group," "Copying a Local Group," and "Managing Local Group Properties" in User Manager for Domains Help.

Changing a Group's Membership or Description

You can add or remove members of a local group or a global group, or change its description, by selecting the group in User Manager for Domains and clicking Properties on the User menu.

For information about adding, removing, or changing group members, see "Managing Global Group Properties" and "Managing Local Group Properties" in User Manager for Domains Help.

Granting Rights to a Local Group

You can grant or revoke rights to and from users and groups. You cannot control other capabilities directly. They are granted to some built-in local groups when Advanced Server/9000, Windows NT Server, or Windows NT Workstation is installed. The only way for you to grant a user one of these built-in capabilities is to make that user a member of the appropriate local group. For example, the only way to allow a person to create user accounts on a domain is to add that person's account to either the Administrators or Account Operators local group on the domain.

The built-in capabilities of local groups for workstations and member servers, as well as for domain controllers, are listed in "Built-in Local Groups — Controlling What Users Can Do" earlier in this chapter. On Advanced Server domains, rights are granted and restricted on the domain level; if a group has a right in a domain, its members have that right on all primary and backup domain controllers in the domain. On each Windows NT Workstation computer and on each Windows NT Server computer that is not a domain controller, rights granted apply only to that single computer.

  • When you create new local groups in a domain, User Manager for Domains is used to grant rights to the group.

  • When you create new local groups on a workstation or member server, User Manager (or User Manager for Domains remotely) is used to grant rights to the group.

The User Rights command on the Policies menu lets you grant user rights to local groups. The User Rights Policy dialog box lists each right selected and the groups that have it. You can add or remove groups from the Grant To list.

For information about granting user rights, see "Managing the User Rights Policy" in User Manager for Domains Help.

Deleting a Group

Groups created with User Manager for Domains can be deleted, but the built-in groups provided with Advanced Server/9000, Windows NT Server, and Windows NT Workstation cannot. Deleting a group removes only that group; it does not delete the user accounts or global groups that are members of the deleted group.

A deleted group cannot be recovered, so be sure you want to delete a group before you do so. When you delete a group, the SID for the group account is deleted, and SIDs are used only once. For this reason, resource permissions associated with the group cannot be reestablished by creating a new group using the same account name.

For information about deleting groups, see "Deleting a Local Group" and "Deleting a Global Group" in User Manager for Domains Help.

© 1997 Hewlett-Packard Development Company, L.P.