70-282 Exam Cram: Built-in groups [Microsoft Small Business Specialist Primer book excerpt]

Built-in Groups

The Built-In container (located in Active Directory Users and Computers) houses the following groups, which are all domain local groups and cannot be moved to another container or OU. They are created by default in Windows Server 2003 with the following rights:

Account Operators – Members of this group can administer domain user and group accounts, log on locally, and shut down domain controllers. Account Operators cannot modify the Administrators or Domain Admins groups and accounts.


Administrators – Members of this group have full access to the domain or computer. By default, this group contains the Domain Admins and Enterprise Admins groups and the Administrator user account.

Backup Operators – Members of this group can back up or restore files without being limited by file permissions. Backup Operators can also log on locally and shut down domain systems.

Guests – Members of this group have the same permissions and rights as the Users group by default. The Guest user account is disabled by default. The Guests group contains the Domain Guests group as a member.

Incoming Forest Trust Builders – Members of this group can create incoming, one-way trust relationships to this forest. This group appears only in the root domain of the forest.

Network Configuration Operators – Members of this group can change the TCP/IP settings on domain controllers in the domain.

Performance Monitor Users – Members of this group can monitor performance counters on domain controllers in the domain.

Performance Log Users – Members of this group can manage performance counters, logs, and alerts on domain controllers in the domain.

Pre-Windows 2000 Compatible Access – Members of this group have read access to all users and groups in the domain. This group provides backward compatibility for computers running versions of Windows earlier than Windows 2000, such as Windows NT 4. The Everyone group is a member of this group by default.

Print Operators – Members of this group have the appropriate rights to administer printers connected to domain controllers and shared printer objects in Active Directory. Print Operators can also log on locally and shut down domain systems.

Remote Desktop Users – Members of this group are granted the right to log on remotely using a terminal session.


Chapter 6: Securing Windows Small Business Server 2003

Replicator – A system group account used for file replication in a domain, this group has no members—and you should not add them, either.

Server Operators – Members of this group can administer shared resources on domain servers, start and stop certain services, and format hard disks. Additionally, members of this group have the same rights Backup Operators have.

Users – Members of this group have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes.

The Users container includes domain local, global, and universal groups that can be moved to other OUs if needed. A list of the groups and their rights follows:

Cert Publishers – Members of this group can publish digital certificates for users and computers.

DnsAdmins – Members of this group have permission to administer DNS.

DnsUpdateProxy – Members of this group can act as a DNS proxy for clients. A DHCP server that handles dynamic updates for DHCP clients should be a member of this group.

Domain Admins – Members of this group have full control of the domain. This group is a member of the Administrators group on all domain members, including domain controllers. The Administrator user account is a member of this group by default.

Domain Computers – This group contains all the computer accounts of the clients and servers joined to the domain.

Domain Controllers – This group contains all domain controllers in the domain.

Domain Guests – This group contains all domain guests.

Domain Users – This group contains all domain users. When you create a new user account in the domain, it will automatically become a member of the Domain Users group.


Enterprise Admins – Members of this group have full control of all domains in the forest. This group is a member of the Administrators group on all domain controllers in the forest. The Administrator user account is a member of this group by default.

Group Policy Creator Owners – Members of this group can modify Group Policy settings in the domain. The Administrator user account is a member of this group by default.

IIS_WPG – A system group account used by Internet Information Services (IIS) 6.0.

RAS and IAS Servers – Servers in this group have access to the remote access properties of users. This group is used for IAS servers that perform authentication for a collection of RRAS servers.

Schema Admins – Members of this group can modify the Active Directory schema. The Administrator user account is a member of this group by default.

There are also some special groups that do not belong to either container but allow you to assign permissions to users:

Everyone – Includes everyone with a user account.

Anonymous Logon – Includes everyone without a user account.

Network – Includes users who are currently logged on to a computer over the network. This is the opposite of the Interactive group.

Interactive – Includes users who are currently logged on to the local computer. This is the opposite of the Network group.

Domain groups are only created on domain controllers. They enable centralized administration within a domain and are used to grant users permissions to resources and rights for system tasks on any computer in the domain.
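
The default memberships stated in the list above can serve as a baseline when reviewing a domain. The following PowerShell sketch is an added example, not part of the book excerpt: it compares a membership snapshot against those defaults and flags additions. The function name `Compare-GroupBaseline`, the severity labels, and the sample snapshot (including the accounts `svc-backup` and `jsmith`) are constructed for illustration.

```powershell
# Default members exactly as stated in the list above (page-derived baseline).
$Baseline = @{
    'Administrators'                     = @('Domain Admins', 'Enterprise Admins', 'Administrator')
    'Guests'                             = @('Domain Guests')
    'Pre-Windows 2000 Compatible Access' = @('Everyone')
    'Replicator'                         = @()    # "no members, and you should not add them"
    'Domain Admins'                      = @('Administrator')
    'Enterprise Admins'                  = @('Administrator')
    'Group Policy Creator Owners'        = @('Administrator')
    'Schema Admins'                      = @('Administrator')
}
# Special identities from the list that cover very broad populations.
$BroadIdentities = @('Everyone', 'Anonymous Logon')

function Compare-GroupBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Snapshot,   # group name -> current member names
        [hashtable] $Expected = $Baseline
    )
    foreach ($group in ($Expected.Keys | Sort-Object)) {
        $want = @($Expected[$group])
        $have = if ($Snapshot.ContainsKey($group)) { @($Snapshot[$group]) } else { @() }
        foreach ($m in $have) {
            if ($m -notin $want) {
                # Broad identities, or anything in a group that should be empty, rank highest.
                $sev = if ($m -in $BroadIdentities -or $want.Count -eq 0) { 'High' } else { 'Review' }
                [pscustomobject]@{ Group = $group; Member = $m; Finding = 'Not a default member'; Severity = $sev }
            }
        }
        foreach ($m in $want) {
            if ($m -notin $have) {
                [pscustomobject]@{ Group = $group; Member = $m; Finding = 'Default member missing'; Severity = 'Info' }
            }
        }
    }
}

# Constructed sample snapshot. On a live domain it could be collected per group,
# for example with Get-ADGroupMember from the ActiveDirectory module (assumption).
$Snapshot = @{
    'Administrators'                     = @('Domain Admins', 'Enterprise Admins', 'Administrator', 'svc-backup')
    'Guests'                             = @('Domain Guests')
    'Pre-Windows 2000 Compatible Access' = @('Everyone', 'Anonymous Logon')
    'Replicator'                         = @('jsmith')
    'Domain Admins'                      = @('Administrator')
    'Enterprise Admins'                  = @('Administrator')
    'Group Policy Creator Owners'        = @('Administrator')
    'Schema Admins'                      = @()
}
Compare-GroupBaseline -Snapshot $Snapshot | Format-Table -AutoSize
```

With the sample data this reports `svc-backup` in Administrators for review, `Anonymous Logon` in Pre-Windows 2000 Compatible Access and `jsmith` in Replicator as high, and the missing `Administrator` in Schema Admins as informational.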
