Explain built groups windows 2000 pro


















The six basic built-in local groups and their functions are as follows:

Windows Administration in a Nutshell by.

Name: built-in group. Synopsis: A special group that is created during installation of Windows Server.

Another built-in account that you may see is TSInternetUser. This account is used by Terminal Services.

Two predefined user accounts are installed with Windows: Administrator and Guest. With workstations and member servers, predefined accounts are local to the individual system they're installed on. Predefined accounts have counterparts in Active Directory. These accounts have domain-wide access and are completely separate from the local accounts on individual systems. Administrator is a predefined account that provides complete access to files, directories, services, and other facilities.

You can't delete or disable this account. In Active Directory, the Administrator account has domain-wide access and privileges. Otherwise, the Administrator account generally has access only to the local system. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.

Tip: To prevent unauthorized access to the system or domain, be sure to give the account an especially secure password. Also, because this is a known Windows account, you may want to rename the account as an extra security precaution.

In most instances you won't need to change the basic settings for this account. However, you may need to change its advanced settings, such as membership in particular groups. You'll find more information on these groups in the next section. Real World: In a domain environment, you'll use the local Administrator account primarily to manage the system when you first install it. This allows you to set up the system without getting locked out.

You probably won't use the account once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group.

This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts. For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties.

Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer. Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account. Whenever you use this account, you open the system to potential security problems. The potential is so great that the account is initially disabled when you install Windows. Tip: If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly.

As with the Administrator account, you may want to rename the account as an added security precaution. Built-in groups are installed with all Windows workstations and servers. Use the built-in groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group. For example, you give a user administrative access to the system by making a user a member of the local Administrators group.

You give a user administrative access to the domain by making a user a member of the domain local Administrators group in Active Directory. The availability of a specific built-in group depends on the current system configuration. Use Table to determine the availability of the various built-in groups. Each of these groups is discussed later in the chapter. Predefined groups are installed with Active Directory domains.

Use these groups to assign additional permissions to users, computers, and other groups. Predefined groups include domain local, global, and universal groups. The availability of a specific built-in group depends on the domain configuration. Use Table to determine the availability of the various predefined groups. Key predefined groups are discussed later in this chapter. Note: The group scope for Enterprise Admins and Schema Admins can be either universal or global, depending on the operations mode.

In mixed mode, these are global groups. In native mode, these are universal groups. In Windows NT, implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource. For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive.

In Windows, the object-based approach to the directory structure changes the original rules for implicit groups. While you still can't view the membership of special identities, you can grant membership in implicit groups to users, groups, and computers. To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions. As with other default groups, the availability of a specific implicit group depends on the current configuration.

Cannot be nested. Not Available. It is called Builtin. The Built-in groups are groups that Windows creates for you. They have a predetermined set of user rights and group membership, and can be used to assign permissions to network resources. You can find Built-in groups in the Builtin folder and in the Users folder.

Take the user Account (A) and place it in a Global group (G), then take the global group and place it into a Domain Local group (DL), after which you assign Permissions (P) to the domain local group. Of course, always following this method is not practical.

You have to use common sense and judgment when assigning groups to permissions. The above is just an official Microsoft guideline.

Special Identities

There are also some special groups, referred to as Identities, because they are managed by the system and not by administrators. They are also automatically installed on all Windows computers. Here are the special identities:

Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, they are automatically added to the Everyone group.

Network: Represents users currently accessing a given resource over the network, as opposed to users who access a resource by logging on locally at the computer where the resource is located. Whenever a user accesses a given resource over the network, they are automatically added to the Network group.

Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer, as opposed to users who access the resource over the network. Whenever a user accesses a given resource on the computer to which they are currently logged on, they are automatically added to the Interactive group.

Authenticated User: The Authenticated User group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated User group in place of the Everyone group to prevent anonymous access to resources.

For example, if the User Jack created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.

These groups can be assigned permissions to network resources, although caution should be used when assigning some of these groups to permissions. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions to a share for the Everyone Group, users connecting from other domains will have access to the share.
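To find where the Everyone identity has been granted access, so those entries can be reviewed against the guidance above, the following added example (not part of the original page) walks a folder tree and reports every Allow entry for Everyone. It assumes Windows PowerShell 3.0 or later and an NTFS path; `Find-EveryoneGrant` and the sample path are hypothetical names.

```powershell
# Added example (not from the original page): list NTFS permissions granted to
# the Everyone special identity so they can be reviewed and, where appropriate,
# replaced with Authenticated Users.
# Assumptions: Windows PowerShell 3.0 or later; Find-EveryoneGrant is a
# hypothetical helper name; the path passed in is a folder on an NTFS volume.
function Find-EveryoneGrant {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Well-known SIDs are the same on every system and in every display language.
    $everyoneSid = 'S-1-1-0'    # Everyone
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    # Audit the folder itself plus everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }

        # Ask for SIDs instead of names so the match does not depend on locale.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -eq $everyoneSid -and
                $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example call on a constructed path; explicit (non-inherited) grants sort first.
# Find-EveryoneGrant -Path 'D:\Shares\Public' | Sort-Object Inherited | Format-Table -AutoSize
```

Share-level permissions are stored separately from NTFS ACLs, so a share that grants access to Everyone needs its own review.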

Computer accounts, users, global groups and universal groups from any domain. Only users, computers and global groups from same domain. Universal groups, global groups, users and computers from any domain in the forest. Computer accounts, users, global groups from any domain. Only users and computers from same domain.


