CHAPTER 11
SETTING UP AND MANAGING GROUPS
*** THERE ARE NO GLOBAL GROUPS IN WINDOWS 2000 PROFESSIONAL ****
Understanding Groups
A group is a collection of user accounts. Groups simplify administration by allowing you to assign
permissions and rights to a group of users rather than having to assign permissions to each individual
user account.
Permissions control what users can do with a resource, such as a folder, file or printer.
When you assign permissions, you give users the capability to gain access to a resource, and you
define the type of access that they have. For example, if several users need to read the same file,
you would add their user accounts to a group. Then you would give the group permission to read
the file.
Rights allow users to perform system tasks, such as changing the time on a computer, backing up or
restoring files, or logging on locally.
When adding members to a group, remember that users can be members of multiple groups. A group
contains a list of members with references to the actual user accounts. Therefore, users can be members
of more than one group.
Understanding Local Groups
A local group is a collection of user accounts on a computer. Use local groups to assign permissions to
resources residing on the computer on which the local group is created.
=====================================================================
winpro11.html PAGE
2 2001/12/07
Preparing to Use Local Groups
Guidelines for using Local Groups include the following:
Use local groups on computers that don’t belong to a domain.
You can use local groups only on the computer where you create the local groups.
Although local groups are available on member servers and domain computers running
Windows 2000 Professional, don’t use local groups on computers that are part of a domain.
Local groups don’t appear in directory services based on Active Directory technology,
and you have to administer local groups separately for each computer.
You can assign permissions to local groups for access to only the resources on the computer
where you create the local groups.
NOTE: You can’t create local groups on domain controllers because domain controllers cannot
have a security database that is independent of the database in Active Directory directory services.
Membership rules for local groups include the following:
local groups.
Creating Local Groups
Use the Computer Management snap-in to create local groups.
You can create a local group by doing the following:
NOTE: The group name must be unique and can contain up to 256 characters; however, a long
name may not be displayed in the window.
Deleting Local Groups
Use the Computer Management snap-in to delete local groups. Each group that you create has a
unique, nonreusable identifier. Windows 2000 uses this value to identify the group and the
permissions that are assigned to it. When you delete a group, Windows 2000 doesn’t use the
identifier again, even if you create a new group with the same name as the group that you deleted.
When you delete a group, you delete only the group and remove the permissions and rights that are
associated with it. Deleting a group doesn’t delete the user accounts that are members of the group.
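The identifier behaviour described above can be observed directly. This is an added example, not part of the original notes: it assumes a later Windows release with the PowerShell LocalAccounts cmdlets (which Windows 2000 does not have), an elevated session on a test machine, and the constructed names DemoAuditors and group-sid-demo.

```powershell
# Run elevated on a test machine. 'DemoAuditors' and the folder are constructed names.
$name   = 'DemoAuditors'
$folder = Join-Path $env:TEMP 'group-sid-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Create the group and give it Read permission on the folder.
$first = New-LocalGroup -Name $name -Description 'identifier demo'
$acl   = Get-Acl -LiteralPath $folder
$rule  = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $first.SID, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# 2. Delete the group, then create a new group with the same name.
Remove-LocalGroup -Name $name
$second = New-LocalGroup -Name $name -Description 'identifier demo (recreated)'

# 3. Same name, different identifier (SID).
[pscustomobject]@{
    FirstSid  = $first.SID.Value
    SecondSid = $second.SID.Value
    Reused    = ($first.SID.Value -eq $second.SID.Value)
}

# 4. The entry written in step 1 names the first identifier, so the
#    recreated group is granted nothing by it and must be assigned
#    permissions again.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -LiteralPath $folder).GetAccessRules($true, $false, $sidType) |
    ForEach-Object { $_.IdentityReference.Value }
[pscustomobject]@{
    OldIdentifierListed = ($granted -contains $first.SID.Value)
    NewGroupListed      = ($granted -contains $second.SID.Value)
}

# 5. Clean up the demonstration objects.
Remove-LocalGroup -Name $name
Remove-Item -LiteralPath $folder -Recurse -Force
```

Because the stale entry keeps the old identifier, access reviews after a group deletion should look for permission entries whose identifier no longer resolves to a name.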
Adding Members to a Group
To add members to a group that has already been created, start the Computer Management snap-in
and expand Local Users and Groups. Click Groups, and right-click Properties.
IMPORTANT:
The Shift key allows you to select a consecutive range of accounts, while the Ctrl key allows you to
pick some accounts and skip others.
Lesson Summary:
of users rather than having to assign permissions to each individual user account.
Lesson 2:
Implementing Built-in Local Groups
Windows 2000 has two categories of built-in groups: local and system. Built-in groups have a
predetermined set of user rights or group membership. Windows 2000 creates these groups for you
so you don’t have to create groups and assign rights and permissions for commonly used functions.
All stand-alone servers, member servers and computers running Windows 2000 Professional have
built-in local groups.
Built-in Local Groups **IMPORTANT **
Local Group         Description
======================================================================
Administrators      Members can perform all administrative tasks on the
                    computer. By default, the built-in Administrator user
                    account for the computer is a member.
Backup Operators    Members can use Windows Backup to back up and
                    restore the computer.
Guests              Members can perform only tasks for which you have
                    specifically granted rights and can gain access only
                    to resources for which you have assigned permissions.
                    By default, the built-in Guest account for the computer
                    is a member. The Guest account is disabled by default.
Power Users         Members can create and modify local user accounts on
                    the computer and share resources; they can also share
                    folders.
Replicator          Supports file replication in a domain.
Users               Members can perform only tasks for which you have
                    specifically granted rights and can gain access only
                    to resources for which you have assigned permissions.
                    By default, Windows 2000 adds local user accounts
                    that you create on the computer to the Users group.
                    Similar to the Everyone group in Windows NT.
Built-in System Groups:
Built-in system groups exist on all computers running Windows 2000. System groups don’t have
specific memberships that you can modify, but they can represent different users at different times,
depending on how a user gains access to a computer or resource.
Commonly Used Built-in System Groups
======================================================================
System Group          Description
======================================================================
Everyone              Includes all users who access the computer. The Everyone
                      group usually gets Full Control.
Authenticated Users   Includes all users with a valid user account on the computer
                      (or if your computer is part of a domain, it includes all users
                      in Active Directory directory services). Use the Authenticated
                      Users group instead of the Everyone group to prevent
                      anonymous access to a resource.
Creator Owner         Includes the user account of the user who created or took
                      ownership of a resource. If a member of the Administrators
                      group creates a resource, the Administrator is owner of the
                      resource.
Network (remote)      Includes any user with a current connection from another
                      computer on the network to a shared resource on the computer.
Interactive (local)   Includes the user account for the user who is logged on at the
                      computer. They can gain access to resources on the computer
                      at which they are physically located. They log on and gain
                      access to resources by “interacting” with the computer.
                      The logon locally parameter must be set.
Anonymous Logon       Includes any user account that Windows 2000 didn’t
                      authenticate. Using the Guest account, \\computer1\net.
Dial-up               Includes any user who currently has a dial-up connection.
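The advice to use Authenticated Users instead of Everyone can be applied as a check and a fix on a folder's permissions. This is an added example, not part of the original notes: it assumes a later Windows release with PowerShell, and the function names and the demo folder are constructed for illustration.

```powershell
# Well-known SIDs, so the check does not depend on localized group names.
$Everyone  = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$AuthUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# Hypothetical helper: list explicit Allow entries granted to Everyone.
function Get-EveryoneAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit entries only; inherited entries are corrected at the parent.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Everyone.Value -and
                       $_.AccessControlType -eq 'Allow' }
}

# Hypothetical helper: re-grant the same rights to Authenticated Users
# and remove the Everyone entry.
function Convert-EveryoneToAuthenticatedUsers {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in Get-EveryoneAce -Path $Path) {
        $new = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $AuthUsers, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, 'Allow')
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($new)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Constructed demo: a folder that grants Everyone Full Control.
$folder = Join-Path $env:TEMP 'everyone-acl-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl -LiteralPath $folder
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $folder -AclObject $acl

"Everyone entries before: $(@(Get-EveryoneAce -Path $folder).Count)"
Convert-EveryoneToAuthenticatedUsers -Path $folder
"Everyone entries after:  $(@(Get-EveryoneAce -Path $folder).Count)"

Remove-Item -LiteralPath $folder -Recurse -Force
```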
Lesson Summary:
1) Windows 2000 has two categories of built-in groups: local and system.
2) Windows 2000 has these built-in groups so you don’t have to create the groups and assign rights
and permissions for commonly used functions.
3) There are no global groups in Windows 2000 Professional.
4) System groups (Network, remote): if users are logged on remotely, you can restrict permissions.
Network = Read only.
5) System groups (Interactive, local): if you are logged on locally, you can have Full Control.