CHAPTER 3
SETTING UP GROUP ACCOUNTS
Lesson 1: Introduction to Groups …………………….. 81
Lesson 2: Planning a Group Strategy ………………… 90
Lesson 3: Creating Local and Global Groups ………... 96
Lesson 4: Implementing Built-in Groups ……………… 106
Group Accounts:
Group Accounts are collections of user accounts that share similar needs. By organizing accounts
into groups, you can greatly simplify administration tasks.
Group memberships govern much of what one can do on the network and on a particular computer.
Adding a user account to a group makes the user a member and gives the user all the rights and
permissions granted to the group. For example, if several users need to read a file, the user
accounts are added to a group. Permission to read the file is assigned just once to the group, rather than to each user.
Permissions and User Rights
Permissions are rules that regulate which users can use a resource, such as a folder, file or printer.
User Rights are rules that regulate which users can perform certain tasks on the system, such as
creating a user account, logging on to the local computer, or shutting down a server.
A user can be a member of one or more groups. A user who belongs to multiple groups possesses
all user rights and permissions of all the groups of which he or she is a member.
Lesson 2: Planning a Group Strategy
Having a strategy for implementing groups will simplify administration. This lesson presents the guidelines
for implementing local and global groups. For better control over user and resource management, first
organize users into global groups, and then add the global groups to local groups. Follow these guidelines:
Logically organize domain users based on their common needs. For example, if all sales
personnel need access to a color printer and all managers need access to the employee records file,
organize users into sales personnel and managers.
In each domain where user accounts reside, create a global group for each local group of users.
Then add the appropriate user accounts to the appropriate global group.
Create local groups based on resource access needs. For example, if managers need full control of files
in the Employee Handbook folder and sales personnel only need to read the files, create one local group
for the managers and another local group for the sales personnel.
If the resource is on a member server or a computer running Windows NT Workstation, create the
local group on the computer where the resource is located.
If the resource is on a PDC or BDC, create the local group on the PDC.
Assign the appropriate permissions to the local groups.
Add the global groups to the local groups.
NOTE: To add global groups from one domain to local groups of another domain you must establish
the proper trusts.
Planning Group Accounts:
As the Administrator you must determine the following:
The global groups and global group memberships for each domain
The local groups for each resource, and the computer and domain where they need to be created.
Which global group to add to each local group to give members access to a resource.
Lesson 3: Creating Local and Global Groups
You create local groups to give sets of users permissions to access a resource. You create global
groups to logically organize domain user accounts.
In a domain, local and global groups are created using User Manager for Domains. In a workgroup,
local groups are created using User Manager. Global groups cannot be created in a workgroup.
Rules for Creating Groups:
You must be a member of the built-in Administrators or built-in Account Operators group on the
computer where the group is being created.
A local group can be created on any computer running Windows NT.
Group names must be unique to the domain. They cannot be identical to other user names or
group names.
A global group must be created on the PDC, but can be created from any computer running User
Manager for Domains. This includes:
A BDC
A member server that is part of the domain
A computer running Windows NT Workstation or Microsoft Windows 95 with the client-based
administration tools installed.
Local and Global Groups:
Local groups cannot contain other local groups. There is a set hierarchy, AGLP:
A = Accounts
G = Global
L = Local
P = Permissions
=====================================================================
wntadm3.html
PAGE 2
2001/10/23
In User Manager for Domains, even if you are on the BDC you are really working on the PDC. Global
groups can be created on the PDC only. True!
Remember that the PDC is the guy in charge.
Local groups get permissions, and their names are unique to that domain. Administrator and Power
User are the only full-rights users. The Power User is not on the same level as the Administrator.
Local groups are also used to provide users with rights to perform system tasks, such as changing
the system time on the computer, or backing up and restoring files. Windows NT includes several
built-in local groups with pre-assigned user rights.
For example, the built-in Administrators group gives members the rights to perform tasks such as
creating user and group accounts, backing up data, and making changes to a Windows NT
configuration.
Local groups can contain user accounts and global groups from any domain. However, local
groups cannot contain other local groups.
Global Groups
Global groups are used to organize domain user accounts, typically by function or geographical location.
Global groups can contain only user accounts from the domain where the global group is created.
They cannot contain local groups or other global groups.
Windows NT includes several built-in global groups, for example, the Domain Users group. By
default, all domain user accounts are added to the Domain Users group. Unlike built-in local groups,
built-in global groups do not have inherent user rights.
Where Local Groups are Created
If a resource resides on a member server or computer running Windows NT Workstation, the local
group for the resource must be created on that computer.
Naming Convention:
256 = the naming convention (maximum) length
22 = characters displayed
20 = characters NT actually uses
Where Global Groups are Created
Global groups are always created on the PDC in the domain where the user accounts reside. For
example, global groups in Domain1 are created on the PDC in Domain1. Global groups in Domain2
are created on the PDC in Domain2. Global groups can be created on the PDC from any computer
running User Manager for Domains.
Global groups are organized geographically or by function.
Deleting Groups
When you delete a group, you delete the group and keep the users, but not the permissions.
The group's SID is also gone once you delete the group.
Groups only have rights. If you assign one person to be a Backup Operator, they can only back up.
You can assign another person to have restore privileges.
This is a good way to spread out the responsibility and not give any one person other than the
Administrator full control of something as important as backup and restore.
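The nesting rules from Lesson 3, the trust note from Lesson 2 and the deletion behaviour just described, as an added Python model (not code from these notes or from Windows NT itself): nesting_allowed encodes AGLP, Directory.add_member refuses the combinations the rules forbid, and demo shows that recreating a deleted local group under the same name yields a new SID, so the old permission does not come back. The domain, account and resource names, the trust pair and the integer SIDs are constructed stand-ins.

```python
# Added model of Windows NT group nesting (AGLP) and of what deleting a group does;
# constructed illustration: the names, domains and SID values are made up.
import itertools

_next_sid = itertools.count(1000)  # constructed RIDs: a SID is issued once and never reused

class Account:
    def __init__(self, name, domain, kind):  # kind: "user", "global" or "local"
        self.name, self.domain, self.kind = name, domain, kind  # local: domain of its computer
        self.sid = next(_next_sid)
        self.members = set()                 # SIDs of direct members

def nesting_allowed(group_kind, member_kind):
    """AGLP rule: users go into global groups; users and global groups go into local groups."""
    if group_kind == "global":
        return member_kind == "user"
    if group_kind == "local":
        return member_kind in ("user", "global")
    return False

class Directory:
    def __init__(self):
        self.accounts = {}   # sid -> Account
        self.acl = {}        # resource -> {sid: permission}
        self.trusts = set()  # (trusting domain, trusted domain)
    def create(self, name, domain, kind):
        # A name must be unique in its domain, across users and groups alike.
        if any(a.name == name and a.domain == domain for a in self.accounts.values()):
            raise ValueError(f"{name} already exists in {domain}")
        acct = Account(name, domain, kind)
        self.accounts[acct.sid] = acct
        return acct
    def add_member(self, group, member):
        if not nesting_allowed(group.kind, member.kind):
            raise ValueError(f"cannot put a {member.kind} into a {group.kind} group")
        if group.kind == "global" and member.domain != group.domain:
            raise ValueError("a global group holds only accounts from its own domain")
        if member.domain != group.domain and (group.domain, member.domain) not in self.trusts:
            raise ValueError(f"{group.domain} must trust {member.domain} first")
        group.members.add(member.sid)
    def grant(self, resource, local_group, permission):
        # The P in AGLP: the permission is assigned once, to the local group.
        self.acl.setdefault(resource, {})[local_group.sid] = permission
    def effective_permissions(self, user, resource):
        # Walk user -> global group -> local group, then read the ACL by SID.
        sids = {user.sid}
        for _ in range(2):  # at most two levels of nesting under AGLP
            sids |= {a.sid for a in self.accounts.values() if a.members & sids}
        return {p for sid, p in self.acl.get(resource, {}).items() if sid in sids}
    def delete_group(self, group):
        # Deleting a group drops its SID from every ACL and membership; the users stay.
        del self.accounts[group.sid]
        for a in self.accounts.values():
            a.members.discard(group.sid)
        for entries in self.acl.values():
            entries.pop(group.sid, None)

def demo():
    """Return (Alice's permissions, the same after the local group is deleted and recreated, new SID?)."""
    d = Directory()
    share = r"\\SERVER1\Handbook"   # constructed resource name
    alice = d.create("alice", "DOM1", "user")
    sales = d.create("Sales", "DOM1", "global")
    readers = d.create("Handbook Readers", "DOM1", "local")
    d.add_member(sales, alice)
    d.add_member(readers, sales)
    d.grant(share, readers, "Read")
    before = d.effective_permissions(alice, share)
    d.delete_group(readers)
    readers2 = d.create("Handbook Readers", "DOM1", "local")  # same name, fresh SID
    d.add_member(readers2, sales)
    after = d.effective_permissions(alice, share)             # the ACL entry died with the old SID
    return before, after, readers2.sid != readers.sid
```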
Lesson 4: Implementing Built-in Groups
Built-in groups are predefined groups that have a predetermined set of user rights. User rights
determine the system tasks that a user or member of a built-in group can perform. Even though
individual user rights can be assigned directly to a user, in most cases this is not recommended.
Computers running Windows NT have three types of built-in groups:
=====================================================================
wntadm3.html
PAGE 5
2001/10/23
Built-in local groups. These groups give users rights to perform system tasks, such as backing
up and restoring files, changing the system time, and administering system resources.
Built-in global groups. These groups give administrators an easy way to control all users
in a domain.
System groups. These groups automatically organize users for system use. Administrators do
not assign them. Rather, users are either members by default or become members during network
activity.
NOTE: Built-in groups cannot be deleted or renamed.
IMPORTANT – The group Everyone does not have the Log on locally right by default on Windows
NT Server domain controllers. This user right was assigned to the Everyone group when you
completed the Setup procedures located in “About this book.”
Built-in Groups on all Windows NT Computers:
======================================================================
BUILT-IN GROUPS ON WINDOWS NT
----------------------------------------------------------------------
Type of Account                  Windows NT Server   Windows NT Server   Windows NT
(default members)                Domain Controller   Member Server       Workstation
----------------------------------------------------------------------
Users (ordinary users)                  X                   X                X
Administrators (administrator)          X                   X                X
Guests (guest)                          X                   X                X
Backup Operators (no members)           X                   X                X
Power Users (no members)                -                   X                X
======================================================================
======================================================================
ADDITIONAL BUILT-IN GROUPS ON THE DOMAIN CONTROLLER ONLY
----------------------------------------------------------------------
LOCAL GROUPS (on the domain controller)      GLOBAL GROUPS
----------------------------------------------------------------------
Account Operators                            Domain Users
Server Operators                             Domain Admins
Print Operators                              Domain Guests
======================================================================
BEST PRACTICES
1. Apply the following strategy when using local and global groups:
2. For increased security, use the global group Domain Users instead of the
Everyone group. The Domain Users group contains only accounts in the
domain, and not the Guest account.
3. To enable administrators to perform administration tasks in other domains,
add the global group Domain Admins to the local Administrators group on the
computer you want to administer.
4. If the rights of a built-in group meet your needs, add the user account to that
group.
5. Always add users to the built-in groups that are the most restrictive, yet still
allow them to accomplish all necessary tasks.
CHAPTER 2 & 3 REVIEW
Chapter 2:
Name the three types of user accounts in Windows NT? (page 36)
Where in Windows do you create the accounts? (page 37)
Manager is
User Manager for Domains is used.
How often is the BDC synced with the PDC? (p37)
How about password length? (p42)
What are the five key planning elements you need to consider before implementing user accounts? (p46)
workstation restrictions.
Describe a SID. (p61)
created. A SID is a unique number that identifies the account. Internal processes in Windows NT
refer to an account's SID rather than the account's user or group name.
What two accounts cannot be deleted? (p62)
How can you assign a home folder to a user? (p64)
the server name, and the share name. In place of the username, use %Username% to
automatically name the home folder after the user name.
What does the user profile include? (page 65)
The user profile contains all user-definable settings for the work environment of a computer running
Windows NT, including display, regional, mouse, and sounds settings and network and printer
connections.
What is a roaming profile? (p67)
no matter which Windows NT based computer a user logs on to. Roaming user profiles are stored
centrally on a network server rather than on the user’s local computer.
What is the file name used for a roaming profile? (p67)
What is a mandatory user profile, and what is the file name? (p67)
This is a preconfigured user profile that users cannot change. You can make a template of the
mandatory profile and assign it to several users. You can use this type of profile to assign
common settings for all users who require identical desktop configurations, for example, bank tellers.
A mandatory user profile requires a .man extension. You can make a personal profile mandatory by
renaming it, for example to Ntuser.man.
What is the difference between a domain user account and a local user account? (page 75)
When a user is set up with a domain account, they can access the resources on that domain and also
access the domain database.
When a local user logs on, they can only access the database on the individual computer. If they
want to access data on another computer, they must log on to that separate computer.
What is the difference between a local and a roaming profile? (p75)
A local profile applies only when logging on to the computer where the profile was created. A roaming
profile can be used when logging on to any computer in the domain. The roaming profile is stored on
the network server in a shared folder.
Chapter 3:
What are group accounts? (p81)
Group accounts are collections of user accounts that share similar needs. By organizing accounts
into groups, you can greatly simplify administration tasks.
Group memberships govern much of what one can do on the network and on a particular computer.
Adding a user account to a group makes the user a member and gives the user all the rights and
permissions granted to the group. Group membership provides an easy way to assign permissions
and user rights to sets of users at one time.
What are permissions? (p81)
Permissions are rules that regulate which users can use a resource such as a folder, file or printer.
Maintaining permissions for a group is easier than maintaining permissions for many user accounts,
so you generally want to use groups to manage access to resources.
What are User Rights? (p81)
User rights are rules that regulate which users can perform certain tasks on the system, such as creating
a user account, logging on to the local computer, or shutting down a server. A user can be a member of
one or more groups. A user who is a member of more than one group possesses all user rights
and permissions of all groups of which he or she is a member.
Name the two types of groups, and describe. (p82)
Local and Global
Local groups are used to provide users with permissions to access a network resource on the local
computer. You must assign permissions to a local group, and then add user accounts or global groups
from one or more domains to the local group. There are several built-in local groups with pre-assigned
user rights. For example, the built-in Administrators group gives members the rights to perform tasks
such as creating user and group accounts, backing up data, and making changes to a Windows NT
configuration. Local groups can contain user accounts and global groups from any domain. However,
local groups cannot contain other local groups.
Global groups are used to organize domain user accounts, typically by function or geographical
location. Global groups can contain only user accounts from the domain where the global group is
created. They cannot contain local groups or other global groups. By default, all domain user accounts
are added to the Domain Users group. Unlike built-in local groups, built-in global groups do not have
inherent user rights; rights must be assigned to them.
Where can you create a Local Group? (p84)
If a resource resides on a member server or computer running Windows NT Workstation, the local
group for the resource must be created on that computer. If the resource resides on any domain
controller, the local group is created on the PDC. The PDC will then provide its user account and
security information to all other domain controllers in the domain.
Where are Global Groups Created? (p85)
Global groups are always created on the PDC in the domain where the user accounts reside. For
example, global groups in Domain1 are created on the PDC in Domain1. Global groups in Domain2
are created on the PDC in Domain2.
Determine some group combinations. (p102)
a. Add a global group to a global group.
b. Add a global group to a local group.
c. Add a local group to a local group.
d. Add a local group to a global group.
The only answer is b. Add a global group to a local group.
What happens when you delete a group? (p103)
When you delete a group, you delete the name of the group, its description, and the rights or permissions
associated with it. It does not delete the user accounts that it contains.
A deleted group cannot be recovered, so be sure that you want to delete a group before you do so.
When you delete a group, the SID for the group account is deleted, and SIDs are used only once.
For this reason, resource permissions associated with the group cannot be reestablished by creating a new
group using the same account name.
Computers running Windows NT have three types of built-in groups; what are they? (p106)
Built-in local groups, built-in global groups, and system groups. Built-in groups cannot be deleted or
renamed.
What right does the Everyone group not have? (p107)
The group Everyone does not have the Log on locally right by default on Windows NT Server domain
controllers. This user right was assigned to the Everyone group when you completed the Setup
procedures located in About this book.
Which groups can change the system time? Built-in user rights? (p108)
Windows NT Workstation and Member servers = Administrator & Power user.
Domain Controllers = Administrator and Server Operator.
Which groups can shut down the system? (p108)
Windows NT workstation and Member Servers = Administrator, Back-up Operator, Everyone,
Power Users and Users.
Which groups can back up files and directories (built-in groups with granted rights)? (p108)
Windows NT Workstation = Administrator and Backup Operator
Domain Controller = Administrator, Back-up Operator, and Server Operator
What are the built-in group rights for restoring files and directories?
List the default (inherent) rights assigned to the Administrator. (p108)
List the built-in local groups assigned on Windows NT. (p109)
Windows NT Server Member Server and Windows NT Workstation have the built-in groups of Users,
Administrators, Backup Operators, and Guests, but they also have one other built-in group. What is it?
(page 109)
Print Operators.
Domain Guests.
What are the built-in system groups for NT? (p113)
System groups are installed on all computers running Windows NT. Unlike other built-in groups, users
become members of system groups during network activity. Membership cannot be altered; the users
become members by default. They are Everyone and Creator Owner.
System groups can only be viewed on an NTFS volume. They do not appear in User Manager.
======================================================================
System Group   Description
======================================================================
Network        Includes any user who is currently connected from another
               computer on the network to a shared resource on your computer.
Interactive    Automatically includes a user who logs on to the computer
               locally. Interactive members access resources on the computer
               at which they are physically sitting. They log on and access
               resources by "interacting" with the computer.
======================================================================
Which of the following describe a local group? (circle all that apply) (p120)
perform system tasks.
domain controller. If the resource resides on a domain controller, the local group is created
on the PDC.
1,3,4,5,7
Which of the following describe a global group? (circle all that apply).
rights to perform system tasks.
domain controller. If the resources reside on a domain controller, the local group is created on the PDC.
1,6,8
Which of the following tasks will work? (circle all that apply).
Workstation, add the user account to the built-in Administrators group.
Domain2, add the Domain Admins group from Domain1 to the Administrators group on the
PDC of Domain2.
the Domain Admins group from Domain1 to the Administrators group on the PDC of Domain2.
Windows NT Workstation and member servers, add the Domain Admins group from Domain1
to the Administrators group on those computers in Domain2.
1,2,4