Chapter 7 Managing Groups MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER  Implement, configure, manage, and troubleshoot local user accounts.  Implement, configure, manage, and troubleshoot account settings.  Create and manage local users and groups.  Implement, configure, manage, and troubleshoot local Group Policy. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com G roups are an important part of network management. Many administrators are able to accomplish the majority of their manage- ment tasks through the use of groups; they rarely assign permissions to indi- vidual users. Windows 2000 Professional includes built-in local groups, such as Administrators and Backup Operators. These groups already have all of the permissions needed to accomplish specific tasks. Windows 2000 Profes- sional also uses default special groups, which are managed by the system. Users become members of special groups based on computer and network access. You create and manage local groups through the Local Users and Groups utility. Through this utility, you can add groups, change group membership, rename groups, and delete groups. Local group policies allow you to set computer configuration and user configuration options that apply to every user of the computer. Group pol- icies are typically used with the Active Directory. Local group policies may be useful for computers that are not part of a network or in networks that don’t have a domain controller. In this chapter, you will learn about all the built-in groups. Then you will learn how to create and manage groups. The final sections in this chapter cover local group policies. Using Built-In Groups O n a Windows 2000 Professional computer, default local groups have already been created and assigned all of the permissions to accomplish basic tasks. There are also built-in special groups that the Windows 2000 system handles automatically. These groups are described in the following sections. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com Using Built-In Groups 309 Windows 2000 Professional and Windows 2000 Servers that are installed as member servers have the same default groups. Default Local Groups A local group is a group that is stored on the local computer’s accounts data- base. These are the groups that you can add users to and manage directly on a Windows 2000 Professional computer. By default, the following local groups are created on Windows 2000 Pro- fessional computers:  Administrators  Backup Operators  Guests  Power Users  Replicator  Users The following sections briefly describe each group, its default permis- sions, and the users assigned to the group by default. If possible, you should add users to the built-in local groups rather than creating new groups from scratch. This makes your job easier, because the built-in groups already have the appropriate permissions. All you need to do is add the users you want to be members of the group. The Administrators Group The Administrators group has full permissions and privileges. Its members can grant themselves any permissions they do not have by default, to manage all the objects on the computer. (Objects include the file system, printers, and account management.) You should assign users to the Administrators group with caution. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com 310 Chapter 7  Managing Groups Members of the Administrators group can perform the following tasks:  Install the operating system.  Install and configure hardware device drivers.  Install system services.  Install service packs, hot fixes, and Windows updates.  Upgrade the operating system.  Repair the operating system.  Install applications that modify the Windows system files.  Configure password policies.  Configure audit policies.  Manage security logs.  Create administrative shares.  Create administrative accounts.  Modify groups and accounts that have been created by other users.  Remotely access the Registry.  Stop or start any service.  Configure services.  Increase and manage disk quotas.  Increase and manage execution priorities.  Remotely shut down the system.  Assign and manage user rights.  Reenable locked-out and disabled accounts.  Manage disk properties, including formatting hard drives.  Modify system-wide environment variables.  Access any data on the computer.  Back up and restore all data. By default, the Administrator and initial user account are members of the Administrators local group. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com Using Built-In Groups 311 The Backup Operators Group The members of the Backup Operators group have permissions to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can only access the file system through the Backup utility. To be able to access the file system directly, they must have explicit permis- sions assigned. By default, there are no members of the Backup Operators local group. The Guests Group The Guests group has limited access to the computer. This group is provided so that you can let people who are not regular users access specific network resources. As a general rule, most administrators do not allow Guest access because it poses a potential security risk. By default, the Guest user account is a member of the Guests local group. The Power Users Group The Power Users group has fewer rights than the Administrators group, but more rights than the Users group. You should assign users to the Power Users group with caution. Members of the Power Users group can perform the following tasks:  Create local users and groups.  Modify the users and groups that they have created.  Create and delete network shares (except administrative shares).  Create, manage, and delete local printers.  Modify the system clock.  Stop or start services (except services that are configured to start automatically).  Modify the program files directory. By default, there are no members of the Power Users local group. Members of the Power Users group cannot access any NTFS resources that they have not been given permission to. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com 312 Chapter 7  Managing Groups The Replicator Group The Replicator group is intended to support directory replication, which is a feature used by domain servers. Only domain users who will start the rep- lication service should be assigned to this group. By default, there are no members of the Replicator local group. The Users Group The Users group is used by end users who should have very limited system access. If you have installed a fresh copy of Windows 2000 Professional, the default settings for this group prohibit users from compromising the operat- ing system or program files. By default, all users who have been created on the computer, except Guest, are members of the Users local group. An efficient use of the Users group is to allow users to run but not modify installed applications. Users should not be allowed general access to the file system. Special Groups Special groups are used by the system. Membership in these groups is auto- matic if certain criteria are met. You cannot manage special groups through the Local Users and Groups utility. The special groups that are built into Windows 2000 Professional are described in Table 7.1. TABLE 7.1 Windows 2000 Professional Special Groups Group Description Creator Owner The account that created or took ownership of the object. This is usually a user account. Each object (such as files, folders, printers, and print jobs) has an owner. Members of the Creator Owner group are able to have special per- missions to resources. For example, if you are a regular user who has submitted 12 print jobs to a printer, you can manipulate your print jobs as Creator Owner, but you can’t manage any print jobs submitted by other users. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com Using Built-In Groups 313 Creator Group The group that created or took ownership of the object (rather than an individual user). When a regular user cre- ates an object or takes ownership of an object, the user- name becomes the Creator Owner. When a member of the Administrators group creates or takes ownership of an object, the group Administrators becomes the Creator Group . Everyone The group that includes anyone who could possibly ac- cess the computer. Everyone includes all of the users who have been defined on the computer (including Guest), and if your computer is a part of a domain, all of the users within the domain. If the domain has trust rela- tionships with other domains, all of the users in the trusted domains are part of the Everyone group. Interactive The group that includes all the users who use the com- puter’s resources locally. Local users belong to the Inter- active group . Network The group that includes the users who access the com- puter’s resources over a network connection. Network users belong to the Network group . Authenticated Users The group that includes users who access the Win- dows 2000 operating system through a valid username and password. Users who can log on belong to the Authenticated Users group . Anonymous Logon The group that includes users who access the computer through anonymous logons. When users gain ac- cess through special accounts created for anonymous access to Windows 2000 services, they become mem- bers of the Anonymous Logon group . Batch The group that includes users who log on as a user ac- count that is only used to run a batch job. Batch job ac- counts are members of the Batch group . TABLE 7.1 Windows 2000 Professional Special Groups (continued) Group Description Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com 314 Chapter 7  Managing Groups You can learn more about domains and trust relationships in MCSE: Win- dows 2000 Directory Services Administration Study Guide , by Anil Desai with James Chellis (Sybex, 2000). Terminal Services are covered in MCSE: Windows 2000 Server Study Guide, by Lisa Donald with James Chellis (Sybex, 2000). Working with Groups Groups are used to logically organize users with similar rights require- ments. Groups simplify administration because you can manage a few groups rather than many user accounts. For the same reason, groups simplify troubleshooting. Users can belong to as many groups as needed, so it’s not difficult put users into groups that make sense for your organization. Dialup The group that includes users who log on to the net- work from a dial-up connection. Dial-up users are mem- bers of the Dialup group. (Dialup connections are covered in Chapter 13, “Dial-Up Networking and Inter- net Productivity.”) Service The group that includes users who log on as a user ac- count that is only used to run a service. You can configure the use of user accounts for log on through the Services program (discussed in Chapter 4, “Configuring the Win- dows 2000 Environment”), and these accounts become members of the Service group. System When the system accesses specific functions as a user, that process becomes a member of the System group. Terminal Server User The group that includes users who log on through Termi- nal Services. These users become members of the Termi- nal Server User group. TABLE 7.1 Windows 2000 Professional Special Groups (continued) Group Description Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com Working with Groups 315 For example, suppose that Jane is hired as a data analyst, to join the four other data analysts that work for your company. You sit down with Jane and create an account for her and assign her the network permissions for the access you think she needs. But then you later find that the four other data analysts, who have similar job functions, sometimes have network access Jane doesn’t have, and sometimes she has access they don’t have. This hap- pened because all of their permissions were assigned individually, months apart. To avoid such problems and reduce your workload, you can assign all the data analysts to a group and then assign the group the appropriate per- missions. Then, as users join or leave the department, you can simply add them to or remove them from the group. This chapter covers the group-related material for the “Implement, configure, and troubleshoot local user accounts” objective. All of the subobjectives for this objective are covered in Chapter 6, “Managing Users.” You can create new groups for your users, as well as use the Windows 2000 Professional default local built-in groups, which were described in the pre- vious section. When you plan your groups, you should check to see if an existing local group meets your requirements before you decide to create a new group. For example, if all of the users need to access a particular appli- cation, it makes sense to use the default Users group instead of creating a new group and adding all of the users to that group. To work with groups, you use the Local Users and Groups utility. In Chapter 6, “Managing Users,” you learned how to load and use the Local Users and Groups MMC snap-in to create and manage users. In the follow- ing sections, you will learn how to use this snap-in to create and manage groups.  Microsoft Exam Objective Implement, configure, manage, and troubleshoot local user accounts.  Implement, configure, manage, and troubleshoot account settings.  Create and manage local users and groups. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com 316 Chapter 7  Managing Groups The procedures for many basic group management tasks—creating, deleting, and renaming groups—are the same for both Windows 2000 Professional and Server. Creating Groups In order to create a group, you must be logged on as a member of the Admin- istrators group or the Power Users group. The Administrators group has full permissions to manage users and groups. The members of the Power Users group can manage only the users and groups that they create. When you create a local group, you should use the following guidelines:  The group name should be descriptive (for example, Accounting Data Users).  The group name must be unique to the computer, different from all of the other group names and usernames that exist on that computer.  Group names can be up to 256 characters. It is best to use alpha- numeric characters for ease of administration. The backslash (\) char- acter is not allowed. As when you choose usernames, you should consider your naming con- ventions when assigning names to groups. Creating groups is similar to creating users, and it is a fairly easy process. After you’ve added the Local Users and Groups snap-in to the MMC, you expand it to see the Users and Groups folders. Right-click the Groups folder and select New Group from the pop-up menu. This brings up the New Group dialog box, as shown in Figure 7.1. If your computer doesn’t have MMC configured, you can access the Local Users and Groups utility through the Computer Management utility. Right- click My Computer and select Manage from the pop-up menu to open the Computer Management utility. In the System Tools folder, you will see the Local Users and Groups folder. Expand that folder to access the Users and Groups folders in the utility. Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com [...]... Professional built-in groups, which include default local groups, like Administrators and Power Users, and default special groups, like Everyone and Network You can manage the default local groups, but the special groups are managed by the system The procedure for creating groups You create groups through Local Users and Groups utility The procedure for adding users to groups and removing users from groups You... 7 Managing Groups Review Questions 1 Which built-in group would you add a user to if you wanted the user to be able to create users and groups, but not manage properties of users and groups that user did not create? A Administrators B Power Users C Server Operators D Power Operators 2 Which of the following groups are default built-in local groups that can be managed through the Local Users and Groups. .. Alameda, CA www.sybex.com 318 Chapter 7 Managing Groups Managing Group Membership After you’ve created a group, you can add members to it As mentioned earlier, you can put the same user in multiple groups You can easily add and remove users through the group Properties dialog box, shown in Figure 7.2 To access this dialog box from the Groups folder in the Local Users and Groups utility, double-click the group... CA www.sybex.com 338 Chapter 7 Managing Groups 9 Which of following statements regarding local groups is true? A You cannot rename a group B You can add users and other local groups to an existing local group C The local group’s properties can contain a description D You manage groups through the User Manager utility 10 Which of the following are considered to be special groups in Win- dows 2000 Professional?... one of the groups you created in Exercise 7.1 EXERCISE 7.3 Renaming a Local Group 1 Open the MMC and expand the Local Users and Groups snap-in 2 Expand the Groups folder 3 Right-click the Application Users group (created in Exercise 7.1) and select Rename 4 Rename the group to App Users and press Enter Copyright © 2000 SYBEX Inc., Alameda, CA www.sybex.com Working with Groups 321 Deleting Groups If... .inf files D .cfg files Copyright © 2000 SYBEX Inc., Alameda, CA www.sybex.com 342 Chapter 7 Managing Groups Answers to Review Questions 1 B Members of the Power Users group can create users and groups, but can only manage the users and groups that they have created Administrators can manage all users and groups The Server Operators group only exists on Windows 2000 domain controllers The Power Operators... Groups snap-in to the MMC (see Exercise 6.2 in Chapter 6) EXERCISE 7.1 Creating Local Groups 1 Open the MMC and expand the Local Users and Groups snap-in 2 Right-click the Groups folder and select New Group 3 In the New Group dialog box, type Data Users in the Group Name text box Click the Create button 4 Right-click the Groups folder and select New Group 5 In the New Group dialog box, type Application... menu and Taskbar options For example, you can specify whether or not users see common program groups and whether or not Logoff is an option on the Start menu (The Start menu and Taskbar are covered in Chapter 5, Managing the Desktop.”) Copyright © 2000 SYBEX Inc., Alameda, CA www.sybex.com 332 Chapter 7 Managing Groups Desktop Desktop policies allow you to configure options for the Active Desktop For... controllers The Power Operators group does not exist by default on Windows 2000 computers 2 A, C You can manage the Backup Operators and Replicator local groups through the Local Users and Groups utility The Everyone and Dialup groups are considered special groups, and their membership is determined by computer and network access 3 B There are no members of the Backup Operators group by default Members of... then add these users to one of the groups you created in Exercise 7.1 EXERCISE 7.2 Adding Users to a Local Group 1 Open the MMC and expand the Local Users and Groups snap-in 2 Create four new users: Bent, Claire, Patrick, and Trina (See Chapter 6 for details on creating user accounts.) Deselect the User Must Change Password at Next Logon option for each user 3 Expand the Groups folder 4 Double-click the . Special Groups Special groups are used by the system. Membership in these groups is auto- matic if certain criteria are met. You cannot manage special groups. with Groups Groups are used to logically organize users with similar rights require- ments. Groups simplify administration because you can manage a few groups