Chapter 7
Managing Groups
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER
Implement, configure, manage, and troubleshoot local user accounts.
Implement, configure, manage, and troubleshoot account settings.
Create and manage local users and groups.
Implement, configure, manage, and troubleshoot local Group Policy.
Copyright © 2000 SYBEX Inc., Alameda, CA.
www.sybex.com
Groups are an important part of network management. Many administrators are able to accomplish the majority of their management tasks through the use of groups; they rarely assign permissions to individual users.
Windows 2000 Professional includes built-in local groups, such as Administrators and Backup Operators. These groups already have all of the permissions needed to accomplish specific tasks. Windows 2000 Professional also uses default special groups, which are managed by the system. Users become members of special groups based on computer and network access.
You create and manage local groups through the Local Users and Groups utility. Through this utility, you can add groups, change group membership, rename groups, and delete groups.
Local group policies allow you to set computer configuration and user configuration options that apply to every user of the computer. Group policies are typically used with the Active Directory. Local group policies may be useful for computers that are not part of a network or in networks that don’t have a domain controller.
In this chapter, you will learn about all the built-in groups. Then you will learn how to create and manage groups. The final sections in this chapter cover local group policies.
Using Built-In Groups
On a Windows 2000 Professional computer, default local groups have already been created and assigned all of the permissions to accomplish basic tasks. There are also built-in special groups that the Windows 2000 system handles automatically. These groups are described in the following sections.
Windows 2000 Professional and Windows 2000 Servers that are installed as
member servers have the same default groups.
Default Local Groups
A local group is a group that is stored on the local computer’s accounts database. These are the groups that you can add users to and manage directly on a Windows 2000 Professional computer.
By default, the following local groups are created on Windows 2000 Professional computers:
Administrators
Backup Operators
Guests
Power Users
Replicator
Users
The following sections briefly describe each group, its default permissions, and the users assigned to the group by default.
If possible, you should add users to the built-in local groups rather than creating
new groups from scratch. This makes your job easier, because the built-in
groups already have the appropriate permissions. All you need to do is add the
users you want to be members of the group.
The Administrators Group
The Administrators group has full permissions and privileges. Its members can grant themselves any permissions they do not have by default, to manage all the objects on the computer. (Objects include the file system, printers, and account management.)
You should assign users to the Administrators group with caution.
Members of the Administrators group can perform the following tasks:
Install the operating system.
Install and configure hardware device drivers.
Install system services.
Install service packs, hot fixes, and Windows updates.
Upgrade the operating system.
Repair the operating system.
Install applications that modify the Windows system files.
Configure password policies.
Configure audit policies.
Manage security logs.
Create administrative shares.
Create administrative accounts.
Modify groups and accounts that have been created by other users.
Remotely access the Registry.
Stop or start any service.
Configure services.
Increase and manage disk quotas.
Increase and manage execution priorities.
Remotely shut down the system.
Assign and manage user rights.
Reenable locked-out and disabled accounts.
Manage disk properties, including formatting hard drives.
Modify system-wide environment variables.
Access any data on the computer.
Back up and restore all data.
By default, the Administrator and initial user account are members of the Administrators local group.
The Backup Operators Group
The members of the Backup Operators group have permissions to back up and restore the file system, even if the file system is NTFS and they have not been assigned permissions to the file system. However, the members of Backup Operators can only access the file system through the Backup utility. To be able to access the file system directly, they must have explicit permissions assigned. By default, there are no members of the Backup Operators local group.
The Guests Group
The Guests group has limited access to the computer. This group is provided so that you can let people who are not regular users access specific network resources. As a general rule, most administrators do not allow Guest access because it poses a potential security risk. By default, the Guest user account is a member of the Guests local group.
The Power Users Group
The Power Users group has fewer rights than the Administrators group, but more rights than the Users group.
You should assign users to the Power Users group with caution.
Members of the Power Users group can perform the following tasks:
Create local users and groups.
Modify the users and groups that they have created.
Create and delete network shares (except administrative shares).
Create, manage, and delete local printers.
Modify the system clock.
Stop or start services (except services that are configured to start automatically).
Modify the program files directory.
By default, there are no members of the Power Users local group.
Members of the Power Users group cannot access any NTFS resources that
they have not been given permission to.
The Replicator Group
The Replicator group is intended to support directory replication, which is a feature used by domain servers. Only domain users who will start the replication service should be assigned to this group. By default, there are no members of the Replicator local group.
The Users Group
The Users group is used by end users who should have very limited system access. If you have installed a fresh copy of Windows 2000 Professional, the default settings for this group prohibit users from compromising the operating system or program files. By default, all users who have been created on the computer, except Guest, are members of the Users local group.
An efficient use of the Users group is to allow users to run but not modify
installed applications. Users should not be allowed general access to the file
system.
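Added example (not from the book): the default memberships listed in the sections above give a baseline to audit against. This Python example parses the output of `net localgroup <group>` and reports members beyond those defaults; the sample output, the account name lisa, and the function names are constructed for illustration, and the usual output layout (an "Alias name" line, then members under a dashed rule) is assumed.

```python
import re

# Default members per group as stated in this chapter (lowercased).
# Users is omitted: it holds every created account except Guest.
CHAPTER_DEFAULTS = {
    "Administrators": {"administrator"},  # plus the initial user (a parameter)
    "Backup Operators": set(),
    "Guests": {"guest"},
    "Power Users": set(),
    "Replicator": set(),
}

def parse_net_localgroup(text):
    """Return (group, [members]) parsed from `net localgroup <group>` output."""
    name, members, in_members = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name"):
            name = line[len("Alias name"):].strip()
        elif re.fullmatch(r"-{5,}", line):
            in_members = True  # the member list follows the dashed rule
        elif in_members:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    if name is None:
        raise ValueError("input is not `net localgroup <group>` output")
    return name, members

def audit(outputs, initial_user):
    """Map each audited group to the members beyond the chapter's defaults."""
    findings = {}
    for text in outputs:
        group, members = parse_net_localgroup(text)
        if group not in CHAPTER_DEFAULTS:
            continue
        allowed = CHAPTER_DEFAULTS[group] | (
            {initial_user.lower()} if group == "Administrators" else set())
        extra = sorted(m for m in members if m.lower() not in allowed)
        if extra:
            findings[group] = extra
    return findings

def _sample(group, members):
    """Build constructed sample output in the assumed layout."""
    lines = [f"Alias name     {group}", "Comment        constructed sample",
             "", "Members", "", "-" * 79, *members,
             "The command completed successfully.", ""]
    return "\n".join(lines)

# Constructed data: lisa is the initial user; Patrick and Trina were added later.
SAMPLES = [
    _sample("Administrators", ["Administrator", "lisa", "Patrick"]),
    _sample("Backup Operators", []),
    _sample("Guests", ["Guest"]),
    _sample("Power Users", ["Trina"]),
]

if __name__ == "__main__":
    for group, extra in audit(SAMPLES, initial_user="lisa").items():
        print(f"{group}: review membership of {', '.join(extra)}")
```

Members reported for Administrators or Power Users are not necessarily wrong; they are the accounts whose membership should be justified, since the chapter advises assigning users to both groups with caution.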
Special Groups
Special groups are used by the system. Membership in these groups is automatic if certain criteria are met. You cannot manage special groups through the Local Users and Groups utility. The special groups that are built into Windows 2000 Professional are described in Table 7.1.
TABLE 7.1 Windows 2000 Professional Special Groups
Group: Description
Creator Owner: The account that created or took ownership of the object. This is usually a user account. Each object (such as files, folders, printers, and print jobs) has an owner. Members of the Creator Owner group are able to have special permissions to resources. For example, if you are a regular user who has submitted 12 print jobs to a printer, you can manipulate your print jobs as Creator Owner, but you can’t manage any print jobs submitted by other users.
Creator Group: The group that created or took ownership of the object (rather than an individual user). When a regular user creates an object or takes ownership of an object, the username becomes the Creator Owner. When a member of the Administrators group creates or takes ownership of an object, the group Administrators becomes the Creator Group.
Everyone: The group that includes anyone who could possibly access the computer. Everyone includes all of the users who have been defined on the computer (including Guest), and if your computer is a part of a domain, all of the users within the domain. If the domain has trust relationships with other domains, all of the users in the trusted domains are part of the Everyone group.
Interactive: The group that includes all the users who use the computer’s resources locally. Local users belong to the Interactive group.
Network: The group that includes the users who access the computer’s resources over a network connection. Network users belong to the Network group.
Authenticated Users: The group that includes users who access the Windows 2000 operating system through a valid username and password. Users who can log on belong to the Authenticated Users group.
Anonymous Logon: The group that includes users who access the computer through anonymous logons. When users gain access through special accounts created for anonymous access to Windows 2000 services, they become members of the Anonymous Logon group.
Batch: The group that includes users who log on as a user account that is only used to run a batch job. Batch job accounts are members of the Batch group.
Dialup: The group that includes users who log on to the network from a dial-up connection. Dial-up users are members of the Dialup group. (Dialup connections are covered in Chapter 13, “Dial-Up Networking and Internet Productivity.”)
Service: The group that includes users who log on as a user account that is only used to run a service. You can configure the use of user accounts for log on through the Services program (discussed in Chapter 4, “Configuring the Windows 2000 Environment”), and these accounts become members of the Service group.
System: When the system accesses specific functions as a user, that process becomes a member of the System group.
Terminal Server User: The group that includes users who log on through Terminal Services. These users become members of the Terminal Server User group.
You can learn more about domains and trust relationships in MCSE: Windows 2000 Directory Services Administration Study Guide, by Anil Desai with James Chellis (Sybex, 2000). Terminal Services are covered in MCSE: Windows 2000 Server Study Guide, by Lisa Donald with James Chellis (Sybex, 2000).
Working with Groups
Groups are used to logically organize users with similar rights requirements. Groups simplify administration because you can manage a few groups rather than many user accounts. For the same reason, groups simplify troubleshooting. Users can belong to as many groups as needed, so it’s not difficult to put users into groups that make sense for your organization.
For example, suppose that Jane is hired as a data analyst, to join the four other data analysts that work for your company. You sit down with Jane and create an account for her and assign her the network permissions for the access you think she needs. But then you later find that the four other data analysts, who have similar job functions, sometimes have network access Jane doesn’t have, and sometimes she has access they don’t have. This happened because all of their permissions were assigned individually, months apart. To avoid such problems and reduce your workload, you can assign all the data analysts to a group and then assign the group the appropriate permissions. Then, as users join or leave the department, you can simply add them to or remove them from the group.
This chapter covers the group-related material for the “Implement, configure,
and troubleshoot local user accounts” objective. All of the subobjectives for
this objective are covered in Chapter 6, “Managing Users.”
You can create new groups for your users, as well as use the Windows 2000 Professional default local built-in groups, which were described in the previous section. When you plan your groups, you should check to see if an existing local group meets your requirements before you decide to create a new group. For example, if all of the users need to access a particular application, it makes sense to use the default Users group instead of creating a new group and adding all of the users to that group.
To work with groups, you use the Local Users and Groups utility. In Chapter 6, “Managing Users,” you learned how to load and use the Local Users and Groups MMC snap-in to create and manage users. In the following sections, you will learn how to use this snap-in to create and manage groups.
Microsoft Exam Objective
Implement, configure, manage, and troubleshoot local user accounts.
Implement, configure, manage, and troubleshoot account settings.
Create and manage local users and groups.
The procedures for many basic group management tasks—creating, deleting,
and renaming groups—are the same for both Windows 2000 Professional and
Server.
Creating Groups
In order to create a group, you must be logged on as a member of the Administrators group or the Power Users group. The Administrators group has full permissions to manage users and groups. The members of the Power Users group can manage only the users and groups that they create.
When you create a local group, you should use the following guidelines:
The group name should be descriptive (for example, Accounting Data Users).
The group name must be unique to the computer, different from all of the other group names and usernames that exist on that computer.
Group names can be up to 256 characters. It is best to use alphanumeric characters for ease of administration. The backslash (\) character is not allowed.
As when you choose usernames, you should consider your naming conventions when assigning names to groups.
Creating groups is similar to creating users, and it is a fairly easy process.
After you’ve added the Local Users and Groups snap-in to the MMC, you
expand it to see the Users and Groups folders. Right-click the Groups folder
and select New Group from the pop-up menu. This brings up the New
Group dialog box, as shown in Figure 7.1.
If your computer doesn’t have MMC configured, you can access the Local Users and Groups utility through the Computer Management utility. Right-click My Computer and select Manage from the pop-up menu to open the Computer Management utility. In the System Tools folder, you will see the Local Users and Groups folder. Expand that folder to access the Users and Groups folders in the utility.
[...]... Professional built-in groups, which include default local groups, like Administrators and Power Users, and default special groups, like Everyone and Network. You can manage the default local groups, but the special groups are managed by the system.
The procedure for creating groups
You create groups through Local Users and Groups utility.
The procedure for adding users to groups and removing users from groups
You...
Review Questions
1. Which built-in group would you add a user to if you wanted the user to be able to create users and groups, but not manage properties of users and groups that user did not create?
A. Administrators
B. Power Users
C. Server Operators
D. Power Operators
2. Which of the following groups are default built-in local groups that can be managed through the Local Users and Groups...
Managing Group Membership
After you’ve created a group, you can add members to it. As mentioned earlier, you can put the same user in multiple groups. You can easily add and remove users through the group Properties dialog box, shown in Figure 7.2. To access this dialog box from the Groups folder in the Local Users and Groups utility, double-click the group...
9. Which of the following statements regarding local groups is true?
A. You cannot rename a group.
B. You can add users and other local groups to an existing local group.
C. The local group’s properties can contain a description.
D. You manage groups through the User Manager utility.
10. Which of the following are considered to be special groups in Windows 2000 Professional?...
one of the groups you created in Exercise 7.1.
EXERCISE 7.3 Renaming a Local Group
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Expand the Groups folder.
3. Right-click the Application Users group (created in Exercise 7.1) and select Rename.
4. Rename the group to App Users and press Enter.
Deleting Groups
If...
... .inf files
D. .cfg files
Answers to Review Questions
1. B. Members of the Power Users group can create users and groups, but can only manage the users and groups that they have created. Administrators can manage all users and groups. The Server Operators group only exists on Windows 2000 domain controllers. The Power Operators...
... Groups snap-in to the MMC (see Exercise 6.2 in Chapter 6).
EXERCISE 7.1 Creating Local Groups
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Right-click the Groups folder and select New Group.
3. In the New Group dialog box, type Data Users in the Group Name text box. Click the Create button.
4. Right-click the Groups folder and select New Group.
5. In the New Group dialog box, type Application...
... menu and Taskbar options. For example, you can specify whether or not users see common program groups and whether or not Logoff is an option on the Start menu. (The Start menu and Taskbar are covered in Chapter 5, “Managing the Desktop.”)
Desktop
Desktop policies allow you to configure options for the Active Desktop. For...
controllers. The Power Operators group does not exist by default on Windows 2000 computers.
2. A, C. You can manage the Backup Operators and Replicator local groups through the Local Users and Groups utility. The Everyone and Dialup groups are considered special groups, and their membership is determined by computer and network access.
3. B. There are no members of the Backup Operators group by default. Members of...
then add these users to one of the groups you created in Exercise 7.1.
EXERCISE 7.2 Adding Users to a Local Group
1. Open the MMC and expand the Local Users and Groups snap-in.
2. Create four new users: Bent, Claire, Patrick, and Trina. (See Chapter 6 for details on creating user accounts.) Deselect the User Must Change Password at Next Logon option for each user.
3. Expand the Groups folder.
4. Double-click the .
Date posted: 24/01/2014, 09:20