Active Directory Groups And Group Scopes


Group Types:

1. Distribution Groups

Distribution groups have only one function—to create e-mail distribution lists. You use distribution groups with e-mail applications (such as Microsoft Exchange) to send e-mail to the members of the group. As with a security group, you can add a contact to a distribution group so that the contact receives e-mail sent to the group.

Distribution groups play no role in security (you do not assign permissions to distribution groups), and you cannot use them to filter Group Policy settings.

2. Security Groups

Security groups have two functions:

· To manage user and computer access to shared resources

· To filter Group Policy settings

You collect users, computers, and other groups into a security group and then assign appropriate permissions to specific resources (such as file shares and printers) to the security group. This simplifies administration by letting you assign permissions once to the group instead of multiple times to each individual user. When you add a user to an existing group, the user automatically gains the rights and permissions already assigned to that group.

Integral to understanding security groups is the concept of an access token. As explained in the Introduction, an access token is an object containing the security information for a logon session. Windows 2000 creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. (A process is software that is currently running.) The token identifies the user, the security groups to which the user belongs, and the privileges granted to the user and to the user’s security groups. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer.

If you use an e-mail client that can use Active Directory for address book lookup, or an e-mail system that uses Active Directory as its directory (such as Exchange 2000), you can also use security groups to send e-mail to all members of the group. You can add a contact to a security group, and that contact is sent e-mail along with the other members of the group. However, you cannot assign rights and permissions to a contact.

Group Scopes:

Default AD Local Groups:

Each entry lists the group, its description, and the default user rights assigned to it.

Group: Administrators
Description: Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users with caution. For more information, see Default local groups and Default groups.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Group: Backup Operators
Description: Members of this group can back up and restore files on the server, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. They cannot change security settings.
Default user rights: Access this computer from the network; Allow log on locally; Back up files and directories; Bypass traverse checking; Restore files and directories; Shut down the system.

Group: DHCP Administrators (installed with the DHCP Server service)
Description: Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able to perform other administrative actions on the server.
Default user rights: No default user rights.

Group: DHCP Users (installed with the DHCP Server service)
Description: Members of this group have read-only access to the DHCP Server service. This allows members to view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.
Default user rights: No default user rights.

Group: Guests
Description: In a computer joined to the domain, members of this group have a temporary profile created at log on, and when the member logs off, the profile is deleted. Profiles in workgroup environments are not deleted. The Guest account (which is disabled by default) is also a default member of this group.
Default user rights: No default user rights.

Group: HelpServicesGroup
Description: This group allows administrators to set rights common to all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group.
Default user rights: No default user rights.

Group: Network Configuration Operators
Description: Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.
Default user rights: No default user rights.

Group: Performance Monitor Users
Description: Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.
Default user rights: No default user rights.

Group: Performance Log Users
Description: Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.
Default user rights: No default user rights.

Group: Power Users
Description: Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.
Default user rights: Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; Shut down the system.

Group: Print Operators
Description: Members of this group can manage printers and print queues.
Default user rights: No default user rights.

Group: Remote Desktop Users
Description: Members of this group can remotely log on to a server. For more information, see Enabling users to connect remotely to the server.
Default user rights: Allow log on through Terminal Services.

Group: Replicator
Description: The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group.
Default user rights: No default user rights.

Group: Terminal Server Users
Description: This group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run with Windows NT 4.0 will run for a member of the Terminal Server Users group. The default permissions assigned to this group enable its members to run most earlier programs.
Default user rights: No default user rights.

Group: Users
Description: Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.
Default user rights: Access this computer from the network; Allow log on locally; Bypass traverse checking.

Group: WINS Users (installed with WINS service)
Description: Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members to view information and properties stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports.
Default user rights: No default user rights.
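As an added example (not part of the original document), the PowerShell check below compares the current membership of the default local groups listed above with the default members the text names for each, and reports every member that is not among those defaults so it can be reviewed. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember) and a session permitted to read local group membership; the expected-member table is built only from what the entries above state.

```powershell
# Added example, not code from the original page. Audits the default local
# groups against the default members the text lists for each of them.
# Assumes Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, 5.1+).

# Default members as stated in the entries above. Groups that the text says
# have no default members map to an empty list, so every member is reported.
$ExpectedMembers = @{
    'Administrators'                  = @('Administrator', 'Domain Admins')
    'Backup Operators'                = @()
    'Guests'                          = @('Guest')
    'Network Configuration Operators' = @()
    'Power Users'                     = @()
    'Print Operators'                 = @()
    'Remote Desktop Users'            = @()
    'Replicator'                      = @()
    'Users'                           = @('Domain Users', 'Authenticated Users', 'INTERACTIVE')
}

function Get-UnexpectedLocalGroupMembers {
    param([hashtable]$Expected = $ExpectedMembers)

    foreach ($groupName in $Expected.Keys) {
        # A group may be missing on a given host (optional services add some);
        # SilentlyContinue keeps the audit going instead of stopping on it.
        $members = Get-LocalGroupMember -Group $groupName -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            # Names come back as DOMAIN\Name, MACHINE\Name or NT AUTHORITY\Name.
            # Only the leaf is compared, so a local principal that reuses a
            # default domain name is not distinguished here; PrincipalSource
            # is emitted so a reviewer can tell the two apart.
            $leaf = ($m.Name -split '\\')[-1]
            if ($Expected[$groupName] -notcontains $leaf) {
                [pscustomobject]@{
                    Group       = $groupName
                    Member      = $m.Name
                    ObjectClass = $m.ObjectClass      # User or Group
                    Source      = $m.PrincipalSource  # Local or ActiveDirectory
                }
            }
        }
    }
}

# Members outside the documented defaults, one row per finding.
Get-UnexpectedLocalGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
```

Rows for Administrators, Backup Operators and Power Users deserve first attention, since the entries above show those groups carry rights (backup, restore, debug, driver loading) that override ordinary file permissions.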
