As we saw when we discussed user objects, a number of built-in accounts are automatically created when you install Active Directory. This not only applies to user accounts, but group accounts as well. Many of these groups have preconfigured rights, which allow members to perform specific tasks. When users are added to these groups, they are given these rights in addition to any assigned permissions to access resources.
The groups that are created when Active Directory is installed can be accessed through Active Directory Users and Computers, and are located in two containers: Builtin and Users. Although they are stored in these containers, they can be moved to other OUs within the domain. Those in the Builtin container have a domain local scope, while those in the Users container have either a domain local, global, or universal scope. In the paragraphs that follow, we will look at the individual groups located in each of these containers, and see what rights they have to perform network-related tasks.
Default Groups in Builtin Container
Up to 14 different built-in groups might be located by default in the Builtin container, including:
■ Account Operators, which allows members to manage accounts
■ Administrators, which gives members full control
■ Backup Operators, which allows members to back up and restore files
■ Guests, which gives members minimal access
■ Incoming Forest Trust Builders, which is only available in forest root domains, and gives members permission to Create Inbound Forest Trusts
■ Network Configuration Operators, which allows members to manage network settings
■ Performance Monitor Users, which allows users to manage performance counters and use System Monitor
■ Performance Log Users, which allows users to manage performance counters and use Performance Logs and Alerts
■ Pre-Windows 2000 Compatible Access, which is used for backward compatibility
■ Print Operators, which allows members to manage printers
■ Remote Desktop Users, which allows members to connect to servers using Remote Desktop
■ Replicator, which is used for replication purposes
■ Server Operators, which allows members to manage servers
■ Users, which contains every user account created in the domain
The Account Operators group is used to allow members to perform account management. Users who are part of its membership have the ability to create, modify, and delete many of the user, group, and computer accounts that are stored in Active Directory. They can manage accounts in the Users and Computers containers and in any OU of the domain except the Domain Controllers OU. To prevent members of this group from affecting administrator accounts, members of the Account Operators group cannot modify the Administrators and Domain Admins groups, or any accounts that are members of these groups. Because membership of most other groups in the domain can still be changed by its members, this group should be treated as highly privileged, and its membership should be left empty unless there is a specific need for it.
Members of the Account Operators group also have certain abilities when dealing with DCs in the domain in which this group is located. They can log on locally to a DC, which means that they can physically sit at a DC and log on to it. In doing so, they could then make modifications to the DC. They also have the ability to shut down the DC, which is useful if there is a problem with the DC and no one else is available to restart the system.
The Administrators group is the most powerful of the groups in the Builtin container, and has full control over the domain. Members of this group can access DCs over the network, back up files and directories, change system time, adjust memory quotas, create page files, load and unload device drivers, delegate responsibility to users and computers, shut down the system, and perform other tasks relating to accounts and DCs. By default, the Domain Admins and Enterprise Admins groups and the Administrator account are members of the Administrators group.
The Backup Operators group is used to give members the ability to back up and restore files on DCs. It doesn't matter what the member's permissions on different files are, as they can back up and restore any file on the system. In addition, they have the ability to log on locally to DCs and shut down the system. Because the backup right bypasses file permissions, a member can copy any file on a DC, including the Active Directory database itself, so membership should be treated as equivalent to administrative access to the domain. Due to the level of abilities attributed to members of this group, by default there are no members when it is first created.
The Guests group is the least powerful group in the Builtin container, and has a membership that consists of accounts and groups for people who require minimal access, or haven't logged on using their own accounts. The Guest account and the Domain Guests group are members of this group. As you'll recall, the Guest account is disabled by default, meaning that when this group is initially created it has no active users.
Because of its purpose, the Incoming Forest Trust Builders group is only available in forest root domains. Members of this group have the permission to Create Inbound Forest Trust. This permission gives them the ability to create one-way, incoming forest trusts, which can only be made between the root domains of two forests. A one-way trust means that users from one forest can access resources in another forest, but not vice versa. Because of the ability to create trusts between two forests, there are no default members in this group when it is initially created.
As its name states, the Network Configuration Operators group is used to manage changes to the network settings. The members in this group have the ability to renew and release IP addresses on servers in the domain, and modify TCP/IP settings. Because this can possibly make the server inaccessible if done incorrectly, this group has no default members, and new members should be added with caution.
The Performance Monitor Users and Performance Log Users groups are used for managing performance counters on servers within the domain. Performance counters are used to monitor and measure elements of the DC, such as memory, hard disk, processor, network activity, and so on. These counters are used by two related utilities in Windows 2000 and Windows Server 2003: System Monitor, and Performance Logs and Alerts. Both of these utilities can be accessed through the Performance console that is available under Administrative Tools in the Windows Start menu.
Members of the Performance Monitor Users group can use System Monitor to monitor performance counters. They can view counters locally or remotely, viewing them in a graphical or textual format. By doing so, they can determine if performance issues exist on servers within a domain.
Members of the Performance Log Users group also have the ability to manage performance counters, but can use the Performance Logs and Alerts utility to create and view logs, and configure alerts that will notify specific users (such as administrators) if a problem exists. For example, if the amount of free hard disk space drops below a certain level, a message can be sent to a network administrator advising of the potential problem. Members of this group can also configure certain programs to run if the values of performance counters exceed or fall below a specific setting.
The Pre-Windows 2000 Compatible Access group is used for backward compatibility with older versions of Windows. Members of this group have Read access for viewing all users and groups within the domain. Depending on the security settings chosen during the installation of Active Directory, the Everyone group might be a member of this group; however, additional members can be added that are running Windows NT 4.0 or earlier if needed. While Everyone remains a member, any account can enumerate every user and group in the domain, so it should be removed once no pre-Windows 2000 systems need this access.
The Print Operators group allows members to perform tasks that are necessary in the administration of printers. Users who are members of this group can manage printer objects in Active Directory, and create, share, manage, and delete printers that are connected to DCs within the domain. Because adding new printers to a server might require performing certain actions like rebooting the computer, this group also has the ability to load and unload device drivers, and shut down the system. Because a driver runs in kernel mode on the DC, the ability to load one gives members far more than printer management, and membership should be granted as carefully as for the other operator groups. As with other groups discussed in this section, the Print Operators group has no members added to it when initially created.
The Remote Desktop Users group allows members to connect remotely to DCs in the domain using Remote Desktop. Being able to remotely log on to the DC allows them to perform actions as if they were physically sitting at the server and working on it. Because of the power this group gives members, it has no default members.
The Replicator group is one that should never have users added to it. This group is used by the File Replication Service (FRS) and provides support for replicating data; therefore, it isn't meant to have users as members.
The Server Operators group provides a great deal of power to its membership, which is why there are no default members when it is initially created. Members of this group can perform a number of administrative tasks on servers within the domain, including creating and deleting shared resources, backing up and restoring files, starting and stopping services, shutting down the system, and even formatting hard drives. Because members have the potential to cause significant damage to a DC, users should be added with caution to this group.
The Users group includes every user account that's created in the domain as part of its membership. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. By being part of this group, members are able to run applications, access local and network printers, and perform other common tasks that are necessary for normal job functions.
Default Groups in Users Container
In addition to the groups we've discussed, up to 14 built-in groups can be located by default in the Users container, including:
■ Cert Publishers, which gives members the ability to publish certificates
■ DnsAdmins, which provides administrative access to the DNS Server service
■ DnsUpdateProxy, which provides members with the ability to perform dynamic updates for other clients
■ Domain Admins, which gives members full control of the domain
■ Domain Computers, which includes computers that are part of the domain
■ Domain Controllers, which includes DCs
■ Domain Guests, which includes guests of the domain
■ Domain Users, which includes users of the domain
■ Enterprise Admins, which gives full control over every domain in the forest
■ Group Policy Creator Owners, which allows members to manage group policies in the domain
■ IIS_WPG, which is used by Internet Information Service (IIS)
■ RAS and IAS Servers, which allows members to manage remote access
■ Schema Admins, which allows members to modify the schema
■ Telnet Clients, which is used for clients to connect using Telnet
The Cert Publishers group is used for digital certificates, which we discussed in Chapter 1. Although this group has no default members, when members are added to it they have the ability to publish certificates for users and computers to Active Directory. Other users and computers can then retrieve a published certificate from the directory to encrypt data for its owner or to verify the owner's signatures.
The DnsAdmins and DnsUpdateProxy groups are installed when DNS is installed. Both of these groups have no default members, but when members are added they have abilities relating to the DNS Server service. The DnsAdmins group allows members to have administrative access to the DNS Server service, which on a DC that hosts Active Directory-integrated zones means administrative access to a service running on the DC itself, so its membership should be limited to DNS administrators. The DnsUpdateProxy group allows members to perform dynamic DNS updates on behalf of other clients, and circumvent the DACLs that typically accompany Secure Dynamic Updates. Records registered by members of DnsUpdateProxy are not owned by the registering account, so any authenticated user can later update them; only servers that register records for other clients, such as DHCP servers, should be members.
The Domain Admins group has full control in a domain. This group becomes a member of the Administrators group on each DC, workstation, and member server when they join a domain. Because of this membership, group members have all of the rights associated with the Administrators group, including the ability to back up and restore files, change the system time, create page files, enable accounts for delegation, shut down a computer remotely, load and unload device drivers, and perform other tasks relating to administration of Active Directory and servers.
The Domain Computers and Domain Controllers groups have memberships consisting of computers in the domain. The Domain Computers group contains all workstations and servers that have joined a domain, except for DCs. When a computer account is created, the computer object automatically becomes a part of this group. Similarly, the Domain Controllers group contains all DCs that are part of the domain. Using these groups, you can set permissions and rights that apply to the computer accounts that exist within a domain.
The next two groups we'll discuss are for users who have their own accounts, or log on using a guest account. The Domain Guests group has a membership consisting of any domain guests, while the Domain Users group consists of all domain users, by default. Any user account that is created in a domain automatically becomes a member of the Domain Users group.
Enterprise Admins is a group that appears in the forest root domain, and allows members to have full control over every domain in the forest. Members of this group are automatically added to the Administrators group on every DC in every domain of the forest. As discussed earlier in this chapter, the Administrator account is a member of this group. Because of the power it gives a user, additional members should be added with caution.
The Group Policy Creator Owners group is used to manage group policy within a domain. Group policies allow you to control a user's environment. Using policies, you can control such things as the appearance and behavior of a user's desktop, and limit the user's control over his or her computer. Members of the Group Policy Creator Owners group can create new Group Policy Objects in the domain and modify the ones they have created; linking a policy to a site, domain, or OU requires a separate permission on that object. Due to the power these members have over users within a domain, the Administrator account is the only default member of this group.
The IIS_WPG group is installed when IIS is installed. IIS version 6.0 uses worker processes to serve individual namespaces (Web sites and applications), and allows them to run under other identities. For example, a worker process might serve the namespace www.syngress.com, but could also run under another identity in the IIS_WPG group called Syngress. Because these identities need configuration to apply them to a particular namespace, there are no default members in this group.
The RAS and IAS Servers group is used for the Remote Access Service (RAS) and Internet Authentication Service (IAS), which provide remote access to a network. The members of this group have the ability to access the remote access properties of users in a domain. This allows them to assist in the management of accounts that need this access.
The Schema Admins group is another group that only appears in the forest root domain. This group allows members to modify the schema. The schema is used to define the object classes and attributes that form the backbone of the Active Directory database. As mentioned previously, the Administrator account is a default member of this group. Additional users should be added with caution, due to the widespread effect this group can have on a forest.
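The two sections above describe which default groups live in the Builtin and Users containers, what scope they have, and which ones are created empty and should stay that way. The following PowerShell script is an added example, not code from the original text: it walks both containers of the current domain, reports each default group's scope and members, and flags the cases the text warns about (operator and DNS groups that have gained members, and Everyone or anonymous callers in Pre-Windows 2000 Compatible Access). It assumes the ActiveDirectory module from RSAT and an account that can read group membership; the "expected empty" list is our own selection of the groups the text says have no default members.

```powershell
# Added example, not from the original text: audit the default groups in the
# Builtin and Users containers of the current domain.
# Assumptions: ActiveDirectory module (RSAT) is installed, the caller can read
# group membership, and default English group names are in use.
Import-Module ActiveDirectory

$dn = (Get-ADDomain).DistinguishedName

# Groups the text describes as created with no members. A member is not
# automatically wrong, but each one should be justified.
$expectEmpty = @(
    'Account Operators', 'Backup Operators', 'Incoming Forest Trust Builders',
    'Network Configuration Operators', 'Print Operators', 'Remote Desktop Users',
    'Replicator', 'Server Operators', 'Cert Publishers', 'DnsAdmins', 'DnsUpdateProxy'
)

# Well-known SIDs appear in the member attribute as foreign security principals,
# e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,<domain DN>.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-MemberName {
    param([string]$MemberDn)
    # Reduce a member DN to its leading RDN and translate well-known SIDs.
    $rdn = ($MemberDn -split ',')[0] -replace '^CN='
    if ($wellKnown.ContainsKey($rdn)) { return $wellKnown[$rdn] }
    return $rdn
}

$report = foreach ($container in "CN=Builtin,$dn", "CN=Users,$dn") {
    # Read the member attribute directly; Get-ADGroupMember cannot resolve
    # well-known principals such as Everyone and fails on those groups.
    Get-ADGroup -SearchBase $container -SearchScope OneLevel -Filter * -Properties member |
        ForEach-Object {
            $group   = $_
            $members = @($group.member | ForEach-Object { Resolve-MemberName $_ })

            $finding = ''
            if ($expectEmpty -contains $group.Name -and $members.Count -gt 0) {
                $finding = 'Expected empty; review each member'
            } elseif ($group.Name -eq 'Pre-Windows 2000 Compatible Access' -and
                      ($members -contains 'Everyone' -or $members -contains 'ANONYMOUS LOGON')) {
                $finding = 'Everyone/anonymous can read all users and groups; remove once legacy clients are gone'
            }

            [pscustomobject]@{
                Container   = ($container -split ',')[0] -replace '^CN='
                Group       = $group.Name
                Scope       = $group.GroupScope      # Builtin groups should all be DomainLocal
                MemberCount = $members.Count
                Members     = $members -join '; '
                Finding     = $finding
            }
        }
}

$report | Sort-Object Container, Group |
    Format-Table Container, Group, Scope, MemberCount, Finding -AutoSize

# Forest-root-only groups: on a DC of a child domain these lookups return
# nothing, which is expected. Anything beyond the Administrator account here
# deserves a written justification.
foreach ($name in 'Enterprise Admins', 'Schema Admins') {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Properties member
    if ($g) {
        '{0}: {1}' -f $name, (($g.member | ForEach-Object { Resolve-MemberName $_ }) -join '; ')
    }
}
```

Run it from a management workstation as an ordinary domain user; reading group membership needs no special rights. The report's Scope column lets you confirm the claim above that every Builtin group is domain local, and the Finding column turns the "no default members" statements in the text into something you can re-check after every change window.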