Groups

Groups are collections of users that administrators create to make their job of managing user rights and permissions easier. For example, assigning group access to a directory is easier than assigning access to individual users.

Windows NT Server includes the following predefined groups:

•  Administrators group. Members can manage the entire domain.

•  Backup Operators group. Members can perform backups and restores.

•  Guests group. Members can access the server from the network but cannot log on locally.

•  Print Operators group. Members can manage printers.

•  Replicators group. Members can manage replication services.

•  Server Operators group. Members can manage servers.

•  Users group. Members can access the server from the network but cannot log on locally.

A special group called Everyone includes everybody that is currently logged on in the domain. The Users group is the typical group that you assign normal non-administrative users to. You then grant the group permissions to files in public directories. You also create custom groups. For example, if a team of specialists is working on a project that requires access to a directory called Project-X, you could create a group called Project-X, add the appropriate users, and then grant the group permissions to access the Project-X directory.

The groups previously listed are called the local groups. Members of these groups have rights in the local domain. If your network consists of multiple domains, you can use what are called global groups to assign users in one domain access to resources in another domain. The procedure to give a user in one domain access to resources in another domain goes like this:

1.  Add a user to a global group.

2.  Add the global group to a local group in another domain.

This may sound odd at first, but remember that groups are collections of users that you want to assign rights or permissions to as a whole. In this case, you create a global group of users that you will grant access to another domain. There are three global groups by default: Domain Admins (administrators); Domain Users (normal users); and Domain Guests (contains the guest account for a domain).

Rights

Users and groups have rights that define what they can do on the system, such as log on to a local workstation, log on from another station on the network, manage user accounts, manage printers, perform backups, and perform a number of other tasks.

Rights should not be confused with permissions. Common rights for users and groups are listed below. Note that rights are usually assigned to groups and then users are added to groups.

•  Access this computer from network (the alternative is local logon or no logon)

•  Add workstations and member servers to domain

•  Back up files and directories

•  Change the system time

•  Force shutdown from a remote system

•  Load and unload device drivers

•  Log on locally (log on at the computer’s keyboard)

•  Manage auditing and security logs

•  Restore files and directories

•  Shut down the system

•  Take ownership of files or other objects

---

Note:  Note that most of these rights are designed for administrative users only. The right to log on from the network may seem odd since that is probably what you want every user to do, but for security reasons, you can revoke this right for the Administrator account. Then administrators can only manage a server while working at the physical system itself. This action prevents an attacker from successfully logging on to the Administrator account from the network.

---

Permissions

Users and groups need permissions to work with objects. For files, they need permissions to open, read, write, and delete for example. Permissions are granted to users by administrators or the owner of objects like directories and files. For directories, the procedure is to go to the directory, open the permissions list for the directory, and grant a user or group one or more of the following permissions.

•  No Access. Does not allow any kind of access by the user or group.

•  List. Allows the user or group to list files in a directory and “climb” the directory structure.

•  Read. Allows the user or group the same permissions as list and to open files and display their attributes, and to run programs.

•  Add. Allows the user or group to add files to a folder but not read or change files that have been placed in the folder. Such a folder is called a drop box.

•  Add and Read. Allows all the permissions of Add along with the ability to read but not change files in a folder.

•  Change. Allows all the permissions of Read, along with the ability to create new folders, add files, change data in and append data to files, change file attributes, and delete files and folders.

•  Full Control. Allows the same permissions as Change, along with the ability to change permissions of a folder and its files. Users have this permission in their home directory. The Administrator has this permissions for the entire volume.

File permissions are similar to the directory permissions listed above, except that there is no Add or Add and Read permission. This is because directories are containers where files can be added. In this sense, a file is not a container where you can add another file, so the Add or Add and Read permission is not necessary.

Now that basic user account and access permissions have been discussed, it is useful to go over the process of logging in and authenticating users.