Groups
Groups are collections of users that administrators create to make their job of managing user rights and permissions easier. For example, assigning group access to a directory is easier than assigning access to individual users.
Windows NT Server includes the following predefined groups:
A special group called Everyone includes everybody who is currently logged on in the domain. The Users group is the typical group to which you assign normal, non-administrative users. You then grant the group permissions to files in public directories. You can also create custom groups. For example, if a team of specialists is working on a project that requires access to a directory called Project-X, you could create a group called Project-X, add the appropriate users, and then grant the group permissions to access the Project-X directory.
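The Project-X workflow described above, as an added example that is not from the original text. It uses the LocalAccounts and ACL cmdlets of current Windows PowerShell (5.1 or later, elevated session) rather than the Windows NT Server tools, and the member names and directory path are constructed assumptions.

```powershell
# Assumed values: the member accounts and the path are constructed for this example.
$GroupName = 'Project-X'
$Members   = @('alice', 'bob')     # local accounts that must already exist
$Directory = 'C:\Project-X'

# 1. Create the custom group once, then add the project members to it.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Project-X team' | Out-Null
}
foreach ($user in $Members) {
    # Skip accounts that are already members so the script can be re-run safely.
    $present = Get-LocalGroupMember -Group $GroupName |
        Where-Object { $_.Name -like "*\$user" }
    if (-not $present) {
        Add-LocalGroupMember -Group $GroupName -Member $user
    }
}

# 2. Grant the permission to the group, never to the individual users.
New-Item -ItemType Directory -Path $Directory -Force | Out-Null
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$type    = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = [System.Security.AccessControl.FileSystemAccessRule]::new(
               $GroupName, $rights, $inherit, $prop, $type)

$acl = Get-Acl -Path $Directory
$acl.AddAccessRule($rule)          # adds to the existing entries, replaces nothing
Set-Acl -Path $Directory -AclObject $acl

# 3. Review the result: the group should appear as an explicit (non-inherited)
#    entry, and no project member should appear by name.
(Get-Acl -Path $Directory).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Removing a user from the group later revokes that user's access to the directory without touching its access control list.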
The groups previously listed are called local groups. Members of these groups have rights in the local domain. If your network consists of multiple domains, you can use global groups to give users in one domain access to resources in another domain. The procedure to give a user in one domain access to resources in another domain goes like this:
This may sound odd at first, but remember that groups are collections of users that you want to assign rights or permissions to as a whole. In this case, you create a global group of users that you will grant access to another domain. There are three global groups by default: Domain Admins (administrators); Domain Users (normal users); and Domain Guests (contains the guest account for a domain).
Rights
Users and groups have rights that define what they can do on the system, such as log on to a local workstation, log on from another station on the network, manage user accounts, manage printers, perform backups, and perform a number of other tasks.
Rights should not be confused with permissions. Common rights for users and groups are listed below. Note that rights are usually assigned to groups and then users are added to groups.
Note: Most of these rights are designed for administrative users only. The right to log on from the network may seem odd since that is probably what you want every user to do, but for security reasons, you can revoke this right for the Administrator account. Administrators can then manage a server only while working at the physical system itself. This action prevents an attacker from successfully logging on to the Administrator account from the network.
Permissions
Users and groups need permissions to work with objects. For files, for example, they need permissions to open, read, write, and delete. Permissions are granted to users by administrators or by the owner of objects like directories and files. For directories, the procedure is to go to the directory, open the permissions list for the directory, and grant a user or group one or more of the following permissions.
File permissions are similar to the directory permissions listed above, except that there is no Add permission and no Add and Read permission. This is because directories are containers where files can be added. A file is not a container where you can add another file, so the Add and the Add and Read permissions are not necessary.
Now that basic user account and access permissions have been discussed, it is useful to go over the process of logging in and authenticating users.