USER ACCOUNT MANAGEMENT
The system administrator utility USER MANAGER FOR DOMAINS creates and manages
user accounts. It can also set system-wide policies that apply to all users.
In a Windows NT domain, the PDC keeps the master accounts database, and this
database is replicated to the BDCs at regular intervals [actually, only the
changes are replicated].
USER ACCOUNTS
A user account consists of the following information [the list is deliberately
incomplete]:
- username
- password
- group memberships
- rights for using a particular system
- full name
- account description
- list of logon workstations
- allowed logon hours
As can be seen from the User Manager window above, it is split into two parts:
users and groups.
Windows NT Server Groups
Microsoft looked at what users do, and created a number of default groups with
special permissions that suit these tasks.
Groups
- contain users or other groups
- give members the permissions that belong to the group
- provide easier management of users
There are THREE main groups used in Windows NT Server
- Local Groups
Are used to assign permissions in the local domain. Can contain users and
Global groups, including Global groups from other trusted domains.
- Global Groups
Contains user accounts only. Used to export user accounts to other domains,
where they can be imported into Local Groups on trusting domains
- Special Groups
Used by Windows NT Server for system access, and do not contain user or
group accounts
Local Groups
Local groups are limited to the domain [or computer] they are created on. They
are created using User Manager, and a number of pre-existing Local groups have
been provided.
Local groups created on a Windows NT Server [one that is neither a PDC nor a
BDC] or on a Windows NT Workstation are limited to that computer only. In
contrast, a Local group created on a domain controller can be used on any
server that is a member of that domain, but cannot be used outside the domain.
The Built-In Local Groups
Microsoft recommends that you use the existing Local groups where possible. The
following table lists the Local groups built-in to Windows NT Server.
Available on | Local Group Name | Members | Who can modify? | Rights
--- | --- | --- | --- | ---
DC | Account Operators | None | Administrators, Account Operators, Server Operators | Create, delete and modify user accounts and groups. Cannot modify the Administrators or Server Operators groups.
W+S+DC | Administrators | Domain Admins, Administrator | Administrators | Create, delete and manage user accounts and groups. Share directories and printers. Grant resource permissions. Install OS files and programs.
W+S+DC | Backup Operators | None | Administrators | Back up and restore servers. Log on locally. Shut down the server.
W+S+DC | Guests | Guest | Administrators, Account Operators |
W+S | Power Users | | |
DC | Print Operators | None | Administrators | Share and remove sharing of printers. Manage printers. Log on locally. Shut down servers.
W+S+DC | Replicator | None | Administrators, Account Operators, Server Operators | Used with the Directory Replication Service.
DC | Server Operators | None | Administrators | Share and remove sharing of resources. Format the server disks. Log on locally. Back up and restore servers. Shut down servers. Lock and unlock servers.
W+S+DC | Users | Domain Users | Administrators, Account Operators |
W = NT Workstation, S = Windows NT Server, DC = Domain Controller
Default Rights for Built-in Local Groups on Windows NT Server
The following rights are visible in User Manager for Domains.
[AD = Administrators, AO = Account Operators, BO = Backup Operators,
E = Everyone, G = Guests, PO = Print Operators, SO = Server Operators, U = Users]
Rights | AD | AO | BO | E | G | PO | SO | U
--- | --- | --- | --- | --- | --- | --- | --- | ---
Access this computer from the network | Yes | | | Yes | | | |
Backup files and directories | Yes | | Yes | | | | Yes |
Change the system time | Yes | | | | | | Yes |
Force shutdown from remote location | Yes | | | | | | Yes |
Logon locally | Yes | Yes | Yes | | | Yes | Yes |
Manage auditing and security log | Yes | | | | | | |
Shut down the system | Yes | Yes | Yes | | | Yes | Yes |
Restore files and directories | Yes | | Yes | | | | Yes |
Take ownership of files | Yes | | | | | | |
The following rights are NOT visible in User Manager for Domains [defaults
which you cannot change].
Rights | AD | AO | BO | E | G | PO | SO | U
--- | --- | --- | --- | --- | --- | --- | --- | ---
Assign user rights | Yes | | | | | | |
Create and manage user accounts | Yes | Yes | | | | | |
Create and manage global groups | Yes | Yes | | | | | |
Create and manage local groups | Yes | Yes | | | | | | Yes
Create common groups | Yes | | | | | | Yes |
Format the server's hard disk | Yes | | | | | | Yes |
Keep local profile | Yes | Yes | Yes | | | Yes | Yes |
Lock the server | Yes | | | Yes | | | Yes |
Share and stop sharing directories | Yes | | | | | | Yes |
Share and stop sharing printers | Yes | | | | | Yes | Yes |
Unlock the server lock | Yes | | | | | | Yes |
If you unlock a server that has been locked by another user, any work in
progress will be lost.
Users will only be able to add local groups if they have access to User
Manager for Domains.
Everyone has the right to lock an NT Server, but does not have the right to
log on locally.
Global Groups
Global groups contain users from the local domain. They are also used to export
users to another trusting domain. Global groups do not have rights to
perform any administrative tasks. For instance, the built-in global group Domain
Admins can only perform administrative tasks if it is made a member of the local
group Administrators.
The Built-In Global Groups
The following table lists the Global groups built-in to Windows NT Server.
Global Group Name | Members | Who can modify? | Initially member of
--- | --- | --- | ---
Domain Admins | Administrator | Administrators | Administrators
Domain Guests | Guest | Administrators, Account Operators | Guests
Domain Users | Administrator | Administrators, Account Operators | Users
How to Use Groups In Domains
Let's consider some recommendations concerning the use of Global and Local group
memberships as outlined by Microsoft.
Function | Group to use
--- | ---
Export users to another domain | Global
Assign permissions and rights to local domain resources | Local
Give rights to users from another domain | Local
Combine groups | Local
Users need access to Windows NT Workstations or NT Servers in a domain | Global
The recommended procedure is therefore:
- Create users and add them to a global group
- Add the global group to a local group
- Assign permissions and rights to the local group
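The following Python model is an added example and is not part of the original page. It encodes the containment rules from the Local and Global group sections (Global groups hold only their own domain's users; Local groups hold users and Global groups, including Global groups from trusted domains, but never other Local groups) and walks through the three-step recommendation above. The domains CORP and SALES, the users, the trust between them and the custom group "Backup Staff" are constructed for the demonstration; the rights attached to the built-in Local groups are a subset copied from the page's rights tables. It also shows the point made about Domain Admins: a Global group confers no rights until it is placed inside a Local group that holds them.

```python
"""Model of the Windows NT Local/Global group rules and the AGLP recommendation.

Added example, not code from the original page. Domain names (CORP, SALES),
user names, the trust relationship and the group "Backup Staff" are constructed;
the rights of built-in Local groups are a subset of the page's tables.
"""
from dataclasses import dataclass, field

# Subset of the page's two rights tables, keyed by built-in Local group.
BUILTIN_LOCAL_RIGHTS = {
    "Administrators": {
        "Access this computer from the network", "Logon locally",
        "Manage auditing and security log", "Take ownership of files",
        "Assign user rights", "Create and manage user accounts",
    },
    "Account Operators": {
        "Logon locally", "Create and manage user accounts",
        "Create and manage global groups", "Create and manage local groups",
    },
    "Backup Operators": {
        "Backup files and directories", "Restore files and directories",
        "Logon locally", "Shut down the system",
    },
    "Users": {"Create and manage local groups"},
    # Page note: Everyone may lock the server but has no "Logon locally" right.
    "Everyone": {"Access this computer from the network", "Lock the server"},
}


@dataclass
class Domain:
    name: str
    trusts: set = field(default_factory=set)           # domains whose accounts we accept
    users: set = field(default_factory=set)
    global_groups: dict = field(default_factory=dict)  # name -> {users of THIS domain}
    local_groups: dict = field(default_factory=dict)   # name -> {(domain, member, kind)}
    rights: dict = field(default_factory=lambda: {g: set(r) for g, r in BUILTIN_LOCAL_RIGHTS.items()})


class Forest:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name, trusts=()):
        self.domains[name] = Domain(name, trusts=set(trusts))

    def add_user(self, domain, user):
        self.domains[domain].users.add(user)

    def add_to_global_group(self, domain, group, user):
        """Global groups contain user accounts only, and only from their own domain."""
        d = self.domains[domain]
        if user not in d.users:
            raise ValueError(f"{user} is not a user account in {domain}")
        d.global_groups.setdefault(group, set()).add(user)

    def add_to_local_group(self, domain, group, member_domain, member, kind):
        """Local groups take users and Global groups; Global groups may come from trusted domains."""
        d = self.domains[domain]
        if kind not in ("user", "global"):
            raise ValueError("Local groups cannot contain other Local groups")
        if member_domain != domain and member_domain not in d.trusts:
            raise ValueError(f"{domain} does not trust {member_domain}")
        src = self.domains[member_domain]
        pool = src.users if kind == "user" else src.global_groups
        if member not in pool:
            raise ValueError(f"{member_domain}\\{member} does not exist")
        d.local_groups.setdefault(group, set()).add((member_domain, member, kind))

    def grant_right(self, domain, local_group, right):
        """Step 3 of the recommendation: rights and permissions go on the Local group."""
        self.domains[domain].rights.setdefault(local_group, set()).add(right)

    def local_groups_of(self, domain, user_domain, user):
        """Local groups in `domain` holding the user directly or through a Global group."""
        found = {"Everyone"}  # every logged-on user is in the special group Everyone
        for group, members in self.domains[domain].local_groups.items():
            for mdom, member, kind in members:
                if kind == "user" and (mdom, member) == (user_domain, user):
                    found.add(group)
                elif kind == "global" and mdom == user_domain \
                        and user in self.domains[mdom].global_groups.get(member, set()):
                    found.add(group)
        return found

    def effective_rights(self, domain, user_domain, user):
        """Union of the rights of every Local group the user resolves to in `domain`."""
        d = self.domains[domain]
        groups = self.local_groups_of(domain, user_domain, user)
        return set().union(*(d.rights.get(g, set()) for g in groups))


def build_example():
    """CORP holds the accounts; SALES trusts CORP and grants access via the three steps."""
    f = Forest()
    f.add_domain("CORP")
    f.add_domain("SALES", trusts=["CORP"])
    f.add_user("CORP", "alice")
    f.add_user("CORP", "bob")
    f.add_to_global_group("CORP", "Domain Admins", "alice")
    f.add_to_global_group("CORP", "Backup Staff", "bob")     # step 1
    # Domain Admins only gains rights where it sits inside a Local Administrators group.
    f.add_to_local_group("CORP", "Administrators", "CORP", "Domain Admins", "global")
    f.add_to_local_group("SALES", "Backup Operators", "CORP", "Backup Staff", "global")  # step 2
    f.grant_right("SALES", "Backup Operators", "Read SALES\\reports share")              # step 3
    return f
```

Running `build_example()` and calling `effective_rights("SALES", "CORP", "alice")` returns only the Everyone rights: alice is a Domain Admin in CORP, but SALES never placed CORP\Domain Admins into one of its Local groups, so she holds no administrative right there. Bob, by contrast, reaches SALES\Backup Operators through the Global group and inherits both its built-in rights and the share permission granted in step 3.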
Salam Saif Said AL-Riyami, Sultanate of Oman
Copyright © 2001 www.donya.8m.net. All rights reserved.
Revised: May 09, 2001