User Account

 


USER ACCOUNT MANAGEMENT
The system administrator utility USER MANAGER FOR DOMAINS creates and manages user accounts. It can also be used to specify system-wide policies for all users.

In a Windows NT Domain, the PDC (Primary Domain Controller) keeps the master accounts database, and this database is replicated to the BDCs (Backup Domain Controllers) at regular intervals [actually, only the changes are replicated].

USER ACCOUNTS
A user account consists of the following information [the list is deliberately incomplete]:
username
password
group memberships
rights for using a particular system
full name
account description
list of logon workstations
allowed logon hours

As can be seen from the window above, it is split into two parts, users and groups.

Windows NT Server Groups
Microsoft looked at what users do, and created a number of default groups with special permissions that suit these tasks.

Groups
contain users or other groups
give members the permissions that belong to the group
provide easier management of users

There are THREE main groups used in Windows NT Server:

  1. Local Groups
    Are used to assign permissions in the local domain. Can contain users and Global groups, including Global groups from other trusted domains.
  2. Global Groups
    Contains user accounts only. Used to export user accounts to other domains, where they can be imported into Local Groups on trusting domains.
  3. Special Groups
    Used by Windows NT Server for system access, and do not contain user or group accounts.

Local Groups
Local groups are limited to the domain [or computer] they are created on. They are created using User Manager, and a number of pre-existing Local groups have been provided.

Local groups created on a Windows NT Server [non BDC or PDC] or Windows NT workstation are limited to that computer only. In contrast, a Local group created on a domain controller can be used on any server which is a member of that domain, but cannot be used outside the domain.

The Built-In Local Groups
Microsoft recommends that you use the existing Local groups where possible. The following table lists the Local groups built into Windows NT Server.

 
| Available on | Local Group Name | Members | Who can modify? | Rights |
|---|---|---|---|---|
| DC | Account Operators | None | Administrators, Account Operators, Server Operators | Create, Delete, Modify user accounts and groups. Cannot modify the Administrator or Server Operator groups. |
| W+S+DC | Administrators | Domain Admins, Administrator | Administrators | Create, Delete, Manage user accounts and groups. Share directories and printers. Grant resource permissions. Install OS files and programs. |
| W+S+DC | Backup Operators | None | Administrators | Backup and Restore servers. Logon locally. Shut down the server. |
| W+S+DC | Guests | Guest | Administrators, Account Operators | |
| W+S | Power Users | | | |
| DC | Print Operators | None | Administrators | Share and remove sharing printers. Manage printers. Logon locally. Shut down servers. |
| W+S+DC | Replicator | None | Administrators, Account Operators, Server Operators | Used with the Directory Replication Service. |
| DC | Server Operators | None | Administrators | Share and remove sharing resources. Format the server disks. Logon locally. Backup and restore servers. Shut down servers. Lock and unlock servers. |
| W+S+DC | Users | Domain Users | Administrators, Account Operators | |

 

	W=NT Workstation
	S=Windows NT Server
	DC=Domain Controller

Default Rights for Built-in Local Groups on Windows NT Server
The following rights are visible in User Manager for Domains.

 
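| Rights | AD | AO | BO | E | G | PO | SO | U |
|---|---|---|---|---|---|---|---|---|
| Access this computer from the network | Yes | | | Yes | | | | |
| Backup Files and directories | Yes | | Yes | | | | Yes | |
| Change the system time | Yes | | | | | | Yes | |
| Force shutdown from remote location | Yes | | | | | | Yes | |
| Logon locally | Yes | Yes | Yes | | | Yes | Yes | |
| Manage auditing and security log | Yes | | | | | | | |
| Shut down the system | Yes | Yes | Yes | | | Yes | Yes | |
| Restore files and directories | Yes | | Yes | | | | Yes | |
| Take ownership of files | Yes | | | | | | | |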

The following rights are NOT visible in User Manager for Domains [defaults which you cannot change].

 
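| Rights | AD | AO | BO | E | G | PO | SO | U |
|---|---|---|---|---|---|---|---|---|
| Assign user rights | Yes | | | | | | | |
| Create and manage user accounts | Yes | Yes | | | | | | |
| Create and manage global groups | Yes | Yes | | | | | | |
| Create and manage local groups | Yes | Yes | | | | | | Yes |
| Create common groups | Yes | | | | | | Yes | |
| Format the server's hard disk | Yes | | | | | | Yes | |
| Keep local profile | Yes | Yes | Yes | | | Yes | Yes | |
| Lock the server | Yes | | | Yes | | | Yes | |
| Share and stop sharing directories | Yes | | | | | | Yes | |
| Share and stop sharing printers | Yes | | | | | Yes | Yes | |
| Unlock the server lock | Yes | | | | | | Yes | |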

If you unlock a server that has been locked by another user, any work in progress will be lost.

Users will only be able to add local groups if they have access to User Manager for Domains.

Everyone has the right to lock an NT Server, but does not have the right to log on locally.

 

Global Groups
Global groups contain users from the local domain. They are also used to export users to another trusting domain. Global groups do not have rights to perform any administrative tasks. For instance, the built-in global group Domain Admins can only perform administrative tasks if it is made a member of the local group Administrators.

The Built-In Global Groups
The following table lists the Global groups built-in to Windows NT Server.

 
| Global Group Name | Members | Who can modify? | Initially member of |
|---|---|---|---|
| Domain Admins | Administrator | Administrators | Administrators |
| Domain Guests | Guest | Administrators, Account Operators | Guests |
| Domain Users | Administrator | Administrators, Account Operators | Users |

How to Use Groups In Domains
Let's consider some recommendations concerning the use of Global and Local group memberships as outlined by Microsoft.

 
| Function | Group to use |
|---|---|
| Export users to another domain | Global |
| Assign permissions and rights to local domain resources | Local |
| Give rights to users from another domain | Local |
| Combine groups | Local |
| Users need access to Windows NT Workstations or NT servers in a domain | Global |

 

  1. Create users and add them to a global group
  2. Add the global group to a local group
  3. Assign permission rights to the local group
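
The three steps above, together with the rule that a global group has no rights until it is made a member of a local group, can be checked with a small model that also shows which membership path grants each right. This is an added example, not part of the original page: the accounts `helpdesk1` and `clerk1` are constructed, and `LOCAL_RIGHTS` copies only a few rows from the page's rights tables.

```python
# Constructed model of the page's group rules. helpdesk1 and clerk1 are
# hypothetical accounts; LOCAL_RIGHTS is a subset of the page's rights tables.
LOCAL_RIGHTS = {
    "Administrators": {"Logon locally", "Take ownership of files", "Assign user rights"},
    "Account Operators": {"Logon locally", "Create and manage user accounts"},
    "Backup Operators": {"Logon locally", "Backup Files and directories"},
    "Users": {"Create and manage local groups"},
}

class Domain:
    def __init__(self):
        self.global_groups = {}  # global group name -> set of user names
        self.local_groups = {}   # local group name -> set of users / global groups

    def add_to_global(self, group, member):
        # Global groups contain user accounts only.
        if member in self.global_groups or member in self.local_groups:
            raise ValueError(f"global group {group!r} cannot contain group {member!r}")
        self.global_groups.setdefault(group, set()).add(member)

    def add_to_local(self, group, member):
        # Local groups contain users and global groups, never other local groups.
        if member in self.local_groups:
            raise ValueError(f"local group {group!r} cannot contain local group {member!r}")
        self.local_groups.setdefault(group, set()).add(member)

    def effective_rights(self, user):
        """Map each right the user holds to the membership paths that grant it."""
        found = {}
        for lg, members in self.local_groups.items():
            paths = [[user, lg]] if user in members else []
            paths += [[user, gg, lg] for gg in sorted(members)
                      if user in self.global_groups.get(gg, ())]
            for right in LOCAL_RIGHTS.get(lg, ()):
                for path in paths:
                    found.setdefault(right, []).append(" -> ".join(path))
        return found

def build_sample():
    d = Domain()
    # Step 1: create users and add them to global groups.
    for group, user in [("Domain Admins", "Administrator"), ("Domain Admins", "helpdesk1"),
                        ("Domain Users", "helpdesk1"), ("Domain Users", "clerk1")]:
        d.add_to_global(group, user)
    # Step 2: add the global groups to local groups (clerk1 is added directly).
    d.add_to_local("Administrators", "Domain Admins")
    d.add_to_local("Users", "Domain Users")
    d.add_to_local("Backup Operators", "clerk1")
    return d
```

Calling `build_sample().effective_rights("helpdesk1")` lists each right with its path, which makes an administrative right reached only through a global group easy to spot during an account review.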

 


Salam Saif Said AL-Riyami Sultanate of Oman
Copyright © 2001 www.donya.8m.net All rights reserved.
Revised: May 09, 2001.