Administering Windows 2003 – MCSE 70-290

Using Default Groups

Microsoft Server 2003 has several built in groups which have predefined user rights. These groups are stored in two containers: Builtin and Users.

Groups in the Builtin Container:

Group Description Default User Rights
Account Operators Account Operators can create, modify, and delete accounts for users, groups, and computers located in the containers and OUs – except for the Domain Controllers OU. Cannot modify the Administrators or Domain Admins group. Allow log on locally; Shut down the system
Administrators Full control of all domain controllers in the domain. The Domain Admins and Enterprise Admins are members of the Administrators group. The Administrator user account is a default member. Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
Backup Operators Can back up and restore files on domain controllers on the domain. Can shut down domain controllers. No default members. Back up files and directories; Allow log on locally; Restore files and directories; Shut down the system.
Guests The Domain Guests group is a member of this group. The Guest account is also a default member. No default user rights.
Incoming Forest Trust Builders (only appears in the forest root domain) This group allows its members to create one-way incoming forest trusts to the forest root domain. No default members. No default user rights.
Network Configuration Operators Can make changes to TCP/IP settings and renew/release TCP/IP addresses on domain controllers. No default members. No default user rights.
Performance Monitor Users Can monitor performance counters on domain controllers. No default user rights.
Performance Log Users Can manage performance counters, logs, and alerts on domain controllers. No default user rights.
Pre-Windows 2000 Compatible Access Members of this group have read access on all users and groups in the domain. By default, Everyone is a member of this group. Used for users running Windows NT 4.0 or earlier. Access this computer from the network; Bypass traverse checking.
Print Operators Members of this group can manage, create, share, and delete printers connected to domain controllers. They can manage AD printer objects in the domain. No default members. Allow log on locally; Shut down the system.
Remote Desktop Users Members can remotely log on to domain controllers. No default members. No default user rights.
Replicator This group supports directory replication functions and is used by the File Replication service on domain controllers in the domain. No default members. Do not add users to this group. No default user rights.
Server Operators Members of this group can log on interactively to domain controllers, create and delete shared resources, start and stop some services, back up and restore files, format the hard drive, and shut down the computer. No default members. Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
Users Members can perform common tasks – starting applications, using local and network printers, and locking the server. The Domain Users group, Authenticated Users, and Interactive are members of this group. Any user account created in the domain becomes a member of this group. No default user rights.

Groups in the Users Container:

Group Description Default User Rights
Cert Publishers Members of this group are permitted to publish certificates for users and computers. No default user rights.
DNSAdmins Installed with DNS. Members have administrative access to the DNS Server service. No default members. No default user rights.
DNSUpdateProxy Installed with DNS. Members of this group are DNS clients that perform dynamic updates on behalf of other clients, such as DHCP servers. No default members. No default user rights.
Domain Admins Members have full control of the domain. This group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. The Administrator account is a member of this group. Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
Domain Computers Contains all workstations and servers joined to the domain. Any computer account created becomes a member of this group automatically. No default user rights.
Domain Controllers Contains all domain co
ntrollers in the domain.
No default user rights.
Domain Guests All domain guests. No default user rights.
Domain Users All domain users. Any user account created in the domain becomes a member of this group automatically. No default user rights.
Enterprise Admins Only appears in the forest root domain. Full control of all domains in the forest. The Administrator account is a member of this group.
Group Policy Creator Owners Can modify Group Policy in the domain. The Administrator account is a default member. No default user rights.
IIS_WPG Installed with IIS. The Internet Information Services (IIS) 6.0 worker process group. No default members. No default user rights.
RAS and IAS Servers Servers in this group are permitted access to the remote access properties of users. No default user rights.
Schema Admins Only appears in the forest root domain. Members can modify Active Directory schema. Administrator account is a default member. No default user rights.

4 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *