The following predefined global groups are installed in the Users folder:
Cert Publishers: Certificates are used to increase security by allowing for strong
authentication methods. User accounts are placed within the Cert Publishers group if they
must publish security certificates. Generally, Active Directory security services use these
accounts.

Domain Computers: All of the computers that are members of the domain are generally
members of the Domain Computers group. This includes any workstations or servers that
have joined the domain, but it does not include the domain controllers.

Domain Admins: Members of the Domain Admins group have full permissions to manage
all of the Active Directory objects for this domain. This is a powerful group; therefore,
you should restrict its membership to only those users who require full permissions.

Domain Controllers: All of the domain controllers for a given domain are generally
included within the Domain Controllers group.

Domain Guests: Generally, by default, members of the Domain Guests group are given
minimal permissions with respect to resources. System administrators may place user
accounts in this group if they require only basic access or temporary permissions within the
domain.

Domain Users: The Domain Users group usually contains all of the user accounts for
the given domain. This group is generally given basic permissions to resources that do not
require higher levels of security. A common example is a public file share.

Enterprise Admins: Members of the Enterprise Admins group are given full permissions
to perform actions within the entire forest. This includes functions such as managing trust
relationships and adding new domains to trees and forests.

Group Policy Creator Owners: Members of the Group Policy Creator Owners group are
able to create and modify Group Policy settings for objects within the domain. This allows
them to enable security settings on OUs (and the objects they contain).

Schema Admins: Members of the Schema Admins group are given permissions to modify
the Active Directory schema. As a member of Schema Admins, you can create additional
fields of information for user accounts. This is a powerful function because any changes to
the schema will be propagated to all the domains and domain controllers within an Active
Directory forest. Furthermore, you cannot undo changes to the schema (although you can
disable some).
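
One way to check that membership of the powerful groups above stays restricted, as an added example that is not part of the original text: the script lists every direct or nested member that is not on an allow-list. It assumes the ActiveDirectory PowerShell module is installed; the account names in the allow-list are constructed placeholders.

```powershell
# Added example: audit the high-privilege groups described above against an allow-list.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Constructed placeholder allow-list: replace with the accounts your organization approved.
$Approved = @{
    'Domain Admins'               = @('adm-alice', 'adm-bob')
    'Enterprise Admins'           = @('adm-alice')
    'Schema Admins'               = @()   # empty in this sample: every member is reported
    'Group Policy Creator Owners' = @('adm-bob')
}

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so they are queried there; the other groups are read from the current domain.
$ForestRoot    = (Get-ADForest).RootDomain
$CurrentDomain = (Get-ADDomain).DNSRoot
$ForestWide    = @('Enterprise Admins', 'Schema Admins')

$Findings = foreach ($Group in $Approved.Keys) {
    $Server = if ($ForestWide -contains $Group) { $ForestRoot } else { $CurrentDomain }
    try {
        # -Recursive expands nested groups so indirect members are reported too.
        $Members = Get-ADGroupMember -Identity $Group -Server $Server -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$Group' from ${Server}: $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        if ($Approved[$Group] -notcontains $Member.SamAccountName) {
            [pscustomobject]@{
                Group   = $Group
                Domain  = $Server
                Account = $Member.SamAccountName
                Type    = $Member.objectClass
                DN      = $Member.distinguishedName
            }
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Group, Account | Format-Table -AutoSize
} else {
    Write-Output 'No unapproved members found in the audited groups.'
}
```
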
In addition to these groups, you can create new ones for specific services and applications
that are installed on the server. Specifically, groups for services that run on domain
controllers and servers are created as security groups with domain local scope. For example, if
a domain controller is running the DNS service, the DnsAdmins and DnsUpdateProxy
groups become available. In addition, there are two read-only domain controller (RODC)
local groups: the Allowed RODC Password Replication and the Denied RODC Password
Replication groups. Similarly, if you install the DHCP service, it automatically creates the