Information Technology Reference
In-Depth Information
Table 5-2
Default groups in the Builtin folder
Group
Description
Account Operators
Members can administer domain user, group, and computer accounts, except computers in the
Domain Controllers OU and the Administrators, Domain Admins, Enterprise Admins, Schema Admins,
and Read-Only Domain Controllers groups. Members can log on locally and shut down domain
controllers in the domain. There are no default members.
Administrators
Members have full control of all DCs in the domain and can perform almost all operations on DCs.
Default members are Domain Admins, Enterprise Admins, and the Administrator user account.
Backup Operators
Members can back up and restore all files and directories on DCs in the domain with an Active
Directory-aware backup program. Members' ability to access all files and folders doesn't extend
beyond their use of backup software. Members can log on locally to and shut down DCs. There are
no default members.
5
Guests
This group has no default rights or permissions. The Domain Guests group and Guest user account
are default members.
IIS_IUSRS
Internet Information Services uses this group to allow anonymous access to Web resources.
Network Configuration
Members can change TCP/IP settings and release and renew DHCP-assigned addresses on DCs. There
Operators
are no default members.
Print Operators
Members can manage all aspects of print jobs and printers connected to DCs. Members can log on
locally to and shut down DCs in the domain. There are no default members.
Remote Desktop Users
Members can log on remotely to DCs with the Remote Desktop client. There are no default members.
Server Operators
Members can log on locally to DCs, manage some services, manage shared resources, back up and
restore files, shut down DCs, format hard drives, and change the system time. There are no default
members.
Users
Members can run applications and use local printers on member computers, among other common
tasks. Members of this group can't, by default, log on locally to DCs. Domain Users and the special
identity Authenticated Users and Interactive groups are members of the Users group by default.
Because all user accounts created in a domain are automatically members of the Domain Users global
group, all domain users become members of this group as well.
Default Groups in the Users Folder
The default groups in the Users folder are a com-
bination of domain local, global, and, in the forest root domain, universal scope. User accounts
are generally added to global and universal groups in this folder for assigning permissions and
rights in the domain and forest. Table 5-3 describes several groups in the Users folder.
Table 5-3
Default groups in the Users folder
Group/scope
Description
Allowed RODC Password
Members can have their passwords replicated to RODCs. There are no default members.
Replication Group
Denied RODC Password
Members can't have their passwords replicated to RODCs, so this group is a security measure to
Replication Group
ensure that passwords for sensitive accounts don't get stored on RODCs. Default members include
Domain Admins, Enterprise Admins, and Schema Admins.
DnsAdmins/domain local
This group is created when DNS is installed in the domain. Members have administrative control
over the DNS Server service. There are no default members.
Domain Admins/global
Members have full control over domainwide functions. This group is a member of all domain local
and local Administrators groups. The domain Administrator account is a member by default.
Domain Computers/global
All computers that are domain members (excluding DCs) are added to this group by default.
Domain Controllers/global
All DCs are members of this group by default.
Domain Users/global
All user accounts in the domain are added to this group automatically. This group is used to assign
rights or permissions to all users in the domain, but it has no specific rights by default. This group is
a member of the Users domain local group by default.
Enterprise
This universal group is found only on DCs in the forest root domain. Members have full control over
Admins/universal
forestwide operations. This group is a member of the Administrators group on all DCs. The
Administrator account for the forest root domain is a member by default.
(continued)
Search WWH ::
Custom Search