Table 5-3 Default groups in the Users folder (continued)

| Group/scope | Description |
|---|---|
| Group Policy Creator Owners/global | Members can create and modify group policies throughout the domain. |
| Read-only Domain Controllers/global | RODCs are members by default. |
| Schema Admins/universal | This universal group is found only on DCs in the forest root domain. Members can modify the Active Directory schema. The Administrator account for the forest root domain is a member by default. |
Special Identity Groups

Special identity groups, described in Table 5-4, don't appear as
objects in Active Directory Users and Computers, but they can be assigned permissions by
adding them to resources' DACLs. Membership in these groups is controlled dynamically by
Windows, can't be viewed or changed manually, and depends on how an account accesses the
OS. For example, membership in the Authenticated Users group is assigned to a user account
automatically when the user logs on to a computer or domain. No group scope is associated with
special identity groups.
Table 5-4 Special identity groups

| Group | Description |
|---|---|
| Anonymous Logon | Users and services that access domain resources without using an account name or a password. Typically used when a user accesses an FTP server that doesn't require user account logon. |
| Authenticated Users | Members include any user account (except Guest) that logs on to a computer or domain with a valid username and password. Often used to specify all users in a forest. |
| Creator Owner | A user becomes a member automatically for a resource he or she created (such as a folder) or took ownership of. Often assigned Full control permission for subfolders and files only on the root of a drive so that a user who creates a file or folder on the drive has full control of the object automatically. |
| Dial-up | A user logged on through a dial-up connection is a member. |
| Everyone | Refers to all users who access the system. Similar to the Authenticated Users group but includes the Guest user. |
| Interactive | Members are users logged on to a computer locally or through Remote Desktop. Used to specify that only a user sitting at the computer's console is allowed to access a resource on that computer. |
| Network | Members are users logged on to a computer through a network connection. Used to specify that only a user who's trying to access a resource through the network can do so. |
| Owner Rights | New in Server 2008, it represents the current owner of a folder or file. Permissions set on this group can be used to override implicit permissions granted to the owner of a file, such as Change Permissions and Take Ownership. |
| Service | Any security principal logged on as a service is a member. |
| System | Refers to the Windows OS. |
| Self | Refers to the object for which permissions are being set. If this group is an ACE in the object's DACL, the object can access itself with the specified permissions. |
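Because special identity groups don't appear in Active Directory Users and Computers, the practical way to see where they have been granted access is to read the DACLs themselves. The following PowerShell is an added example, not part of the original text: it matches ACEs against the fixed well-known SIDs Windows uses for the groups in Table 5-4. The function name Get-SpecialIdentityAce and the path D:\Shares\Example are hypothetical placeholders.

```powershell
# Added example: list ACEs on a folder tree that name a special identity group.
# The SIDs are Windows well-known SIDs; the function name and path are hypothetical.
$SpecialIdentities = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-3-0'  = 'Creator Owner'
    'S-1-3-4'  = 'Owner Rights'
    'S-1-5-1'  = 'Dial-up'
    'S-1-5-2'  = 'Network'
    'S-1-5-4'  = 'Interactive'
    'S-1-5-6'  = 'Service'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-10' = 'Self'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-18' = 'System'
}

function Get-SpecialIdentityAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request SIDs instead of names so the match is independent of display language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($SpecialIdentities.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $SpecialIdentities[$sid]
                    Sid       = $sid
                    Type      = $rule.AccessControlType
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Review explicit Allow entries for the broadest groups first.
Get-SpecialIdentityAce -Path 'D:\Shares\Example' -Recurse |
    Where-Object { -not $_.Inherited -and $_.Type -eq 'Allow' -and
                   $_.Identity -in 'Everyone', 'Anonymous Logon', 'Authenticated Users' } |
    Format-Table -AutoSize
```

Self applies to Active Directory objects rather than files, so it is listed for completeness and will not normally match on a file system path.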
Activity 5-10: Working with Default Groups
Time Required: 20 minutes
Objective: View properties of default groups.
Description: You want to see the scope and membership of some default groups that Windows
creates.
1. If necessary, log on to your server as Administrator and open Active Directory Users and
Computers.
2. Click the Builtin folder. Click the Administrators group, and open its Properties dialog box.
Click the General tab, if necessary. The options in the Group scope and Group type sections
 
 