Default Groups and Administrative Security
You can get a lot of mileage out of the many built-in groups that come with Windows 2000.
So far in this series, I've introduced you to the various types of groups in Windows 2000 and shown you some techniques that you can use to enhance your organization's security by nesting those groups. However, I haven't yet discussed one type of group. Like Windows NT, Windows 2000 has many built-in groups designed for special purposes. In this article, I'll introduce you to those groups and show you how to get the most out of using them.
Windows 2000 Default Groups
Predefined groups are nothing more than global groups. You can control who has access to what by adding these predefined groups to domain local groups or by adding permissions directly to these groups. The predefined groups include Domain Admins, Domain Guests, Domain Users, and Enterprise Admins.
Built-in groups give group members the authority to perform specific tasks at the domain level. For example, Account Operators can create, delete, and modify user accounts within the domain. Most of the built-in groups closely match groups found in Windows NT. The built-in groups include Account Operators, Administrators, Backup Operators, Guests, Pre-Windows 2000 Compatible Access, Print Operators, Replicator, Server Operators, and Users.
Built-In Local Groups
Built-in local groups are located only on stand-alone servers, member servers, and Windows 2000 Professional workstations. They allow users of the machine to perform specific system-related tasks, such as backing up the system. The built-in local groups function very similarly--if not identically--to their Windows NT counterparts. As with Windows NT, most of the built-in local groups are empty by default. It's up to the local administrator to assign group memberships. The built-in local groups include Administrators, Backup Operators, Guests, Power Users, Replicators, and Users.
Special Identity Groups
Special identity groups deserve a little more explanation than the groups I've already discussed. Unlike other groups, you can't add users to or remove users from special identity groups. Instead, special identity groups represent different users at different times. In fact, you can't even see the special identity groups when you're administering groups. The only time you'll ever see them is when you assign permissions to resources. The following list describes some of the special identity groups and their functions:
- Anonymous LoginIncludes any user who is using Windows 2000 resources but didn't go through the authentication process.
- Authenticated UserIncludes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated User group in place of the Everyone group to prevent anonymous access to resources.
- Creator OwnerRefers to the user who created or took ownership of the resource to which you're assigning permissions. For example, if the User Brien created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
- Dial-upIncludes anyone who's currently connected to the network through a dial-up connection.
- EveryoneIncludes all users who access the system. As I mentioned earlier, be careful about assigning resources to Everyone, because you could accidentally allow unauthenticated users to access the system. One way of reducing this problem is to disable the Guest account. Remember that the Guest is a part of Everyone; and in some cases, Windows 2000 represents anonymous users as a guest.
- InteractiveRefers to users who are logged on to a local machine. As you may recall, users who are logged in locally are said to be logged in interactively. Therefore, if you want to restrict a resource so that it can only be accessed locally, this is the resource to use. Likewise, you can make a resource available only through the network by applying a denial to the Interactive group.
- NetworkThe exact opposite of the Interactive group; includes any users who are accessing a given machine from another computer. Remember that just because users are on the network, they aren't necessarily members of the Network group. The Network group is specific to each machine. Therefore, a user isn't a member of a machine's Network group unless he is currently accessing resources on that machine.