Save time and effort with user groups
You'll use Windows 2000 user groups—specifically security groups—frequently to manage your enterprise. Groups provide a way to manage permissions and rights for users en masse, instead of dealing with users one at a time (a horrible thought if you have thousands of users).
Permissions are rules that you associate with objects such as folders, files, or printers. These rules define which users can access those objects and what the users can do when they access the objects. For example, permissions for a folder might include reading, modifying, and creating files in the folder. Permissions for a printer might include deleting jobs (including jobs that belong to other users), changing configuration options, and installing drivers. Rights are rules that define the actions users can perform, such as backing up a computer or shutting down a system.
Try to think of the process of populating groups as assigning users to the groups, rather than thinking of the groups as containing users. (You can also assign computers to groups, but this column centers on user groups.) Taking this perspective on groups will help you understand the notion that a user can be a member of more than one group. You can also assign groups to other groups, creating nested groups.
Types of Groups
Win2K supports two primary types of groups: security and distribution. You use security groups to configure permissions and rights for the users who are members of the group. According to Microsoft, you use distribution groups only for email; these groups have the same purpose as distribution lists (DLs) that you create in your email address books. (You can use a security group as a DL, but you can't use a distribution group to assign permissions and rights.)
In Win2K, security groups exist for both local computers (Local groups) and the domain (Global groups)—the same approach you find in Windows NT. (For information about groups in NT, see Michael D. Reilly, Getting Started with NT, "Windows NT Group Strategies," August 1998.) However, Win2K adds another type of security group called a Universal group. Universal groups encompass the enterprise; they're forestwide. (A forest is a collection of one or more Win2K domains that share a global catalog of Active Directory—AD—objects and that are linked through two-way trusts.) Universal groups can exist only in Win2K domains running in native mode, which means that all the domain controllers (DCs) across the enterprise have been migrated to Win2K.
Builtin and Predefined Groups
Win2K automatically establishes several groups, called builtin groups, when you install the OS. To see the builtin groups for any computer that isn't a DC, open the local Microsoft Management Console (MMC) Computer Management snap-in. (Right-click My Computer, and choose Manage from the shortcut menu.) Expand the Local Users and Groups container, and select Groups to display the local builtin groups in the right pane. Figure 1, page 156, shows the builtin groups for Win2K Server and Win2K Professional. (Win2K Advanced Server includes additional builtin groups for assigning permissions and rights for Web services.)
When you configure a server as a DC, local users and groups are inaccessible because DCs are designed for domain management, and the local users and groups are no longer manageable objects. The local Computer Management snap-in superimposes a red X over the Local Users and Groups container; clicking that container produces an error message explaining that this snap-in can't be used on a DC.
DCs have both builtin and predefined groups. To see those groups:
- Open the MMC Active Directory Users and Computers snap-in under Programs, Administrative Tools.
- Select the Builtin object in the left pane to display the builtin groups. The description column provides information about the permissions and rights attached to each group.
- Select the Users object in the left pane to see the predefined groups, which share the display in the right pane with the domain users list, as Figure 2 shows. (Notice that some of the predefined groups are for computers instead of users.)