Upgrading and Repairing Networks (5th Edition)

When you use the Active Directory in your network, a number of other groups can be used. The Active Directory controls many aspects that grant or deny access to resources throughout the network, including other domains, and possibly other Active Directory trees in a forest of AD trees. Following is a list of these default groups:

  • Account Operators - This group's members can create user accounts and groups in their domain in the Active Directory, as well as modify or delete them. The exception is that members cannot access the Domain Controllers organizational unit. They cannot make changes to Administrator accounts in the domain, or to accounts that are members of the Domain Admins group. However, members of this group can shut down a domain controller, so be careful when selecting users to add to this group.

  • Administrators - This group, of course, can do anything on any domain controller for a particular domain. The groups Domain Admins and Enterprise Admins (for Windows 2003 Enterprise Edition) are automatically placed into this group. This group can perform all functions in a domain, so choose its members very carefully. For example, if only a subset of the administrative functions is required, choose another built-in group that matches the job specifications, or create a new group and grant it the rights to perform those functions.

  • Enterprise Administrators - There is very little this group cannot do. Enterprise Administrators have Full Control permissions throughout the enterprise, which includes Read permission on every object in it. You can consider the group Enterprise Administrators to have the same capabilities as Domain Administrators or the local Administrators group.

  • Backup Operators - As discussed earlier in this chapter, members of this group can perform backup and restore functions. In addition, however, note that this group's members can log on to a domain controller and shut it down.

    Caution

    Placing a user account into any group that can shut down a domain controller should be done with great caution. For example, if you have just one domain controller in your domain, shutting it down can have a severe impact on your domain. Even if you have multiple domain controllers (which is highly recommended for fault-tolerance), that will not prevent a user who has the right to shut down one domain controller from doing the same to others.

  • Guests - See the previous entry for the Guests group for the local computer.

  • Incoming Forest Trust Builders - This group will be present only in the forest root domain. A forest is a collection of domain trees. This group can create incoming trust relationships between trees in a forest. This is a powerful right, so be sure to understand the implications before adding members to this group. By default, there are no members in this group.

  • Network Configuration Operators - This group can modify the TCP/IP configuration, and release/renew DHCP configurations for the same, on domain controllers.

  • Performance Monitor Users - This group's members can monitor performance on a domain controller.

  • Performance Log Users - This group, as you can probably guess from the local group definitions, can manage the items that are set up as counters, alerts, and logs for performance monitoring, but it can do so on domain controllers.

  • Pre-Windows 2000 Compatible Access - This group is used to provide backward compatibility for Windows NT users, as well as earlier operating systems. If your network is composed of Windows 2000 and later editions of the operating system, this group will not be present, or needed.

  • Print Operators - This is another group that is similar in function to the local group for a particular server. Yet this group can manage printers on a domain controller. More important is the fact that members of this group can make changes in the Active Directory for printer objects, and can also shut down domain controllers. Choose members for this group carefully!

  • Remote Desktop Users - This is the same as the local group, but this Active Directory group can also log on to domain controllers in your network.

  • Replicator - This is another group that is similar to the local group of the same name. This group can also be used to enable file replication between domain controllers.

  • Server Operators - Members of this group can log on locally to a domain controller. They can perform many other functions in addition, such as create/delete shared resources (such as file or print shares), start/stop most services, shut down the server, and back up/restore files on the server. Members can also change the system time.

  • Users - Members of this group, as with the same local group, can run applications and perform other functions. Any domain account you create becomes a member of this group.
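Because several of the groups listed above (Account Operators, Backup Operators, Print Operators, Server Operators, and the administrative groups) carry the right to shut down a domain controller, the practical control is to know exactly who is in them. The following PowerShell script is an added example, not code from the book: it uses the ActiveDirectory module (assumed to be installed, as it is with RSAT) to list the effective user membership of each of those groups, including members inherited through nested groups, and warns about the operator groups that are normally expected to be empty. The book's "Enterprise Administrators" is the group the directory names "Enterprise Admins"; that group and Incoming Forest Trust Builders exist only in the forest root domain, so the script reports them as absent elsewhere rather than failing.

```powershell
# Added example (not from the book): audit the built-in AD groups whose members
# can shut down a domain controller or otherwise administer the domain.
# Assumes the ActiveDirectory module (RSAT) and a caller allowed to read group
# membership in the domain.
Import-Module ActiveDirectory

# Names as the directory stores them (sAMAccountName).
$privilegedGroups = @(
    'Administrators',
    'Domain Admins',
    'Enterprise Admins',               # book: "Enterprise Administrators"; forest root only
    'Account Operators',
    'Backup Operators',
    'Print Operators',
    'Server Operators',
    'Incoming Forest Trust Builders',  # forest root only
    'Network Configuration Operators',
    'Remote Desktop Users'
)

# Groups the book says should be handed out sparingly; any member is worth a look.
$shouldBeEmpty = @('Account Operators', 'Print Operators', 'Server Operators', 'Incoming Forest Trust Builders')

function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = $privilegedGroups)

    foreach ($name in $GroupNames) {
        # -Filter returns nothing (instead of throwing) when the group is not in this domain
        $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) {
            [PSCustomObject]@{ Group = $name; Present = $false; MemberCount = 0; Members = '' }
            continue
        }

        # -Recursive expands nested groups, so indirect members are counted too
        $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
                     Where-Object { $_.objectClass -eq 'user' })

        [PSCustomObject]@{
            Group       = $name
            Present     = $true
            MemberCount = $members.Count
            Members     = ($members.SamAccountName | Sort-Object) -join ', '
        }
    }
}

$report = Get-PrivilegedGroupReport
$report | Format-Table -AutoSize

$report |
    Where-Object { $_.Group -in $shouldBeEmpty -and $_.MemberCount -gt 0 } |
    ForEach-Object {
        Write-Warning "$($_.Group) has $($_.MemberCount) member(s) who can shut down a domain controller: $($_.Members)"
    }
```

Run it from a domain-joined workstation with RSAT rather than on the domain controller itself, and keep the output from one run as a baseline so that later runs can be compared against it: a new name appearing in Server Operators or Account Operators is the kind of change that should be explained before it is accepted.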

As if that were not enough, there are additional groups contained in the Users container in the Active Directory. There are many of these, and you should investigate their use after becoming familiar with the Active Directory. These groups can contain both users and computers.

Tip

Earlier in this chapter you learned that you can disable or rename the Administrator account. However, an important fact you need to remember is that if you boot the computer in Safe Mode, the administrator account will be enabled, to help you recover the system. This is an example of why you need to protect important servers using not only the safeguards built into the operating system, but also the physical constraints used to access the server. In other words, unless the server is located in a secure computer room, there is always the possibility that it can be compromised.
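Renaming the Administrator account hides its name but not its identity: the built-in Administrator always has the well-known relative identifier 500 under the domain's SID. The following PowerShell is an added example, not the book's code, that uses the ActiveDirectory module (assumed installed, as with RSAT) to locate that account by its SID regardless of what it is currently called, and to report whether it is enabled and when it last logged on or changed its password. That lets you verify that the disabling described earlier is still in effect, for instance after a server has been restarted in Safe Mode.

```powershell
# Added example (not from the book): find the built-in Administrator account by
# its well-known RID (500) even after it has been renamed, and report its state.
# Assumes the ActiveDirectory module (RSAT) and read access to the account.
Import-Module ActiveDirectory

function Get-BuiltinAdministrator {
    $domain = Get-ADDomain
    # Built-in Administrator SID is always "<domain SID>-500"
    $adminSid = "$($domain.DomainSID.Value)-500"
    Get-ADUser -Identity $adminSid -Properties Enabled, LastLogonDate, PasswordLastSet, whenChanged
}

$admin = Get-BuiltinAdministrator

[PSCustomObject]@{
    CurrentName     = $admin.SamAccountName   # differs from "Administrator" if it was renamed
    Sid             = $admin.SID.Value
    Enabled         = $admin.Enabled
    LastLogonDate   = $admin.LastLogonDate
    PasswordLastSet = $admin.PasswordLastSet
    LastChanged     = $admin.whenChanged
} | Format-List

if ($admin.Enabled) {
    Write-Warning "Built-in Administrator ($($admin.SamAccountName)) is currently enabled."
} else {
    Write-Host "Built-in Administrator ($($admin.SamAccountName)) is disabled."
}
```

Scheduling this check and alerting when Enabled flips to True gives you a detective control for the case the tip describes; the physical controls on the server room remain the preventive one.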
