Active Directory 2008: Default Domain Groups

A domain group is a resource group to which permissions to access resources can be assigned on a domain-wide scale. Active Directory includes several default groups that are created automatically. These groups have default members, rights, and permissions. The following table lists some of the default groups that are created in the Builtin folder:

| Builtin Group | Description |
|---|---|
| Administrators | Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right. |
| Server Operators | Log on locally, back up and restore files and directories, change the system time, and force a local or remote shutdown. Can also create and delete shared resources, format the hard disk, and start and stop some services. Abilities extend to domain controllers. |
| Backup Operators | Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings. |
| Account Operators | Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups. |
| Guests | The domain Guest account is a member of this group. The group does not have any default rights. |
| Network Configuration Operators | Change TCP/IP settings including changes on domain controllers. |
| Print Operators | Create, share, manage, and delete printers on domain controllers. Manage Active Directory printer objects. Log on locally, add or remove device drivers, and shut down domain controllers. |
| Users | Perform common tasks such as running applications, using local and remote printers, and locking workstations. By default, all domain members are members of this group. |

Additional domain groups are also created in the Users folder in Active Directory. The following table describes some of these groups:

| User Group | Description |
|---|---|
| Domain Admins | Full control over the domain. This group is a member of the Administrators group on all computers when they are joined to the domain. This means that members of the Domain Admins group can perform all tasks on any computer in the domain (including domain controllers). |
| Domain Computers | Contains all computers that are members of the domain. When you join a computer to the domain, it becomes a member of this group. |
| Domain Controllers | Contains all domain controllers. When a computer is made a domain controller, it is added to this group. |
| Domain Guests | Contains all domain guests. It does not have any default rights. |
| Domain Users | Contains all domain users. This group can be used to give access to all users in a domain. |
| Enterprise Admins | Full control over all domains in the forest. This group is a member of the Administrators group on all computers in the forest, allowing its members to perform any task on any computer in the forest. |
| Schema Admins | Full control over the Active Directory schema. By default, the Administrator account is a member of this group. |
| Read-only Domain Controllers | Contains all members who have administrative access to the Read-Only Domain Controllers in the domain. |
| DHCP Administrators | Contains all members who have administrative access to the DHCP service. |
| Cert Publishers | Contains all members who are permitted to publish certificates to the directory. |

When working with domain networking resources, use domain groups for controlling access.

However, to enable users to manage local systems, make domain user or group accounts members of the local groups.
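
Several of the groups in the tables above carry rights that extend to domain controllers, and Domain Admins and Enterprise Admins are nested inside Administrators, so effective membership is wider than the direct member list shows. The following PowerShell script is an added example, not part of the original post; it assumes the ActiveDirectory module is installed and that the account running it can read group membership, and it reports every account that is a direct or nested member of those groups.

```powershell
# Added example: list effective (direct + nested) members of the privileged
# default groups described on this page.
# Assumption: the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Group names taken from the two tables on this page.
$privilegedGroups = @(
    'Administrators', 'Server Operators', 'Backup Operators',
    'Account Operators', 'Print Operators',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins'
)

$report = foreach ($name in $privilegedGroups) {
    try {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Group '$name' not found in this domain; skipping."
        continue
    }

    # Distinguished names of direct members, used to tell direct from nested.
    $directDns = @(Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty distinguishedName)

    # -Recursive expands nested groups and returns only the leaf accounts.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        $via = 'nested'
        if ($directDns -contains $member.distinguishedName) { $via = 'direct' }

        New-Object PSObject -Property @{
            Group  = $group.Name
            Member = $member.SamAccountName
            Type   = $member.objectClass
            Via    = $via
        }
    }
}

# One row per (group, account) pair; 'nested' rows are the ones a direct
# membership listing would not show.
$report |
    Sort-Object Group, Member |
    Select-Object Group, Member, Type, Via |
    Format-Table -AutoSize
```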
