Rights and Permissions - PowerPoint PPT Presentation

Provided by: Kis77
Slides: 31

Transcript and Presenter's Notes

1
Rights and Permissions
  • User rights apply to the system as a whole and
    are different from permissions, which apply to
    specific resources (objects)
  • User rights determine what a user or group is
    allowed to do on the computer or network system
  • Permissions apply to resources (objects) such as
    files, folders, printers, and Active Directory
    objects, and regulate which users can access
    which object and in what manner
  • Every network resource (object) has an Access
    Control List (ACL), which designates the
    permissions for that resource

2
Introduction to Groups
  • A group is a collection of user accounts or
    computer accounts with similar rights and
    permissions
  • Groups are used to simplify the management of
    multiple user accounts
  • An administrator uses groups to manage access to
    shared network resources such as folders, files,
    print devices, and Active Directory objects
  • Group membership provides an easy way to assign
    permissions and user rights to sets of users at
    one time
  • Key properties of groups
      • Members of a group automatically have the
        rights and permissions that have been granted to
        the group
      • User accounts can be members of more than one
        group
      • Groups can be members of other groups (nesting)
      • Computer accounts can also be members of groups

3
Major Group Types
  • Two types of groups are available in Windows Server
    2003
  • Distribution groups - primarily designed for
    certain applications, such as sending e-mail
    messages to a group of users at the same time
      • Cannot be assigned permissions or user rights, but
        users can be added to them
      • Cannot be created on the local computer - they
        can only be created in Active Directory
  • Security groups - primarily used to assign
    permissions and user rights to multiple users to
    grant access to domain resources
      • Can also be used as an e-mail distribution list

4
Group Scopes
  • Windows NT used two basic group scopes, local
    groups and global groups; Windows 2000 keeps
    global and local groups and adds two more scopes,
    domain local groups and universal groups
  • When you create a group you must specify the
    group scope
  • The group scope determines whether the group can
    be used to access resources in a specific domain
    or across domains in a network
  • Local groups are created on local computers to
    provide access to local resources on a single
    computer
  • Local groups are mainly used in peer-to-peer
    workgroup networks or on stand-alone computers
    that are not part of a domain

5
Group Scopes
  • Domain local groups can be used to protect
    resources in a single domain. A domain local
    group can contain users from any domain in the
    forest, but it is limited to regulating resources
    in the same domain in which the group is created
  • Global groups work the opposite way. A global
    group is used to group users only from the single
    domain in which it is created; however, it can
    regulate resources located in any domain in the
    forest
  • Universal groups can contain members from any
    domain in the organization and regulate resources
    in any domain in the forest. They exist only in
    Active Directory native mode. If you have any
    Windows NT domain controllers on your network,
    you cannot use universal groups

6
Domain Functional Levels
  • There are four functional levels in a Windows
    Server 2003 environment
  • Windows 2000 mixed mode - default functional
    level
      • Supports domain controllers running Windows
        Server 2003, Windows 2000, and Windows NT 4.0
      • Supports universal distribution groups but not
        universal security groups
      • Does not support any group conversion
      • Global groups cannot contain other global groups
        (no nesting)
  • Windows 2000 native mode functional level
      • Supports domain controllers running Windows
        Server 2003 and Windows 2000
      • Supports universal security and distribution
        groups

7
Domain Functional Levels
      • Supports group nesting (adding one group to
        another group)
      • Supports conversion between security and
        distribution groups
      • Supports migration of security principals from
        one domain to another domain (Security Identifier
        (SID) history)
  • Windows Server 2003 interim mode functional level
      • Used while upgrading Windows NT 4.0 domains to
        Windows Server 2003
  • Windows Server 2003 mode functional level
      • Supports only domain controllers running Windows
        Server 2003
      • Supports universal security and distribution
        groups
      • Supports group nesting (adding one group to
        another group)
      • Supports conversion between security and
        distribution groups
      • Supports migration of security principals from
        one domain to another domain (SID history)

8
Windows Server 2003 Group Scopes
  • Three group scopes in Windows Server 2003:
    domain local, global, and universal
  • Domain local group
      • Domain local groups are mainly used to control
        access to resources within a single domain
      • Created in Active Directory (AD) on Windows
        Server 2003 domain controllers
      • Used to control access to resources in the same
        domain
      • Can contain
          • user and computer accounts from any domain
          • global and universal groups (available only in
            native mode) from any domain in the forest
          • other domain local groups from its own domain

9
Introduction to Group Scopes
  • Global group
      • Created in AD on Windows Server 2003 domain
        controllers
      • Used to organize users from its own domain who
        perform similar tasks or have similar network
        access requirements
      • Can contain
          • user and computer accounts from its own domain
          • other global groups (available only in native
            mode) from its own domain
      • Cannot contain
          • user and computer accounts from any other domain
          • any other groups from any domain in the forest
      • Although it is not the preferred practice, user
        rights and permissions can be assigned to global
        groups

10
Universal Groups
  • Universal groups
      • Created in AD on Windows Server 2003 domain
        controllers
      • Used to organize users from multiple domains who
        perform similar tasks or have similar network
        access requirements
      • Used to control access to shared resources in
        multiple domains
      • Can contain
          • user and computer accounts, global groups, and
            universal groups (available only in native mode)
            from any domain in the forest
      • A universal group can be assigned permission to a
        shared resource on any computer in any domain in
        the forest
      • Not available in mixed mode, only in native mode
      • Can create potential network (replication) traffic
        problems

11
Nesting of Groups
  • You add a group to another group in order to
    minimize the number of times you assign
    permissions to multiple groups
  • The process of adding groups to other groups is
    called group nesting
  • Domains must be at the Windows 2000 native or
    Windows Server 2003 functional level
  • You can add a global group to another global group
    in the same domain
  • You can add a global group to universal and domain
    local groups in other domains
  • At the Windows 2000 native and Windows Server 2003
    functional levels, you can convert groups to
    different scopes
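The containment rules on slides 8 to 11 are easy to misremember, so the following is an added example (not part of the slides) that encodes them in a stand-alone PowerShell function. Nothing in it touches a domain; the scopes, domain names and functional level are passed in as plain values, and the domain names in the calls at the bottom are placeholders.

```powershell
# Added example (not from the slides): a stand-alone checker for the
# group-scope containment rules on slides 8-11. Nothing here touches a
# domain; scopes, domains and the functional level are passed in as values.

function Test-GroupNestingRule {
    [CmdletBinding()]
    param(
        # Group that would receive the new member
        [Parameter(Mandatory)][ValidateSet('DomainLocal', 'Global', 'Universal')]
        [string]$ContainerScope,
        [Parameter(Mandatory)][string]$ContainerDomain,

        # What is being added: an account, or a group of the given scope
        [Parameter(Mandatory)][ValidateSet('User', 'Computer', 'DomainLocal', 'Global', 'Universal')]
        [string]$MemberType,
        [Parameter(Mandatory)][string]$MemberDomain,

        # Windows 2000 mixed mode: no universal security groups and no
        # global-in-global nesting (slide 6). Omit for native / 2003 mode.
        [switch]$MixedMode
    )

    $sameDomain = $ContainerDomain -eq $MemberDomain
    $isAccount  = $MemberType -in @('User', 'Computer')

    if ($MixedMode -and ($ContainerScope -eq 'Universal' -or $MemberType -eq 'Universal')) {
        $ok = $false; $why = 'Universal security groups exist only in native mode'
    }
    else {
        switch ($ContainerScope) {
            'DomainLocal' {
                # Accounts and global/universal groups from anywhere in the
                # forest; other domain local groups only from its own domain
                if ($isAccount -or $MemberType -in @('Global', 'Universal')) {
                    $ok = $true;       $why = 'Domain local groups accept this from any domain in the forest'
                } else {
                    $ok = $sameDomain; $why = 'Domain local groups may nest only domain local groups from their own domain'
                }
            }
            'Global' {
                # Only accounts and (in native mode) global groups from its own domain
                if ($isAccount) {
                    $ok = $sameDomain; $why = 'Global groups take accounts only from their own domain'
                } elseif ($MemberType -eq 'Global') {
                    $ok  = $sameDomain -and -not $MixedMode
                    $why = 'Global groups may nest global groups from their own domain, in native mode only'
                } else {
                    $ok = $false;      $why = 'Global groups cannot contain domain local or universal groups'
                }
            }
            'Universal' {
                # Accounts, global and universal groups from any domain; never domain local groups
                $ok  = $MemberType -ne 'DomainLocal'
                $why = if ($ok) { 'Universal groups accept this from any domain in the forest' } else { 'Universal groups cannot contain domain local groups' }
            }
        }
    }

    [pscustomobject]@{
        Container = "$ContainerScope group in $ContainerDomain"
        Member    = "$MemberType from $MemberDomain"
        Allowed   = $ok
        Reason    = $why
    }
}

# Constructed scenarios with placeholder domain names
Test-GroupNestingRule -ContainerScope Global      -ContainerDomain 'hq.example.com' -MemberType User        -MemberDomain 'sales.example.com'
Test-GroupNestingRule -ContainerScope DomainLocal -ContainerDomain 'hq.example.com' -MemberType Global      -MemberDomain 'sales.example.com'
Test-GroupNestingRule -ContainerScope Global      -ContainerDomain 'hq.example.com' -MemberType Global      -MemberDomain 'hq.example.com' -MixedMode
Test-GroupNestingRule -ContainerScope Universal   -ContainerDomain 'hq.example.com' -MemberType DomainLocal -MemberDomain 'hq.example.com'
```

Of the four calls, only the second (a global group from another domain nested in a domain local group) is allowed; the other three are rejected with the reason from the slide that forbids them. The function is a planning aid for the strategy on slides 12 and 13: run a proposed nesting through it before creating anything in the directory.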

12
Planning a Group Strategy
  • Organize domain users logically based on common
    needs
  • Create a global group for each logical group of
    users
  • Add the appropriate user accounts to the
    appropriate global groups
  • Create domain local groups based on resource
    access needs and share the resource
  • Add the appropriate global groups to the domain
    local groups
  • Assign the appropriate permissions to the domain
    local groups

13
Implementing a Group Strategy
  • Determine the required group scope according to
    your needs
  • Add users with similar needs from the same domain
    to a global group
  • Add users with similar needs from different
    domains to a universal group
  • Add global groups from different domains with
    similar job tasks to a universal group
  • Add global groups to domain local groups and
    universal groups
  • Use domain local groups or universal groups to
    assign permissions to a resource
  • Avoid adding users directly to universal groups,
    since adding and removing users from universal
    groups increases replication traffic
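Slides 12 and 13 describe the accounts, global, domain local, permissions (A-G-DL-P) pattern in words. As an added example that is not part of the slides, here is the same procedure carried out with the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later; the slides themselves describe the 2003-era consoles). The domain DN, OU, account names and folder path are placeholders.

```powershell
# Added example (not from the slides): the A-G-DL-P strategy of slides 12 and
# 13 done with the ActiveDirectory module. Domain, OU, account and folder
# names are placeholders.

Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example,DC=com'   # placeholder domain
$ouPath   = "OU=Groups,$domainDn"         # placeholder OU that holds the groups
$folder   = 'D:\Shares\Finance'           # placeholder resource being protected
$netbios  = (Get-ADDomain).NetBIOSName

# A -> G: a global group for one logical set of users (steps 1-3)
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ouPath -Description 'Finance department staff (role group)'
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'alice', 'bob'   # placeholder accounts

# DL: a domain local group named for the resource and the access level (step 4)
New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouPath -Description "Modify access to $folder"

# G -> DL: nest the role group in the resource group (step 5)
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'GG-Finance-Staff'

# DL -> P: the permission is granted exactly once, to the domain local group (step 6)
$acl  = Get-Acl -Path $folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$netbios\DL-Finance-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: users reach the folder only through GG -> DL, and the ACL names the
# DL group rather than any user or global group
Get-ADGroupMember -Identity 'DL-Finance-Modify' -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -like '*DL-Finance-Modify' } | Format-List IdentityReference, FileSystemRights, InheritanceFlags
```

Adding a user to the finance team is now a single `Add-ADGroupMember` on the global group; the ACL on the folder never changes, which is the point of slide 11's nesting. If users from a second domain need the same folder, slide 13's variant applies: put their own domain's global group into `DL-Finance-Modify` as well, rather than adding the users directly to a universal group.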

14
Deleting a Group
  • Deleting a group
      • When you delete a group, it is permanently
        removed, along with the permissions and rights
        that are associated with it; its SID is deleted
      • If you later create a new group with the same
        name, the new group will not have the same
        privileges as the old, deleted group
      • A new SID identifies the new group and the
        permissions that are granted to it
      • Deleting a group does not delete the user
        accounts that are members of the group
  • By default, only members of the Administrators or
    Account Operators group in a domain can create
    groups
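Because ACLs store SIDs rather than names, a deleted group leaves an entry on every resource it was granted access to that no longer resolves to anything. The following is an added example (not part of the slides) that finds those leftover entries on a folder tree; the folder path is a placeholder.

```powershell
# Added example (not from the slides): list access-control entries whose
# trustee SID no longer resolves to a name, which is what a deleted group
# leaves behind on every resource it was granted access to (slide 14).
# The folder paths are placeholders.

function Get-OrphanedAce {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)

    process {
        $acl = Get-Acl -Path $Path
        foreach ($ace in $acl.Access) {
            # Get-Acl resolves known SIDs to DOMAIN\Name (an NTAccount). A SID
            # that belonged to a deleted group cannot be resolved, so it stays
            # a raw SecurityIdentifier (displayed as S-1-5-21-...-RID)
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                [pscustomobject]@{
                    Path      = $Path
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Scan a share root and every folder beneath it. Entries with Inherited =
# False are the ones to remove; inherited copies disappear once the folder
# they come from is cleaned up
$root    = 'D:\Shares'    # placeholder
$folders = @($root) + @(Get-ChildItem -Path $root -Recurse -Directory | ForEach-Object FullName)
$folders | Get-OrphanedAce | Format-Table -AutoSize
```

Running this after a group deletion shows directly why re-creating a group with the same name does not restore access: the new group's SID is different, so the old entries stay orphaned and grant nothing to anyone. Orphaned entries are also worth removing for hygiene, since they make ACL reviews harder to read.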

15
Built-in Groups
  • Windows Server 2003 includes default groups,
    called built-in groups, that have a preset
    collection of rights and permissions
  • These built-in groups are created automatically
    when the operating system is installed and they
    cannot be deleted
  • Built-in local groups are created on stand-alone
    servers, member servers, and Windows 2000
    Professional or Windows XP workstations
  • Built-in local groups can be found in the Groups
    folder of the Computer Management console
  • Built-in domain local groups can be found in the
    Builtin folder of the Active Directory Users and
    Computers console
  • Built-in domain local groups are not created on
    multiple computers on the network because Active
    Directory serves as the central storage area

16
Built-In Domain Local Groups in the Active
Directory on a Domain Controller
  • Ten (10) most important domain local groups
  • Account Operators
      • No members by default
      • Members can create, delete, and modify user
        accounts and groups
      • Members cannot modify the Administrators group or
        any of the Operators groups
  • Administrators
      • By default, this group initially contains the
        Administrator user account, the Domain Admins
        global group, and the Enterprise Admins global
        group
      • Members can perform all administrative tasks on
        all domain controllers

17
Built-In Domain Local Groups in the Active
Directory on a Domain Controller
  • Backup Operators
      • No members by default
      • Members can back up and restore files on all
        computers
  • Guests
      • By default, this group initially contains the
        Guest user account and the Domain Guests global
        group
      • Members can perform only tasks for which they
        have been granted user rights and permissions
  • Pre-Windows 2000 Compatible Access
      • Created for backward compatibility
      • Members have Read access to all users and groups
        in the domain

18
Built-In Domain Local Groups in the Active
Directory on a Domain Controller
  • Print Operators
      • No members by default
      • Members can set up and manage network printers on
        domain controllers and manage Active Directory
        printer objects
      • Members can install and uninstall device drivers
        on domain controllers, and log on to and shut
        down domain controllers
  • Remote Desktop Users
      • Members can remotely log on to domain controllers
        in the domain using Terminal Services
  • Replicator
      • Supports file replication in a domain; no members
        by default

19
Built-In Domain Local Groups in the Active
Directory on a Domain Controller
  • Server Operators
      • No members by default
      • Members can share disk resources, back up and
        restore files, start and stop services, format
        the hard disk, and log on to and shut down
        domain controllers
  • Users
      • All user accounts created in the domain are added
        to this group
      • By default, the Domain Users global group and the
        Authenticated Users and Interactive built-in
        system groups are nested in this group
      • Members can perform only tasks for which they
        have been granted user rights and permissions

20
Built-In Domain Local Groups in the Active
Directory on a Domain Controller
  • The set of domain local groups differs from one
    domain controller to another, depending on the
    services the domain controller is running. Some of
    these groups are
      • Incoming Forest Trust Builders
      • Network Configuration Operators
      • Performance Log Users
      • Performance Monitor Users
      • Terminal Server License Servers
      • Windows Authorization Access Group
      • IIS_WPG (installed with IIS)
      • Cert Publishers
      • Telnet Clients
      • RAS and IAS Servers
      • DHCP Administrators

21
Built-In Global/Universal Groups in the Active
Directory on a Domain Controller
  • Nine (9) most commonly used global/universal
    groups
  • Domain Admins - automatically added to the
    domain's built-in local Administrators group.
    The Administrator account is a member by default.
    Members have full administrative control over
    the domain
  • Domain Computers - all workstations and servers
    joined to the domain are members of this group
  • Domain Controllers - all domain controllers in
    the domain are members of this group
  • Domain Guests - automatically added to the
    Guests domain local group. The disabled Guest
    account is a member by default

22
Built-In Global/Universal Groups in the Active
Directory on a Domain Controller
  • Domain Users - members of this group include all
    user accounts in the domain. The Administrator
    account is a default member, and every new domain
    user account becomes a member of the Domain Users
    built-in group
  • Enterprise Admins - the Domain Admins group, the
    Administrators group, and the Administrator user
    account are default members. Members have full
    administrative control over all domains in the
    forest. In Windows 2000 native mode or Windows
    Server 2003 mode this global group is converted
    to a universal group

23
Built-In Global/Universal Groups in the Active
Directory on a Domain Controller
  • Schema Admins - this group appears only in the
    forest root domain. Members can modify the Active
    Directory schema; the domain Administrator account
    is a member by default. In Windows 2000 native
    mode or Windows Server 2003 mode this global group
    is converted to a universal group
  • Group Policy Creator Owners - members of this
    group can modify Group Policy for the domain; the
    domain Administrator account is a member by
    default
  • RAS and IAS Servers - servers that are members of
    this group are permitted to access the remote
    access properties of users
  • Members of all built-in global/universal groups
    have no initial rights or permissions. These
    groups initially derive all of their rights and
    permissions from their memberships in other groups
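Slides 16 to 23 give the default membership of each privileged built-in group, which is exactly the baseline a reviewer compares against. As an added example that is not part of the slides, the following script reports the effective (nested) membership of those groups with the ActiveDirectory module (RSAT); the group list is a starting point, not an exhaustive one.

```powershell
# Added example (not from the slides): report the effective (nested)
# membership of the privileged built-in groups described on slides 16-23.
# Requires the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

# Domain local groups from slides 16-19 that are empty by default, plus the
# global/universal groups from slides 21-23 that carry administrative rights
$privilegedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators',
    'Server Operators', 'Print Operators',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners'
)

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $privilegedGroups)

    foreach ($name in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root
        # domain (slide 23), so a child domain simply skips them
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }

        # -Recursive expands nested groups, so a user who gets in through a
        # nested global group is listed just like a direct member
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not expand '$name': $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Group        = $name
                GroupScope   = $group.GroupScope
                Member       = $m.SamAccountName
                MemberClass  = $m.objectClass
                # Domain part of the DN, e.g. corp.example.com
                MemberDomain = (($m.DistinguishedName -split ',DC=', 2)[1]) -replace ',DC=', '.'
            }
        }
    }
}

# Anything beyond the defaults on slides 16-23 (Administrator, Domain Admins
# and Enterprise Admins in Administrators; the Operators groups empty) is
# worth a second look
Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
```

The same review on a member server or workstation (slides 24 to 26) uses `Get-LocalGroupMember -Group 'Administrators'` and friends from the Microsoft.PowerShell.LocalAccounts module; there the expected baseline is the local Administrator account plus Domain Admins once the computer has joined the domain.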

24
Built-In Local Groups on Non-Domain Controllers
  • Windows Server 2003 stand-alone servers and member
    servers all have built-in groups, which can be
    viewed in the Groups folder of the Computer
    Management console
  • Built-in local groups provide users with user
    rights and permissions to perform tasks on a
    single computer
  • Eight (8) important built-in local groups
  • Administrators
      • By default, the built-in Administrator user
        account for the computer is a member
      • When this computer (member server or
        Professional workstation) joins a domain, the
        Domain Admins global group is added to the local
        Administrators group
      • Members can perform all administrative tasks on
        the computer

25
Built-In Local Groups on Non-Domain Controllers
  • Backup Operators - members can override any
    security restrictions in order to back up and
    restore the computer
  • Guests - by default, the built-in Guest account
    for the computer is a member. When this computer
    joins a domain, the Domain Guests group is added
    to the local Guests group
  • Power Users
      • Members can create local user and group accounts
        on the computer, and modify the users and groups
        they have created
      • Members can create shared resources and administer
        the shares they created
      • Power Users cannot back up or restore, take
        ownership of files, load or unload device
        drivers, or manage security logs
      • Gives the user the ability to perform some system
        administrative functions without having complete
        control over the system

26
Built-In Local Groups on Non-Domain Controllers
  • Print Operators - members can manage printers
    and print queues on the computer
  • Remote Desktop Users - members can log on to the
    computer remotely using Terminal Services
  • Replicator - supports the directory replication
    function of the domain; no members by default
  • Users
      • By default, newly created user accounts on the
        computer are members
      • When this computer joins a domain, the Domain
        Users group and the Authenticated Users and
        Interactive groups are added to the local Users
        group
      • Members can perform only tasks for which they
        have been granted user rights and permissions

27
Built-in System Groups
  • System groups, also known as special groups or
    special identities, are built-in groups found on
    all Windows Server 2003 computers
  • Users are either members of these groups by
    default or become members during network activity
  • You cannot add users or groups to them; however,
    you can make a system group a member of a local
    group or domain local group
  • Administrators cannot create, delete, or modify
    them; the operating system does so automatically
  • You do not see system groups when you administer
    groups, but they are available for use when you
    assign rights and permissions to resources

28
Built-in System Groups
  • Nine most commonly used system groups
  • Anonymous Logon - when Windows Server 2003 cannot
    validate a user account, the user is added to the
    Anonymous Logon built-in system group
  • Authenticated Users - includes all users who have
    been authenticated either on the local computer
    or in the Active Directory. The Guest account is
    not included
  • Creator Owner - every user who creates a resource
    or takes ownership of a resource is a member of
    this group
  • Creator Group - every group that creates a
    resource or takes ownership of a resource is a
    member of this group
  • Dial-up - users who are accessing a shared
    resource on a computer via a dial-up connection or
    a VPN (Virtual Private Network)

29
Built-in System Groups
  • Everyone - on computers running Windows Server
    2003, the Everyone group includes the Authenticated
    Users special identity plus the Guest user
    account. Earlier versions of Windows also included
    anonymous users
  • Interactive - includes all users who are currently
    logged on locally or through a Remote Desktop
    connection
  • Network - includes any user with a current
    connection from another computer on the network
    to a shared resource on the computer
  • Terminal Server Users - includes all users who
    are currently logged on to the Terminal Server.
    Members of this group can run applications on the
    Terminal Server
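Slide 27 notes that special identities never appear where groups are administered, yet can be named in an ACL, and slides 28 and 29 note the one difference that matters most in practice: Everyone includes the Guest account, Authenticated Users does not. The following is an added example (not part of the slides) that shows how special identities are addressed in an ACL, by well-known SID, and replaces an explicit Everyone entry on a folder with an Authenticated Users entry. It needs PowerShell 5.1 or later; the folder path is a placeholder.

```powershell
# Added example (not from the slides): special identities (slides 27-29)
# are addressed by well-known SID, not by a DOMAIN\Name. This replaces an
# explicit "Everyone" entry, which on Server 2003 also covers the Guest
# account, with an "Authenticated Users" entry, which does not.
# Requires PowerShell 5.1+ (for 'using namespace' and ::new).

using namespace System.Security.Principal
using namespace System.Security.AccessControl

$path = 'D:\Shares\Public'     # placeholder folder

# Well-known SIDs behind the two special identities
$everyone      = [SecurityIdentifier]::new([WellKnownSidType]::WorldSid, $null)             # S-1-1-0
$authenticated = [SecurityIdentifier]::new([WellKnownSidType]::AuthenticatedUserSid, $null) # S-1-5-11

$acl = Get-Acl -Path $path

# Weak setting: any explicit (non-inherited) ACE granted to Everyone here
$weak = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([SecurityIdentifier]) -eq $everyone
}
foreach ($ace in $weak) { [void]$acl.RemoveAccessRule($ace) }

# Corrected setting: read access only for accounts that actually
# authenticated; the Guest account and anonymous logons are excluded
$rule = [FileSystemAccessRule]::new(
    $authenticated,
    [FileSystemRights]::ReadAndExecute,
    [InheritanceFlags]'ContainerInherit,ObjectInherit',
    [PropagationFlags]::None,
    [AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review: each trustee as displayed, with the SID the ACL actually stores
(Get-Acl -Path $path).Access | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Sid      = $_.IdentityReference.Translate([SecurityIdentifier]).Value
        Rights   = $_.FileSystemRights
        Type     = $_.AccessControlType
    }
}
```

Constructing the identities from `WellKnownSidType` rather than from the display names keeps the script correct on systems with a non-English locale, where the names of special identities are localized but the SIDs are not.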

30
Group Policy Objects
  • You cannot apply Group Policy Objects (GPOs) to
    four of the built-in containers in Windows Server
    2003. These containers are
      • Users
      • Computers
      • ForeignSecurityPrincipals
      • Builtin
  • Create an organizational unit (OU) and create user
    and group accounts in that OU
  • Apply a Group Policy Object (GPO) to that OU
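As an added example that is not part of the slides, here is slide 30's procedure carried out with the ActiveDirectory and GroupPolicy modules (RSAT). The domain DN, OU, user, group and GPO names are placeholders.

```powershell
# Added example (not from the slides): slide 30's procedure with the
# ActiveDirectory and GroupPolicy modules (RSAT). Names and DNs are
# placeholders.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'   # placeholder domain
$ouDn     = "OU=Finance,$domainDn"

# 1. An OU can carry a GPO link; the Users, Computers,
#    ForeignSecurityPrincipals and Builtin containers cannot, so the
#    accounts have to live in an OU
New-ADOrganizationalUnit -Name 'Finance' -Path $domainDn -ProtectedFromAccidentalDeletion $true

# 2. Create the user and group accounts inside that OU (a user created
#    without a password stays disabled until one is set)
New-ADUser  -Name 'carol' -SamAccountName 'carol' -Path $ouDn
New-ADGroup -Name 'GG-Finance-Analysts' -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity 'GG-Finance-Analysts' -Members 'carol'

# 3. Create the GPO and link it to the OU. A container such as
#    CN=Users,... is not a valid -Target for New-GPLink
$gpo = New-GPO -Name 'Finance-Workstation-Baseline' -Comment 'Linked to OU=Finance only'
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes

# Check: the OU now lists the link
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks
```

Accounts that already sit in the default Users container are moved into the OU with `Move-ADObject`, after which the GPO applies to them at the next policy refresh.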