The actions that a user can perform depend on the group memberships of the user's account. The Advanced Server provides several default groups that have established collections of rights and abilities. Both global and local types are provided:
The built-in groups are explained in the sections that follow.
4.8 Built-In Local Groups
When the Advanced Server is installed on any computer, several default built-in local groups are created. Table 4-3 lists the built-in local groups, their initial contents, and who can modify them.
Local Group | Initial Contents | Who Can Modify |
---|---|---|
Administrators | Domain Admins (global group); Administrator (user account) | Administrators |
Users | Domain Users (global group) | Administrators, Account Operators |
Guests | Domain Guests (global group) | Administrators, Account Operators |
Server Operators | None | Administrators |
Print Operators | None | Administrators |
Backup Operators | None | Administrators |
Account Operators | None | Administrators |
In addition to these built-in local groups, an identity called Everyone represents all known people on the network, including administrators, all types of operators, users, users from other domains, and guests. You cannot change the membership of Everyone; it always contains all users. Everyone is not actually a local group and does not appear when groups are displayed, but you can assign file permissions and rights to Everyone.
Membership in built-in local groups gives a user certain privileges.
Table 4-4 shows the rights and abilities held by each built-in local group on an Advanced Server domain. The built-in global groups of a domain are not shown in this table because built-in global groups receive their rights and abilities indirectly through their memberships in built-in local groups.
Right or Ability | Administrators | Server Operators | Account Operators | Print Operators | Backup Operators | Everyone | Users | Guests |
---|---|---|---|---|---|---|---|---|
Right | | | | | | | | |
Log on locally ¹ | X | X | X | X | X | | | |
Access this computer from network | X | | | | | X | | |
Take ownership of files | X | | | | | | | |
Manage auditing and security log | X | | | | | | | |
Change system time ¹ | X | X | | | | | | |
Shut down system ¹ | X | X | X | X | X | | | |
Force shutdown from a remote system ¹ | X | X | | | | | | |
Back up files and directories ¹ | X | X | | | X | | | |
Restore files and directories ¹ | X | X | | | X | | | |
Ability | | | | | | | | |
Create and manage user accounts | X | | X ² | | | | | |
Create and manage global groups | X | | X ² | | | | | |
Share and stop sharing directories | X | X | | | | | | |
Share and stop sharing printers | X | X | | X | | | | |
The following sections describe the built-in local groups in the
Advanced Server. For information about built-in local groups on a Windows
NT Server, see the Microsoft Windows NT Server Concepts and
Planning Guide.
4.8.1 Administrators
The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed.
In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group.
Unlike administrators in LAN Manager servers, Advanced Server
administrators do not automatically have access to every file in the
domain. If a file's permissions do not grant access, the administrator
cannot access the file. If needed, an administrator can take ownership
of a file and thus have access to it. But if the administrator does so,
this event is recorded in the security log (if auditing of files is
turned on) and the administrator cannot give ownership back to the
original owner. For more information about ownership of files and
directories, see Chapter 6, Managing Network Shares, in this guide.
4.8.2 Users
Membership in the Users local group provides the abilities most users need to perform normal tasks.
By default, the Domain Users global group is a member of the Users
built-in local group, but it can be removed.
4.8.3 Guests
Differences between the rights granted to the Guests built-in local
group and to the Users local group are minimal; both groups have the
right to access the server over the network.
4.8.4 Server Operators
Members of the built-in Server Operators local group have many of the
same abilities as built-in Administrators; however, they cannot manage
security on the server.
Specifically, Server Operators can share and stop sharing a server's
files and printers, and they can start, stop, pause, and continue
selected services.
4.8.5 Print Operators
Members of the built-in Print Operators local group can manage shared printers.
If you want a domain's Print Operators to administer printers managed by Windows NT workstation computers in the domain, as well as printers managed by the domain's servers, you must perform the following steps:
4.8.6 Backup Operators
Members of the built-in Backup Operators local group have specific
rights on any Windows NT Server in the domain, but no specific rights
on Advanced Server.
4.8.7 Account Operators
Members of the built-in Account Operators local group can manage the
server's user and group accounts.
An Account Operator can create, delete, and modify most user accounts,
global groups, and local groups. However, the Account Operators cannot
modify the user accounts of Administrators, nor can they modify the
Administrators, Server Operators, Account Operators, Print Operators,
or Backup Operators local groups. They also cannot assign user rights.
4.8.8 Logging On as System Administrator
Most of the system administrators on your network have dual roles: they are both administrators and users. Although they perform network administration tasks, they also perform tasks as network users.
For this reason, every system administrator should maintain the following two accounts:
Your network will be more secure if your system administrator uses
these two accounts. While a system administrator is logged on as a
regular user, he or she will be unable to change aspects of the network
that only system administrators can change. However, using this method
will result in some inconvenience for system administrators, because
they will have to log off and then log on again before they can
administer the network.
4.8.9 Allowing Guest Access
Every Advanced Server domain has a Guest account which is disabled by default. The Guest account does not have a password and can be used to support network guest logons.
A network guest logon occurs when a user tries to access a computer over the network but does not have an account in the computer's domain or in a domain that the computer trusts. Because the account does not exist in the computer's domain, or in any domain that it trusts, the computer does not recognize the user who is trying to access it. In this case, the computer approves the access as a guest logon, as long as the Guest account of the target computer is enabled and has no password.
The guest user then has all of the rights, permissions, and group memberships on the computer that are granted to the Guest account, even though the guest user did not specify Guest as his or her user name.
If you set up your Advanced Server network so that all of the Advanced Server domains in which user accounts are defined are trusted by other domains, network guest logons will rarely occur at servers.
A network guest logon can occur only when a user with no account on the
domain or on a trusted domain tries to access the computer, and the
guest account is enabled.
By default, the guest account is disabled. To enable the guest account,
the administrator must modify the guest disuser flag, using the MODIFY
USER command. See the Advanced Server for OpenVMS Commands Reference Manual for information on
how to enable the guest account.
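The rule in this section (account lookup in the computer's own domain, then in trusted domains, then the guest fallback only if Guest is enabled and has no password) written out as a decision function. This is an added example, not code from this guide or from the Advanced Server product; the domain names ENG and SALES, the accounts, and the trust relationships are constructed for illustration.

```python
"""Decision rule for a network guest logon, as described in 4.8.9.

Added example; not code from the guide or from the Advanced Server product.
The domain names, account names and trust relationships are constructed.
An explicit logon as Guest with Guest's own password is ordinary
authentication and is not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    accounts: set[str]                               # user accounts defined in this domain
    trusts: set[str] = field(default_factory=set)    # domains this domain trusts
    guest_enabled: bool = False                      # Guest is disabled by default
    guest_password: str = ""                         # Guest has no password by default


def account_domain(target: Domain, directory: dict[str, Domain], user: str):
    """Domain that defines `user` as seen from `target`, or None if unknown.

    A computer recognizes accounts of its own domain and of the domains it
    trusts; an account defined anywhere else is as good as no account."""
    if user in target.accounts:
        return target.name
    for name in target.trusts:
        trusted = directory.get(name)
        if trusted is not None and user in trusted.accounts:
            return name
    return None


def network_logon(target: Domain, directory: dict[str, Domain], user: str) -> str:
    """Classify a network logon of `user` at a computer in `target`.

    "user:<domain>"  the account was found; ordinary authentication applies
    "guest"          network guest logon: the caller receives every right,
                     permission and group membership of Guest, even though
                     the name Guest was never supplied
    "denied"         unknown account, and Guest is disabled or has a password
    """
    domain = account_domain(target, directory, user)
    if domain is not None:
        return f"user:{domain}"
    if target.guest_enabled and target.guest_password == "":
        return "guest"
    return "denied"


def example_directory() -> dict[str, Domain]:
    """Constructed sample: SALES trusts ENG and has Guest enabled; ENG trusts nobody."""
    return {
        "ENG": Domain("ENG", accounts={"alice"}),
        "SALES": Domain("SALES", accounts={"bob"}, trusts={"ENG"}, guest_enabled=True),
    }


if __name__ == "__main__":
    d = example_directory()
    for user in ("bob", "alice", "mallory"):
        print(f"{user:8} at SALES -> {network_logon(d['SALES'], d, user)}")
    print(f"{'bob':8} at ENG   -> {network_logon(d['ENG'], d, 'bob')}")
```

Run against the constructed directory, "mallory" (defined nowhere) is admitted to SALES as a guest while "bob" is refused at ENG, which trusts no one and keeps Guest disabled. The check to remember is the conjunction: enabling Guest is harmless only while it keeps a password, and setting a password on Guest is the one switch that turns every unknown name back into "denied". Because a guest session runs with the Guest account's memberships, whatever the Guests local group and the Guest account have been granted is what an anonymous caller gets.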
4.8.10 Using the Operators Local Groups
As an example of how to use operators local groups, consider a medium-sized department that is deciding how to assign its technical staff to the various administrator and operator groups.
At least one user must be an administrator. Members of the Administrators group have several unique abilities. These include taking ownership of files and managing auditing. Because of their unique abilities, members of the Administrators group are responsible for planning and maintaining network security for the department. They also can be allowed to administer Windows NT workstation computers.
If there is someone in the group who is responsible for helping new employees get started, it may be wise to make this person a member of the Account Operators group. This account operator then can create domain accounts for new employees and place these accounts in the appropriate groups.
If the domain's Administrators group has only a few members, you should assign at least one additional person to the Server Operators group. The basic function of the Server Operators group is to keep the domain servers running. This goal is reflected in their abilities to share directories and printers on servers. If possible, at least one member of either the Administrators or Server Operators group should be present at all hours during which people are using the network.
If the ability to print documents quickly is important to your group,
you should add several people to the Print Operators group to ensure
that printer problems can be addressed quickly.
4.8.11 Setting Up a Universal Operators Group
If your network has multiple domains, each containing computers with shared printers, and you have a single group of Print Operators who need the ability to administer printers in all domains, use a universal operators group (a combination of global groups and local groups) to set this up. By doing so, you ensure that your Print Operators group is easy to maintain as your network evolves, as print operators come and go, and as new computers or domains are added.
Follow these steps to establish a universal operators group:
After you complete these steps, every Print Operator has the ability to administer all printers.
If you also need to administer printers on Windows NT workstation
computers, you will need to go a step further, because a domain's local
groups (such as Print Operators) cannot be used by Windows NT
workstation computers --- even Windows NT workstation computers
participating in that domain. To each Windows NT workstation computer
with printers to administer,
add all of the Domain PrintOps global groups to the workstation's Power
Users local group.
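The universal operators group above, and the remark under Table 4-4 that global groups receive their rights only through membership in local groups, both rest on the same three rules: a global group holds only accounts of its own domain, a local group holds accounts and global groups from its own or a trusted domain, and local groups cannot be nested. The following model enforces those rules and resolves a user's effective rights from them. It is an added example, not code from this guide or from the Advanced Server product; the domains ENG and SALES, the users, the "Domain PrintOps" global groups, the workstation WS1 and its "Power Users" local group are constructed, and the RIGHTS table is a subset of Table 4-4.

```python
"""Group model for an Advanced Server domain: accounts sit in global groups,
global groups sit in local groups, and local groups carry the rights.

Added example; not code from the guide or from the Advanced Server product.
Domain names, user names, the "Domain PrintOps" global groups, workstation
WS1 and its "Power Users" local group are constructed; RIGHTS is a subset
of Table 4-4.
"""
from dataclasses import dataclass, field

# Subset of Table 4-4: rights and abilities by built-in local group.
# "Everyone" is an identity that every logged-on user holds, not a real group.
RIGHTS = {
    "Administrators": {"log on locally", "access from network", "take ownership",
                       "manage auditing", "share directories", "share printers"},
    "Server Operators": {"log on locally", "share directories", "share printers"},
    "Account Operators": {"log on locally", "manage user accounts"},
    "Print Operators": {"log on locally", "share printers"},
    "Backup Operators": {"log on locally", "back up files"},
    "Everyone": {"access from network"},
}


@dataclass
class Domain:
    """A domain, or (with no accounts of its own) a Windows NT workstation."""
    name: str
    users: set[str] = field(default_factory=set)
    trusts: set[str] = field(default_factory=set)      # domains whose accounts and global groups may be used here
    global_groups: dict[str, set[str]] = field(default_factory=dict)  # name -> accounts of this domain
    local_groups: dict[str, set[str]] = field(default_factory=dict)   # name -> "DOMAIN\\member"


def add_global_member(d: Domain, group: str, user: str) -> None:
    """A global group may contain only user accounts defined in its own domain."""
    if user not in d.users:
        raise ValueError(f"{d.name}\\{group}: {user} is not an account of {d.name}")
    d.global_groups.setdefault(group, set()).add(user)


def add_local_member(d: Domain, group: str, member: str, directory: dict[str, Domain]) -> None:
    """A local group may contain users and global groups of its own domain or of
    a trusted domain; it can never contain another local group."""
    dom, _, name = member.partition("\\")
    if dom != d.name and dom not in d.trusts:
        raise ValueError(f"{d.name} does not trust {dom}")
    src = directory[dom]
    if name not in src.users and name not in src.global_groups:
        raise ValueError(f"{member} is not a user or global group (local groups cannot be nested)")
    d.local_groups.setdefault(group, set()).add(member)


def local_groups_of(d: Domain, user: str, directory: dict[str, Domain]) -> set[str]:
    """Local groups of `d` that DOMAIN\\user belongs to, directly or via a global group."""
    udom, _, uname = user.partition("\\")
    found = set()
    for gname, members in d.local_groups.items():
        for m in members:
            mdom, _, mname = m.partition("\\")
            globals_ = directory[mdom].global_groups
            via_global = mdom == udom and mname in globals_ and uname in globals_[mname]
            if m == user or via_global:
                found.add(gname)
                break
    return found


def rights_of(d: Domain, user: str, directory: dict[str, Domain]) -> set[str]:
    """Effective rights of DOMAIN\\user on domain `d`: Everyone plus each local group held."""
    rights = set(RIGHTS["Everyone"])
    for g in local_groups_of(d, user, directory):
        rights |= RIGHTS.get(g, set())
    return rights


def build_example() -> dict[str, Domain]:
    """Two mutually trusting domains and a universal print-operators group (constructed data)."""
    eng = Domain("ENG", users={"Administrator", "alice", "pat"}, trusts={"SALES"})
    sales = Domain("SALES", users={"Administrator", "sam"}, trusts={"ENG"})
    ws1 = Domain("WS1", trusts={"ENG", "SALES"})   # NT workstation in ENG; no domain accounts of its own
    directory = {"ENG": eng, "SALES": sales, "WS1": ws1}
    # Default memberships from Tables 4-3 and 4-5: Domain Admins sits in Administrators.
    for d in (eng, sales):
        add_global_member(d, "Domain Admins", "Administrator")
        add_local_member(d, "Administrators", f"{d.name}\\Domain Admins", directory)
    add_global_member(eng, "Domain Admins", "alice")
    # Universal operators group: one Domain PrintOps global group per domain,
    # each placed in the Print Operators local group of every domain.
    add_global_member(eng, "Domain PrintOps", "pat")
    add_global_member(sales, "Domain PrintOps", "sam")
    for d in (eng, sales):
        for src in (eng, sales):
            add_local_member(d, "Print Operators", f"{src.name}\\Domain PrintOps", directory)
    # A workstation cannot use a domain's local groups, so it takes the global groups.
    for src in (eng, sales):
        add_local_member(ws1, "Power Users", f"{src.name}\\Domain PrintOps", directory)
    return directory


if __name__ == "__main__":
    d = build_example()
    print("ENG\\alice on ENG:", sorted(rights_of(d["ENG"], "ENG\\alice", d)))
    print("ENG\\pat on SALES:", sorted(rights_of(d["SALES"], "ENG\\pat", d)))
    print("SALES\\sam on WS1:", sorted(local_groups_of(d["WS1"], "SALES\\sam", d)))
```

Two things fall out of the model that the prose only states. Alice never appears in any local group, yet she gets "take ownership" and "manage auditing" on ENG because Domain Admins is a member of Administrators; remove that one membership and she is an ordinary user. And adding ENG\Print Operators to WS1's Power Users group raises an error, because a domain's local group is not a valid member anywhere, which is exactly why the workstation step uses the Domain PrintOps global groups instead.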
4.9 Built-In Global Groups
Three global groups are built in:
Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.
Global Group | Initial Contents | Who Can Modify |
---|---|---|
Domain Admins | Administrator | Administrators |
Domain Users | Administrator | Administrators, Account Operators |
Domain Guests | Guest | Administrators, Account Operators |
The following sections further explain the built-in global groups and
how to use them.
4.9.1 Domain Admins
The Domain Admins global group is a member of the Administrators local group for the domain and of the Administrators local group for every Windows NT workstation computer in the domain. The built-in Administrator user account is a member of the Domain Admins global group.
Because of these memberships, a user logged on to the Administrator account can administer the domain, the primary and backup domain controllers, and all of the Windows NT workstation computers in the domain. (However, Domain Admins users can be prevented from administering a particular workstation by removing the Domain Admins global group from that workstation's Administrators group.)
To provide administrative abilities to a new account, make the new
account a member of the Domain Admins global group. This allows that
user to administer the domain, the workstations of the domain, and the
trusted domains that have added the Domain Admins global group from
this domain to their Administrators local group.
4.9.2 Domain Users
By default, all domain user accounts belong to the Domain Users group, including the built-in Administrator account and any new accounts that are created.
The Domain Users global group is by default a member of the Users local group for the domain and of the Users local group for every Windows NT workstation computer in the domain. Domain Users is the default group for each user.
Because of these memberships, users of the domain have normal user
access to and abilities in the domain and the Windows NT workstation
computers of the domain. (However, domain users can be prevented from
being granted this access for a particular workstation by removing the
Domain Users global group from that workstation's Users group.)
4.9.3 Domain Guests
The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you may want to add those accounts to the Domain Guests group and remove them from the Domain Users group.
The Domain Guests global group is a member of the domain's Guests local
group.
4.10 Server-Specific Groups
In addition to the built-in groups mentioned, server-specific groups are created by the system and are used for special purposes. You cannot delete these special groups and should not modify them. When you administer a computer and are presented with a list of groups, these server-specific groups sometimes appear in the list. For example, they can appear when assigning permissions to directories, files, shared network directories, or printers.
Table 4-6 lists the server-specific groups provided and the purpose of each.
Group | Refers to |
---|---|
EVERYONE | Anyone using the computer. This includes all local and remote users; that is, the INTERACTIVE and NETWORK groups combined. In a domain, members of EVERYONE can access the network, connect to a server's shared network directories, and print to a server's printers. |
INTERACTIVE | Anyone using a computer locally. |
NETWORK | All users connected over the network to a computer. |
SYSTEM | The operating system. |