Default User Groups in Windows Server 2008

A number of groups are created automatically on a server running Windows Server 2008.
These are called default local groups, and they include well-known groups such as Administrators, Backup Operators, and Remote Desktop Users. Additional groups are created in a domain, in both the Builtin and Users containers, including Domain Admins, Enterprise Admins, and Schema Admins.


Enterprise Admins (Users container of the forest root domain) This group is a member of the Administrators group in every domain in the forest, giving it complete access to the configuration of all domain controllers. It also owns the Configuration partition of the directory and has full control of the domain naming context in all forest domains.

Schema Admins (Users container of the forest root domain) This group owns and has full control of the Active Directory schema.

Administrators (Builtin container of each domain) This group has complete control over all domain controllers and data in the domain naming context. It can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins, and Domain Admins. The Administrators group in the forest root domain is arguably the most powerful service administration group in the forest.

Domain Admins (Users container of each domain) This group is added to the Administrators group of its domain. Therefore, it inherits all the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, giving Domain Admins ownership of all domain computers.

Server Operators (Builtin container of each domain) This group can perform maintenance tasks on domain controllers. It has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.

Account Operators (Builtin container of each domain) This group can create, modify, and delete accounts for users, groups, and computers located in any organizational unit in the domain (except the Domain Controllers OU) as well as in the Users and Computers containers. Account Operators cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators can also log on locally to domain controllers. By default, this group has no members.

Backup Operators (Builtin container of each domain) This group can perform backup and restore operations on domain controllers as well as log on locally and shut down domain controllers. By default, this group has no members.

Print Operators (Builtin container of each domain) This group can maintain print queues on domain controllers. It can also log on locally and shut down domain controllers.

The default groups that provide administrative privileges should be managed carefully, because they typically have broader privileges than are necessary for most delegated environments and because they often apply protection to their members.
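Because several of the groups above are empty by default and grant domain-controller access, their membership is worth auditing regularly. The following PowerShell script is an added example (not part of the lesson) that lists the members of each administrative group described above, querying Enterprise Admins and Schema Admins in the forest root domain and the rest in the current domain, and flags any member of a group that the lesson says is empty by default. It assumes the ActiveDirectory module (available with Windows Server 2008 R2 or the RSAT tools, not on Windows Server 2008 RTM), PowerShell 3.0 or later, and an account permitted to read group membership.

```powershell
# Added example: audit the default administrative groups and flag members of
# groups that the lesson describes as empty by default.
# Assumes the ActiveDirectory module and PowerShell 3.0+ (for [PSCustomObject]).
Import-Module ActiveDirectory

$RootDomain = (Get-ADForest).RootDomain     # Enterprise Admins / Schema Admins live only here
$Domain     = (Get-ADDomain).DNSRoot        # the domain this session is connected to

# Group name, which domain to query, and whether the lesson says it is empty by default.
$Groups = @(
    @{ Name = 'Enterprise Admins'; Server = $RootDomain; EmptyByDefault = $false },
    @{ Name = 'Schema Admins';     Server = $RootDomain; EmptyByDefault = $false },
    @{ Name = 'Administrators';    Server = $Domain;     EmptyByDefault = $false },
    @{ Name = 'Domain Admins';     Server = $Domain;     EmptyByDefault = $false },
    @{ Name = 'Server Operators';  Server = $Domain;     EmptyByDefault = $true  },
    @{ Name = 'Account Operators'; Server = $Domain;     EmptyByDefault = $true  },
    @{ Name = 'Backup Operators';  Server = $Domain;     EmptyByDefault = $true  },
    @{ Name = 'Print Operators';   Server = $Domain;     EmptyByDefault = $true  }
)

$Report = foreach ($G in $Groups) {
    # -Recursive expands nested groups, so an account that reaches the group
    # through a chain of memberships is still reported. Members are not filtered
    # by object class, so computer accounts and foreign security principals from
    # other domains show up too instead of being silently dropped.
    $Members = @(Get-ADGroupMember -Identity $G.Name -Server $G.Server -Recursive)

    foreach ($M in $Members) {
        [PSCustomObject]@{
            Group   = $G.Name
            Domain  = $G.Server
            Member  = $M.SamAccountName
            Type    = $M.objectClass
            Finding = if ($G.EmptyByDefault) { 'REVIEW: group is empty by default' }
                      else                   { 'confirm this member is expected' }
        }
    }
}

$Report | Sort-Object Group, Member | Format-Table -AutoSize
```

Run the script from a domain-joined machine; the Finding column makes it easy to pipe the output into a ticket or a scheduled report. Any row for Server Operators, Account Operators, Backup Operators, or Print Operators means someone has been added to a group that grants domain-controller logon and should be justified or removed.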

Windows and Active Directory also support special identities, groups whose membership is controlled by the operating system. For example, these groups do not appear in any list in the Active Directory Users and Computers snap-in. You cannot view or modify the membership of these special identities, and you cannot add them to other groups. You can, however, use these groups to assign rights and permissions. The five most important special identities, often referred to as groups for convenience, are described in the following list:

Authenticated Users
Represents identities that have been authenticated. This group does not include Guest, even if the Guest account has a password.

Anonymous Logon
Represents connections to a computer and its resources that are made without supplying a user name and password. Prior to Microsoft Windows Server 2003, this group was a member of the Everyone group. Beginning in Windows Server 2003, this group is no longer a default member of the Everyone group.

Everyone
Includes Authenticated Users and Guest. On computers running versions of Windows earlier than Windows Server 2003, this group includes Anonymous Logon.

Interactive
Represents users accessing a resource while logged on locally to the computer hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user is automatically added to the Interactive group for that resource. Interactive also includes users logged on through a remote desktop connection.

Network
Represents users accessing a resource over the network, as opposed to users who are logged on locally at the computer hosting the resource. When a user accesses any given resource over the network, the user is automatically added to the Network group for that resource.

The importance of these special identities is that they enable you to provide access to resources based on the type of authentication or connection rather than on the user account.

For example, you could create a folder on a system that allows users to view its contents when logged on locally to the system but does not allow the same users to view the contents from a mapped drive over the network. This would be achieved by assigning permissions to the Interactive special identity.
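The folder described above can be built with a few lines of PowerShell. This is an added example, not code from the lesson: it creates a folder (the path C:\LocalOnlyData is an assumed value), stops ACL inheritance so that an inherited entry such as Users: Read cannot quietly grant network access, and then grants read access to the Interactive special identity only. The identities are specified by their well-known SIDs (S-1-5-4 for Interactive, S-1-5-32-544 for BUILTIN\Administrators) rather than by display name, so the script works on any language version of Windows. It needs an elevated session.

```powershell
# Added example: a folder readable by users logged on locally (Interactive)
# but not by the same users connecting over the network (Network).
# $Folder is an assumed path for illustration.
$Folder = 'C:\LocalOnlyData'
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# Well-known SIDs for the principals used below.
$Interactive = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-4'      # NT AUTHORITY\INTERACTIVE
$Admins      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' # BUILTIN\Administrators

$Acl = Get-Acl -Path $Folder

# Disable inheritance and discard the inherited ACEs ($false), so that nothing
# inherited from C:\ (for example Users: Read) grants access we did not intend.
$Acl.SetAccessRuleProtection($true, $false)

$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# Administrators keep full control so the folder stays manageable.
$Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, 'FullControl', $Inherit, $Propagate, 'Allow')))

# Users logged on locally (including Remote Desktop sessions, which the lesson
# counts as Interactive) may list and read the contents.
$Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Interactive, 'ReadAndExecute', $Inherit, $Propagate, 'Allow')))

# No ACE is added for the Network identity (S-1-5-2) and none for individual
# user accounts, so the access decision depends only on how the user connected:
# the same user gets Access Denied through a mapped drive or UNC path.
Set-Acl -Path $Folder -AclObject $Acl

# Verify the resulting DACL.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

To test the effect, log on at the console (or over Remote Desktop) and open the folder, then try the same folder from another machine through \\server\share: the first succeeds and the second fails, even though it is the same account, because the Network identity was never granted anything.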