Lesson 5: Implementing Groups


In this lesson, you will learn what groups are and how you can use them to simplify user account administration. You will also learn about built-in groups, which have a predetermined set of user rights and group membership. Windows XP Professional has two categories of built-in groups, local and system, which it creates for you to simplify the process of assigning rights and permissions for commonly used functions.


After this lesson, you will be able to

  • Describe the key features of local groups and Windows XP Professional built-in groups
  • Create and delete local groups
  • Add members to and remove them from local groups

Estimated lesson time: 40 minutes


Understanding Groups

A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually (see Figure 3.12).

Figure 3.12 Groups simplify administration

Permissions control what users can do with a resource such as a folder, file, or printer. When you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.

For more information about permissions, see Chapter 8, "Securing Resources with NTFS." For more information about rights, see Chapter 13, "Configuring Security Settings and Internet Options."

Understanding Local Groups

A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows XP Professional creates local groups in the local security database.

Preparing to Use Local Groups

Guidelines for using local groups include the following:

  • Use local groups on computers that do not belong to a domain.

    You can use local groups only on the computer on which you create them. Although local groups are available on member servers and domain computers running Windows 2000 Server, do not use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in the Active Directory service, and you must administer them separately for each computer.

  • You can assign permissions to local groups to access only the resources on the computer on which you create the local groups.

You cannot create local groups on domain controllers because domain controllers cannot have a security database that is independent of the database in Active Directory.

Membership rules for local groups include the following:

  • Local groups can contain local user accounts from the computer on which you create the local groups.
  • Local groups cannot belong to any other group.

Creating Local Groups

Use the Computer Management snap-in (shown in Figure 3.13) to create local groups in the Groups folder.

Figure 3.13 The New Group dialog box

To create a local group, complete the following steps:

  1. In Computer Management, expand Local Users And Groups.
  2. Right-click Groups and then click New Group.

    MMC displays the New Group dialog box. Table 3.4 describes the available options.

    Table 3.4 New Local Group Options

  3. Enter the appropriate information, and then click Create.

Adding Members to a Group

You can add members to a local group when you create the group by clicking Add. In addition, Windows XP Professional provides two methods for adding members to a group that has already been created: the Computer Management snap-in and the Member Of tab in the group-name Properties dialog box.

To use the Computer Management snap-in to add members to a group that has already been created, complete the following steps:

  1. Start the Computer Management snap-in.
  2. Expand Local Users And Groups and then click Groups.
  3. In the details pane, right-click the appropriate group, and then click Properties.

    Computer Management displays the group-name Properties dialog box.

  4. Click Add.

    Computer Management displays the Select Users dialog box, as shown in Figure 3.14.

    Figure 3.14 The Select Users dialog box

  5. In the From This Location text box, ensure that the computer on which you created the group is selected.
  6. In the Select Users dialog box, in the Enter The Object Names To Select text box, type the user account names that you want to add to the group, separated by semicolons, and then click OK.

The Member Of tab in the group-name Properties dialog box of a user account allows you to add a user account to multiple groups. Use this method to quickly add the same user account to multiple groups. To review how to use the Member Of tab, see the section in Lesson 4 entitled "The Member Of Tab."

Deleting Local Groups

Use the Computer Management snap-in to delete local groups. Each group that you create has a unique identifier that cannot be used again. Windows XP Professional uses this value to identify the group and its assigned permissions. When you delete a group, Windows XP Professional does not use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you remove only the group and its associated permissions and rights. Deleting a group does not delete the user accounts that are members of the group. To delete a group, right-click the group name in the Computer Management snap-in and then click Delete.
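The following script is an added example, not part of the original lesson. It performs the create, add-member, and delete operations described above from the command line with net localgroup, and then recreates the group to show that the new group receives a different identifier. It assumes that the local accounts User2 and User4 already exist and that no local group named Marketing exists; Get-LocalGroupSid and Invoke-Net are helper functions defined only for this example.

```powershell
# Added example; run from an elevated prompt on a computer that is not in a domain.
# Assumes local accounts User2 and User4 already exist (as in this lesson's practice)
# and that no local group named Marketing exists yet.
$group = 'Marketing'

function Get-LocalGroupSid([string]$Name) {
    # Helper for this example: translate COMPUTER\Name into its SID string.
    $account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Name")
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Invoke-Net {
    # Helper for this example: run net.exe quietly and stop if the command fails.
    & net.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net $args failed with exit code $LASTEXITCODE" }
}

# Create the group and add two members.
Invoke-Net localgroup $group /add
Invoke-Net localgroup $group User2 User4 /add
$sidBefore = Get-LocalGroupSid $group

# Delete the group, then confirm that the member accounts still exist.
Invoke-Net localgroup $group /delete
Invoke-Net user User2
Invoke-Net user User4

# Recreate a group with the same name and compare the identifiers.
Invoke-Net localgroup $group /add
$sidAfter = Get-LocalGroupSid $group

"SID before deletion : $sidBefore"
"SID after recreation: $sidAfter"
if ($sidBefore -eq $sidAfter) {
    'Unexpected: the identifier was reused.'
} else {
    'The recreated group has a new identifier; permissions granted to the old one do not apply to it.'
}

# Remove the demonstration group.
Invoke-Net localgroup $group /delete
```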

Practice: Creating and Managing Local Groups

In this practice, you create two local groups, add members to the local groups when you create them, and then add a member to one of the groups after it has been created. You delete a member from one of the groups, and then delete one of the local groups that you created.

Run the LocalGroups file in the Demos folder on the CD-ROM accompanying this book for a demonstration of creating and managing local groups.

Exercise 1: Creating Local Groups and Adding and Removing Members

In this exercise, you create two local groups, Accounting and Marketing, and add members to both groups. You add a member to the existing Marketing group, and then remove a member from the Marketing group.

To create the Accounting and Marketing local groups

  1. Log on as Fred or with a user account that is a member of the Administrators group.
  2. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

    Windows XP Professional starts Computer Management.

  3. Under System Tools, if necessary, expand Local Users And Groups, right-click Groups, and then click New Group.

    MMC displays the New Group dialog box.

  4. In the Group Name text box, type Accounting.
  5. In the Description text box, type Access to Accounts Receivable Files.
  6. Click Add.

    MMC displays the Select Users dialog box.

  7. In the Name text box, type User1; User2; User4 and then click OK.

    User1, User2, and User4 appear in the Members list in the New Group dialog box.

  8. Click Create.

    Windows XP Professional creates the group and adds it to the list of groups in the details pane. Note that the New Group dialog box is still open and might block your view of the list of groups.

  9. Repeat steps 4 through 9 to create a group named Marketing with a description of Access to Mailing Lists and User2 and User4 as group members.
  10. When you finish creating both the Accounting and the Marketing groups, click Close to close the New Group dialog box.

    The Accounting and the Marketing groups now appear in the details pane.

To add members to and remove members from the Marketing local group

  1. In the details pane of the Computer Management window, double-click Marketing.

    The Marketing Properties dialog box displays the properties of the group. Notice that User2 and User4 are in the Members list.

  2. To add a member to the group, click Add.

    Computer Management displays the Select Users dialog box.

  3. In the Name text box, type User1, and then click OK.

    The Marketing Properties dialog box now displays User1, User2, and User4 in the Members list.

  4. Select User4 and then click Remove.

    Notice that User4 is no longer in the Members list. User4 still exists as a local user account, but it is no longer a member of the Marketing group.

  5. Click OK.

Exercise 2: Deleting a Local Group

In this exercise, you delete the Marketing local group.

To delete the Marketing local group

  1. In the details pane of the Computer Management window, right-click Marketing, and then click Delete.

    Computer Management displays a Local Users And Groups dialog box asking if you are sure that you want to delete the group.

  2. Click Yes.

    Marketing is no longer listed in the details pane, indicating that the Marketing group was successfully deleted.

  3. In the console pane of the Computer Management window, click Users.

    User1 and User2 are still listed in the details pane, indicating that the group was deleted, but the members of the group were not deleted from the Users folder.

  4. Close Computer Management.

Understanding Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. These groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows XP Professional places the built-in local groups in the Groups folder in Computer Management.

Table 3.5 lists the most commonly used built-in local groups and describes their capabilities. Except where noted, these groups do not include initial members.

Table 3.5 Built-In Local Group Capabilities

Local group and description

  • Administrators

    Members can perform all administrative tasks on the computer. By default, the built-in Administrator account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Admins group to the local Administrators group.

  • Backup Operators

    Members can use Windows Backup to back up and restore the computer.

  • Guests

    Members can do the following:

      • Perform only the tasks for which they have been specifically granted rights
      • Access only those resources for which they have assigned permissions

    Members cannot make permanent changes to their desktop environment. By default, the built-in Guest account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Guests group to the local Guests group.

  • Power Users

    Members can create and modify local user accounts on the computer and share resources.

  • Replicator

    Supports file replication in a domain.

  • Users

    Members can do the following:

      • Perform only the tasks for which they have been specifically granted rights
      • Access only those resources for which they have assigned permissions

    By default, Windows XP Professional adds to the Users group all local user accounts that an administrator creates on the computer. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Users group to the local Users group.

Understanding Built-In System Groups

Built-in system groups exist on all computers running Windows XP Professional. System groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available when you assign rights and permissions to resources. Windows XP Professional bases system group membership on how the computer is accessed, not on who uses the computer. Table 3.6 lists the most commonly used built-in system groups and describes their capabilities.

Table 3.6 Built-In System Group Capabilities

Lesson Review

The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."

  1. What are groups, and why do you use them?
  2. An administrator or owner of a resource uses __________________ to control what users can do with a resource such as a folder, file, or printer.
  3. You use local groups to assign permissions to resources residing __________________.
  4. Which of the following statements about local groups are correct? (Choose all that apply.)
    1. If a computer running Windows XP Professional is part of a domain, the local groups for that computer are stored in the directory rather than in the local security database on that computer.
    2. Local groups allow you to grant permission to the group to perform system tasks, such as changing the time on a computer and backing up or restoring files.
    3. A local group is a collection of user accounts on a computer that you can use to control access to resources residing on that computer.
    4. You can use the Computer Management snap-in to create groups, to add members to existing groups, and to delete groups from a computer running Windows XP Professional.
  5. Which of the following statements about local groups are correct? (Choose all that apply.)
    1. You can use local groups only on the computer on which you create them.
    2. Local groups are available on member servers and domain computers running Windows 2000 Server.
    3. Local groups appear in Active Directory so you can administer them centrally.
    4. You must create each user profile by copying and modifying an existing user profile.
  6. Which of the following statements about deleting local groups are correct? (Choose all that apply.)
    1. Each group that you create has a unique identifier that cannot be reused.
    2. You can restore access to resources by recreating the group.
    3. When you delete a group, you also remove the permissions and rights associated with it.
    4. Deleting a group deletes the user accounts that are members of the group.
  7. What is the difference between built-in system groups and built-in local groups found on computers running Windows XP Professional? Give at least two examples of each type of group.

Lesson Summary

  • Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to individual user accounts.
  • Permissions control what users can do with a resource such as a folder, file, or printer.
  • Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.
  • Windows XP Professional creates local groups in the local security database, so you can use local groups only on the computer on which you create them. You cannot use local groups on computers that are part of a domain.
  • You can use the Computer Management snap-in to create, add members to, and delete local groups.
  • All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups that give rights to perform system tasks on a single computer.