In this lesson, you will learn what groups are and how you can use them to simplify user account administration. You will also learn about built-in groups, which have a predetermined set of user rights and group membership. Windows XP Professional has two categories of built-in groups, local and system, which it creates for you to simplify the process of assigning rights and permissions for commonly used functions.
A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions and rights to a group of users rather than to each user account individually (see Figure 3.12).
Permissions control what users can do with a resource such as a folder, file, or printer. When you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.
A local group is a collection of user accounts on a computer. Use local groups to assign permissions to resources residing on the computer on which the local group is created. Windows XP Professional creates local groups in the local security database.
Guidelines for using local groups include the following:
You can use local groups only on the computer on which you create them. Although local groups are available on member servers and domain computers running Windows 2000 Server, do not use local groups on computers that are part of a domain. Using local groups on domain computers prevents you from centralizing group administration. Local groups do not appear in the Active Directory service, and you must administer them separately for each computer.
Membership rules for local groups include the following:
Use the Computer Management snap-in (shown in Figure 3.13) to create local groups in the Groups folder.
To create a local group, complete the following steps:
MMC displays the New Group dialog box. Table 3.4 describes the available options.
Table 3.4: New Local Group Options
You can add members to a local group when you create the group by clicking Add. In addition, Windows XP Professional provides two methods for adding members to a group that has already been created: the Computer Management snap-in and the Member Of tab in the group-name Properties dialog box.
To use the Computer Management snap-in to add members to a group that has already been created, complete the following steps:
Computer Management displays the group-name Properties dialog box.
Computer Management displays the Select Users dialog box, as shown in Figure 3.14.
Use the Computer Management snap-in to delete local groups. Each group that you create has a unique identifier that cannot be used again. Windows XP Professional uses this value to identify the group and its assigned permissions. When you delete a group, Windows XP Professional does not use the identifier again, even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore access to resources by recreating the group.
When you delete a group, you remove only the group and its associated permissions and rights. Deleting a group does not delete the user accounts that are members of the group. To delete a group, right-click the group name in the Computer Management snap-in and then click Delete.
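The identifier behavior described above can be observed directly. The following PowerShell is an added example, not part of the original lesson. It assumes an elevated session on a Windows version that ships the Microsoft.PowerShell.LocalAccounts module (Windows XP itself does not), and the group name DemoAccounting and the folder GroupSidDemo are hypothetical names that the script creates and removes.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.PowerShell.LocalAccounts
# Added example: a recreated group gets a new identifier (SID), so permissions
# assigned to the deleted group do not apply to it.
# 'DemoAccounting' and 'GroupSidDemo' are hypothetical demo names.
$name = 'DemoAccounting'
$dir  = Join-Path $env:TEMP 'GroupSidDemo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Create the group and give it read access to the folder.
$oldSid = (New-LocalGroup -Name $name -Description 'first instance').SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $oldSid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $dir
$acl.AddAccessRule($rule)
Set-Acl -Path $dir -AclObject $acl

# 2. Delete the group, then create a new group with the same name.
Remove-LocalGroup -Name $name
$newSid = (New-LocalGroup -Name $name -Description 'second instance').SID

# 3. Compare the two identifiers.
"Deleted group SID   : $($oldSid.Value)"
"Recreated group SID : $($newSid.Value)"
"Identifier reused   : $($oldSid.Value -eq $newSid.Value)"

# 4. Read the folder's access rules back with identities kept as raw SIDs,
#    then count the entries that name each identifier.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces    = (Get-Acl -Path $dir).GetAccessRules($true, $true, $sidType)
$forOld  = @($aces | Where-Object { $_.IdentityReference.Value -eq $oldSid.Value })
$forNew  = @($aces | Where-Object { $_.IdentityReference.Value -eq $newSid.Value })
"Entries naming the deleted group's SID   : $($forOld.Count)"
"Entries naming the recreated group's SID : $($forNew.Count)"

# 5. Clean up the demo objects.
Remove-LocalGroup -Name $name
Remove-Item -Path $dir -Recurse -Force
```

Entries left behind for a deleted group show up in the Security tab as a bare SID string rather than a name, which is a useful thing to look for when reviewing permissions after group cleanup.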
In this practice, you create two local groups, add members to the local groups when you create them, and then add a member to one of the groups after it has been created. You delete a member from one of the groups, and then delete one of the local groups that you created.
Run the LocalGroups file in the Demos folder on the CD-ROM accompanying this book for a demonstration of creating and managing local groups.
In this exercise, you create two local groups, Accounting and Marketing, and add members to both groups. You add a member to the existing Marketing group, and then remove a member from the Marketing group.
Windows XP Professional starts Computer Management.
MMC displays the New Group dialog box.
MMC displays the Select Users dialog box.
User1, User2, and User4 appear in the Members list in the New Group dialog box.
Windows XP Professional creates the group and adds it to the list of groups in the details pane. Note that the New Group dialog box is still open and might block your view of the list of groups.
The Accounting and the Marketing groups now appear in the details pane.
The Marketing Properties dialog box displays the properties of the group. Notice that User2 and User4 are in the Members list.
Computer Management displays the Select Users dialog box.
The Marketing Properties dialog box now displays User1, User2, and User4 in the Members list.
Notice that User4 is no longer in the Members list. User4 still exists as a local user account, but it is no longer a member of the Marketing group.
In this exercise, you delete the Marketing local group.
Computer Management displays a Local Users And Groups dialog box asking if you are sure that you want to delete the group.
Marketing is no longer listed in the details pane, indicating that the Marketing group was successfully deleted.
User1 and User2 are still listed in the details pane, indicating that the group was deleted but the members of the group were not deleted from the Users folder.
All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local groups. These groups give rights to perform system tasks on a single computer, such as backing up and restoring files, changing the system time, and administering system resources. Windows XP Professional places the built-in local groups in the Groups folder in Computer Management.
Table 3.5 lists the most commonly used built-in local groups and describes their capabilities. Except where noted, these groups do not include initial members.
Table 3.5: Built-In Local Group Capabilities
Local group | Description |
---|---|
Administrators | Members can perform all administrative tasks on the computer. By default, the built-in Administrator account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Admins group to the local Administrators group. |
Backup Operators | Members can use Windows Backup to back up and restore the computer. |
Guests | Members can do the following: Members cannot make permanent changes to their desktop environment. By default, the built-in Guest account is a member. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Guests group to the local Guests group. |
Power Users | Members can create and modify local user accounts on the computer and share resources. |
Replicator | Supports file replication in a domain. |
Users | Members can do the following: By default, Windows XP Professional adds to the Users group all local user accounts that an administrator creates on the computer. When a member server or a computer running Windows XP Professional joins a domain, Windows 2000 Server adds the Domain Users group to the local Users group. |
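
Because built-in local groups carry rights, their membership is worth checking against the defaults in Table 3.5. The following PowerShell is an added example, not part of the original lesson. It assumes a Windows version with the Microsoft.PowerShell.LocalAccounts module, and it identifies groups and default members by their well-known SIDs and RIDs, which are standard Windows values rather than values from this page. The Users group is left out because its membership is expected to vary.

```powershell
#Requires -Modules Microsoft.PowerShell.LocalAccounts
# Added example: list members of built-in local groups and mark the ones that
# go beyond the defaults described in Table 3.5.
# Groups are looked up by well-known SID, so localized group names do not matter.
# Default member RIDs: 500 = built-in Administrator, 512 = Domain Admins,
#                      501 = built-in Guest,         514 = Domain Guests.
$baseline = @(
    @{ Sid = 'S-1-5-32-544'; DefaultRids = @('500', '512') }  # Administrators
    @{ Sid = 'S-1-5-32-546'; DefaultRids = @('501', '514') }  # Guests
    @{ Sid = 'S-1-5-32-547'; DefaultRids = @() }              # Power Users
    @{ Sid = 'S-1-5-32-551'; DefaultRids = @() }              # Backup Operators
    @{ Sid = 'S-1-5-32-552'; DefaultRids = @() }              # Replicator
)

$report = foreach ($entry in $baseline) {
    $group = Get-LocalGroup -SID $entry.Sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }    # group does not exist on this computer

    foreach ($member in Get-LocalGroupMember -SID $entry.Sid) {
        $sid = $member.SID.Value
        $rid = $sid.Substring($sid.LastIndexOf('-') + 1)
        # Only machine or domain account SIDs (S-1-5-21-...) can match a default RID.
        $isDefault = $sid.StartsWith('S-1-5-21-') -and
                     ($entry.DefaultRids -contains $rid)
        [pscustomobject]@{
            Group   = $group.Name
            Member  = $member.Name
            Class   = $member.ObjectClass
            Source  = $member.PrincipalSource
            Default = $isDefault
        }
    }
}

$report | Sort-Object Group, Default | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.Default })
'{0} member(s) beyond the documented defaults' -f $unexpected.Count
```

Members marked as not default are not necessarily wrong; they are the entries an administrator should be able to explain.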
Built-in system groups exist on all computers running Windows XP Professional. System groups do not have specific memberships that you can modify, but they can represent different users at different times, depending on how a user gains access to a computer or resource. You do not see system groups when you administer groups, but they are available when you assign rights and permissions to resources. Windows XP Professional bases system group membership on how the computer is accessed, not on who uses the computer. Table 3.6 lists the most commonly used built-in system groups and describes their capabilities.
Table 3.6: Built-In System Group Capabilities
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next chapter. The answers are in Appendix A, "Questions and Answers."