- DOCUMENT:Q101471 19-JUL-1993 [W_NT]
- TITLE :INF: Local and Global Groups in Windows NT and Advanced Server
- PRODUCT :Windows NT
- PROD/VER:3.10
- OPER/SYS:WINDOWS
- KEYWORDS:
-
- ---------------------------------------------------------------
- The following information applies to:
-
- - Microsoft Windows NT operating system, version 3.1
- - Microsoft Windows NT Advanced Server, version 3.1
- ---------------------------------------------------------------
-
- SUMMARY
- =======
-
- The Windows NT networking environment defines groups to organize users
- who have similar jobs or resource requirements into a unit, to ease
- the process of granting appropriate rights and resource permissions.
- When groups are defined, an administrator need only take the single
- action of giving a right or permission to a group to give that right
- or permission to all the present and future members of that group.
- Without this capability, it would be necessary for the administrator
- to manually grant rights and resource permissions to each individual
- user account.
-
- To create or manage user and group accounts, use the User Manager. Use
- File Manager to assign permissions for files and directories to users
- or groups and use Print Manager to assign access to printers to users
- or groups. Windows NT defines two types of groups: local and global
- groups.
-
- MORE INFORMATION
- ================
-
- Windows NT workstations and Advanced Servers support local groups. The
- table below presents the default local groups, which represent the
- different default privilege levels:
-
-   Windows NT                   Windows NT
-   Advanced Server Domains      Workstations
-   ---------------------------------------------------
-
-   Administrators               Administrators
-   Backup Operators             Backup Operators
-   Server Operators             Power Users
-   Account Operators            Users
-   Print Operators              Guests
-   Users                        Replicator
-   Guests
-   Replicator
-
- A second type of default group contains no members because the group
- privileges apply to any account that uses the computer in a specified
- manner. These groups do not refer to the privilege level of the user
- but reflect resource access. The four groups are as follows:
-
- - Interactive Users. Any user who only logs on to the computer
- interactively.
-
- - Network Users. Any user who connects to the computer through the
- network.
-
- - Everyone. Any user who accesses the computer. This group includes
- both interactive and network users.
-
- - Creator/Owner. Any user who creates or takes ownership of a
- resource.
-
- Local Groups
- ------------
-
- User Manager represents local groups with a graphic of two faces
- imposed over a computer. A local group is local to the security system
- in which it is created. A local group created on a Windows NT
- workgroup workstation is available only on the workstation on which it
- is created. A local group created on an Advanced Server is available
- only on the Advanced Servers in the domain.
-
- A local group on a Windows NT workstation can contain user accounts
- created on the workstation, users and global groups from the
- workstation's domain, and users and groups from domains trusted by the
- workstation's domain.
-
- Global Groups
- -------------
-
- User Manager represents global groups with a graphic of two faces
- imposed over a globe. Global groups contain user accounts from one
- domain grouped together as one group name. A global group cannot
- contain another global group or a local group. The default global
- groups on an Advanced Server are the Domain Admins and the Domain
- Users groups. A Windows NT workstation does not define any default
- global groups. However, because a global group can be a member of a
- local group, a local group defined on a Windows NT workstation can
- contain a global group from the domain. A local group can also contain
- a global group from another domain by passing through trust
- relationships. Local groups cannot traverse trust relationships.
-
- The primary purpose of a global group is to support use on machines
- other than the Advanced Servers in a domain. In a single domain model,
- this applies to Windows NT domain workstations and LAN Manager servers
- that participate in the domain.
-
- NOTE: A local group and a global group that share the same name are
- two separate entities, each of which has its own distinct security
- identifier and characteristics as defined above. Permissions
- assigned to one group do not apply to the other group that shares
- the same name.
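-
- The membership rules above and the same-name NOTE, modeled as an added
- example (not Microsoft code). The domains SALES and HQ, the workstation
- WKS1 and all account names are constructed, and rejecting a local group
- nested inside another local group is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    kind: str    # "user", "global" or "local"
    scope: str   # domain or workstation whose security system holds the account
    name: str

@dataclass
class Directory:
    home_domain: dict = field(default_factory=dict)  # workstation -> its domain
    trusts: dict = field(default_factory=dict)       # domain -> domains it trusts
    members: dict = field(default_factory=dict)      # group -> direct members

    def visible_scopes(self, scope):
        """Security systems whose accounts a local group in `scope` may hold."""
        domain = self.home_domain.get(scope, scope)
        return {scope, domain} | self.trusts.get(domain, set())

    def add_member(self, group, member):
        if group.kind == "global":
            # Global groups hold only user accounts from their own domain.
            ok = member.kind == "user" and member.scope == group.scope
        else:
            # Local groups hold users and global groups from scopes they can see.
            # Local-in-local nesting is rejected as an assumption of this model.
            ok = (group.kind == "local" and member.kind in ("user", "global")
                  and member.scope in self.visible_scopes(group.scope))
        if not ok:
            raise ValueError(f"{member} cannot be a member of {group}")
        self.members.setdefault(group, set()).add(member)

    def effective_users(self, group):
        """Expand global groups nested in a local group down to user accounts."""
        users = set()
        for m in self.members.get(group, set()):
            users |= {m} if m.kind == "user" else self.effective_users(m)
        return users

def sample():
    """Constructed data: WKS1 belongs to SALES, and SALES trusts HQ."""
    d = Directory(home_domain={"WKS1": "SALES"}, trusts={"SALES": {"HQ"}})
    p = {n: Principal(k, s, n) for k, s, n in [
        ("user", "SALES", "alice"), ("user", "HQ", "bob"), ("user", "WKS1", "carol")]}
    p["g_staff"], p["g_hq"] = Principal("global", "SALES", "Staff"), Principal("global", "HQ", "Auditors")
    p["l_staff"] = Principal("local", "WKS1", "Staff")  # same name as the global group
    for g, m in [("g_staff", "alice"), ("g_hq", "bob"), ("l_staff", "g_staff"),
                 ("l_staff", "g_hq"), ("l_staff", "carol")]:
        d.add_member(p[g], p[m])
    return d, p
```

- Keying groups by kind, scope and name keeps the local "Staff" and the
- global "Staff" apart, so a permission recorded for one is never looked up for the other.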
-
- Additional reference words: 3.10 ntas
-
- =============================================================================
-
- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
- PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
- ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
- EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
- ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
- CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
- MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
- OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
- SO THE FOREGOING LIMITATION MAY NOT APPLY.
-
- Copyright Microsoft Corporation 1993.