Default Groups
Windows Server 2003 has four categories of groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups. All of the default groups are security groups and have been assigned common sets of rights and permissions that you might want to assign to the users and groups that you place into the default groups.
Groups in the Builtin Folder
Windows Server 2003 creates default security groups with a domain local scope in the Builtin folder in the Active Directory Users And Computers console. The groups in the Builtin folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-2 describes the default groups in the Builtin folder.
This group exists only on domain controllers. By default, the group has no members. By default, members can create, modify, and delete accounts for users, groups, and computers in all containers and OUs of Active Directory except the Builtin folder and the Domain Controllers OU. Members do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
Members have complete and unrestricted access to the computer or domain controller, including the right to change their own permissions. If the Administrator account resides on the first domain controller configured for the domain, the MCITP Administrator account is automatically added to the Domain Admins group and complete access to the domain is granted.
By default, this group has no members. Members can back up and restore all files on a computer, regardless of the permissions that pro?tect those files. Members can also log on to the computer and shut it down.
Members have the same privileges as members of the Users group. Members can create incoming, one-way trusts to this forest
Members have the same default rights as members of the Users group. Members can perform all tasks related to the client side of network configuration except for installing and removing drivers and services. Members cannot configure network server services such as the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) server services.
Members have remote access to schedule logging of performance counters on this computer.
Members have remote access to monitor this computer.
Members have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Microsoft Windows NT 4 and earlier.
This group exists only on domain controllers. Members can manageCCNA certification printers and document queues.
Members can log on to a computer from a remote location.
Processing your request, Please wait....
