Windows Server Reference Guide

Groups of Groups and Their Associated Groups

Last updated Sep 29, 2006.

In Windows Server 2003, groups enable you to refer to a collection of users, computers, or resources in order to apply a set of restrictions, policies, and permissions to all of its members equally. Essentially, groups are one-to-many pointers that can be used to refer to a collection of objects as a single entity. Group Policy Management Console is the tool you use to accomplish this; it's another Microsoft Management Console snap-in that's now a regular feature of WS2K3 R2.

Moving Away from Local Groups

When the concept of local groups was created for Windows NT, the Security Accounts Manager was utilized to define the resources belonging to a group, and then distribute the definition of that group through to every machine's local SAM database. From a security standpoint, you should probably already see the flaw in that design.

Granting global group membership to a local group transfers much of the access to resources in a global scope, to the Security Access Manager database on the local computer. If that local computer is less secured than the rest of the network, then the local group becomes the weakest link in the chain.

WS2K3 officially has to maintain the concept of local groups (sometimes called "machine local groups" in recent Microsoft documentation) in order that NT domains can be recognized by the new operating system during a migration. But this is why Microsoft created domain functional levels. A migration from the very old scheme to the new scheme is like traversing the Panama Canal. Every so often, your ship encounters a lock, where its water level has to be raised so you can proceed over higher ground.

Some writers believe that just because something exists in software, you must automatically conclude it's good and explain how to use it. No example more clearly disproves that notion than for local groups, the continued use of which pretty much invalidates any kind of higher-level security you apply at the domain level.

Of course, you may actually have to learn how to create local groups in order to pass certain third-party certification tests, in order to qualify for an admin job. Laugh at the sheer ridiculousness of the idea of learning something to please a textbook writer rather than an employer, then go pass your test, and promptly forget the nonsense about creating local groups. In a modern network of any size whatsoever, you will no longer be creating them intentionally.

Security Groups and Their Counterparts

In the AD Users and Computers console, you'll see frequent use of the term security group. This is actually a smart and sensible distinction, because "group" is used to mean so many other things. A security group is a collection of resources to which a single set of policies, permissions, and restrictions may be applied. These can be groups of users who may require policy settings regarding what they can access and why, or groups of resources that may require policy settings regarding how they may be accessed and when.

When you're using Microsoft Exchange, you'll see the term distribution group, and that's a completely different thing. Thankfully, Microsoft has been careful of late not to confuse the two groups—or, more accurately, to use them in parallel in such a way that you don't know what kind of group a dialog box or menu may be referring to. In the AD Users and Computers console, there's a setting during creation of a group, where you designate whether it's a security or distribution group. There's no particular reason to be creating a distribution group in AD anyway; it's typically more convenient to do so in Exchange.

Universal Groups

Universal groups are available only on domains whose forest functional level has been raised to Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003. Their purpose is to enable you to assign permissions to objects from anywhere within a forest. This is the only type of group where this is possible. You do need to remain careful (like you wouldn't be careful) because membership in a Universal Group is replicated throughout the forest in the global catalog (GC)—not unlike how membership in a local group used to be replicated throughout every machine's SAM database.

Default Universal Group Members

Group	Permissions/Access Level
Enterprise Admins	Generally sweeping administrative privileges on all systems throughout the entire forest
Schema Admins	Those admins with the explicit privilege of being able to adjust the Active Directory schema. An "overlord" administrator can be a member of both groups

Global Groups

Since there is no "globe" or "universe" metaphor elsewhere within Windows, you just need to think of global as Microsoft's way of saying "big," and universal as "really big." There are several important distinctions, though, between global and universal groups. First of all, even though global groups can be replicated throughout an entire forest, so that other forests can see what their members are capable of doing or permitted to do, the members of a global group are limited to their root domain. This is to help limit the authority of admins—specifically, so that only admins with the authority to designate permissions throughout the entire forest, can assign universal group membership. A domain administrator can designate access to resources in the forest to his domain's own objects, but not to someone else's domain's objects.

Default Global Group Members

Group	Permissions/Access Level
DnsUpdateProxy	Members of this group are generally services in themselves, permitted to perform dynamic changes to the DNS table on behalf of other administrative applications
Domain Admins	Sweeping administrative privileges on all systems throughout the domain
Domain Computers	All domain computers, including both workstations and servers
Domain Controllers	All domain controllers
Domain Guests	Membership in the Guests domain local group
Domain Users	Membership in the Users domain local group
Enterprise Admins	Membership in the Domain Admins group for each domain, granting forest-level privileges and rights
Group Policy Creators & Owners	Members allowed to assign and modify group policy

Domain Local Groups

Domain local groups can be created and used only on domain controller computers. They’re analogous to local groups on workstations: They’re known only to computers holding the account database (domain controllers), and can therefore be applied only to resources on those computers. A domain local group can contain practically all other security objects: domain user accounts, domain local groups (from the same domain), domain global groups, and universal groups, as shown in the following table.

Default Domain Local Group Members

Group	Permissions/Access Level
Backup Operators	Backing up and restoring files on the local system regardless of permissions; also logging on and shutting down on the system, when backup services are installed
Cert Publishers	Members with the authority to publish authentication certificates to Active Directory. These may not necessarily be people, but accounts that represent security functions
DHCP Administrators	When Dynamic Host Configuration Protocol service is installed, members of this group may make changes to DHCP settings
DHCP Users	When DHCP is installed, a member of this group may see what the settings are, especially to configure services within the network. A member of neither group will not be able to see IP allocation within the local loop
IIS_WPG	Short for Internet Information Services Worker Progress Group. It sounds like a labor union. Actually, this is a group designed to represent those accounts that IIS can use to trigger out-of-process applications, such as IWAM_<name>
Print Operators	Administration of the local printers, when print services are installed
RAS and IAS Servers	Members permitted to access remote access properties of users
Replicator	Allows Active Directory replication functions; only persons supporting Replicator services should have membership
WINS Users	The set of members who have view-only access to the Windows Internet Name Service server. This is for applications that may still be using Windows NT's method for name resolution, rather than DNS

Books and E-books

• Boswell, William. Inside Windows Server 2003. Addison-Wesley, 2003. Read Chapter 12, "Managing Group Policies," on Safari.
• Williams, Robert; Walla, Mark. The Ultimate Windows Server 2003 System Administrator’s Guide. Addison-Wesley, 2003. Read Chapter 7, "User Accounts and Groups," on Safari.

References

• "Creating user and group accounts." Article from microsoft.com.