Administrators typically group users according to the types and degrees of network access their jobs require. For example, most accountants working at a certain level probably will need access to the same servers, directories, and files. By using group accounts, administrators can grant rights and permissions to multiple users at one time. Other users can be added to an existing group account at any time, immediately gaining the rights and permissions granted to the group account.
There are two types of group accounts:
A global group consists of several user accounts from one domain that are grouped together under one group account name. A global group can contain user accounts from only one domain: the domain in which the global group was created. "Global" indicates that the group can be granted rights and permissions to use resources in multiple (global) domains. A global group can contain only user accounts and can be created only on a domain, not on a workstation or member server.
A local group consists of user accounts and global groups from one or more domains, grouped together under one account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. "Local" indicates that the group can be granted rights and permissions to use resources in only one (local) domain. A local group can contain users and global groups but no other local groups.
When working with groups, keep the following points in mind:
Global groups are the most efficient way to add users to local groups.
Global groups can be added to local groups in the same domain, in trusting domains, or on computers running Windows NT Workstation or Windows NT Server as a member server in the same domain or in a trusting domain.
Although a global group can be granted permissions and rights in its own domain, it is best to grant rights and permissions to local groups and to use global groups to add user accounts from account domains (trusted) to resource domains (trusting).
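The membership rules above can be checked mechanically. The following Python model is an added example, not part of the original documentation or of Windows NT itself. It enforces the global-group and local-group nesting rules and expands a local group to the users who inherit its rights. The domain names ACCOUNTS and RESOURCES, the account and group names, and the Principal and Directory classes are assumptions made for illustration, and local groups on workstations and member servers are modeled the same way as domain local groups.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    domain: str
    name: str
    kind: str  # "user", "global" or "local"

@dataclass
class Directory:
    trusts: dict = field(default_factory=dict)   # trusting domain -> set of trusted domains
    members: dict = field(default_factory=dict)  # group -> list of direct members

    def add_member(self, group, member):
        """Add member to group, enforcing the nesting rules described above."""
        if group.kind == "global":
            if member.kind != "user":
                raise ValueError("a global group can contain only user accounts")
            if member.domain != group.domain:
                raise ValueError("global group members must come from its own domain")
        elif group.kind == "local":
            if member.kind == "local":
                raise ValueError("a local group cannot contain other local groups")
            trusted = self.trusts.get(group.domain, set())
            if member.domain != group.domain and member.domain not in trusted:
                raise ValueError(f"{group.domain} does not trust {member.domain}")
        else:
            raise ValueError("only groups have members")
        self.members.setdefault(group, []).append(member)

    def effective_users(self, local_group):
        """Expand a local group to every user account that inherits its rights."""
        users = set()
        for m in self.members.get(local_group, []):
            users.update([m] if m.kind == "user" else self.members.get(m, []))
        return users

def build_example():
    """Constructed sample: RESOURCES (trusting) trusts ACCOUNTS (trusted)."""
    d = Directory(trusts={"RESOURCES": {"ACCOUNTS"}})
    alice = Principal("ACCOUNTS", "alice", "user")
    bob = Principal("ACCOUNTS", "bob", "user")
    accountants = Principal("ACCOUNTS", "Accountants", "global")
    ledger = Principal("RESOURCES", "Ledger Readers", "local")
    d.add_member(accountants, alice)
    d.add_member(accountants, bob)
    d.add_member(ledger, accountants)  # global group from the account domain
    return d, ledger, {alice, bob}
```

Because trust is one-way in this model, adding a RESOURCES account to a local group in ACCOUNTS is rejected unless ACCOUNTS is also recorded as trusting RESOURCES.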
Advanced Server domain controllers contain built-in local groups that determine what users can do on the domain when logged on to domain controllers. Computers running Windows NT Workstation and member servers running Windows NT Server have built-in local groups that determine what users can do on the local computer.
The built-in local groups on domain controllers give administrators a significant head start in managing domain security. Each built-in local group has a predetermined set of rights, which automatically apply to each user account that is added to the group. The rights assigned to the built-in groups on a domain controller provide sets of abilities for domain users, as characterized by the group names: Administrators, Account Operators, Server Operators, Backup Operators, Print Operators, Users, Guests, and Replicator.
The built-in local groups for workstations and member servers are Administrators, Backup Operators, Power Users, Users, Guests, and Replicator.
For information about the abilities of built-in global and local groups, see Chapter 3, "Working With User and Group Accounts."