On a domain's primary and backup domain controllers, three global groups are built in: Domain Admins, Domain Users, and Domain Guests. None of these groups can be deleted.
The Domain Admins global group is initially a member of the Administrators local group for the domain and of the Administrators local group for every computer in the domain running Windows NT Server or Windows NT Workstation.
The built-in Administrator user account is a member of the Domain Admins global group. It also is a member of the Administrators local group and cannot be removed.
Because of these memberships, a user logged on as an administrator can administer the domain, the primary and backup domain controllers, and every computer running Windows NT Server or Windows NT Workstation in the domain. (However, to prevent Domain Admins from administering a particular workstation or a server that is not a domain controller, remove the Domain Admins global group from that computer's Administrators group.)
To provide administrative-level capabilities to a new account, add the account to the Domain Admins global group. Members of this group can administer the domain, the servers and workstations of the domain, and a trusting domain that has added the Domain Admins global group from this domain to the Administrators local group in the trusting domain.
For information about using global groups, see Strategies for Using Groups.
The Domain Users global group initially contains the domain's built-in Administrator account. By default, all new accounts created thereafter in the domain are added to the Domain Users group, unless you specifically remove them.
The Domain Users global group is, by default, a member of the Users local group for the domain and of the Users local group for every computer in the domain running Windows NT Workstation or member servers running Windows NT Server.
Because of these memberships, users of the domain have normal user access to and capabilities for the domain and the computers in the domain running Windows NT Workstation and Windows NT Server as a member server. (However, you can prevent Domain Users from being granted this access on a particular workstation or on a server that is not a domain controller by removing the Domain Users global group from that computer's Users group.)
The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you might want to add those accounts to the Domain Guests group and remove them from the Domain Users group.
The Domain Guests global group is a member of the domain's Guests local group.
| Global group | Initial contents | Who can modify¹ |
|---|---|---|
| Domain Admins | Administrator | |
| Domain Users | Administrator | Administrators, Account Operators |
| Domain Guests | Guest | |

¹ None of these groups can be deleted.
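The nesting described above can be audited by expanding each computer's Administrators local group into the user accounts it effectively contains. The following is an added example, not part of the original documentation; the domain names CORP and RES, the computers WS1 and SRV1, the account alice, and all function names are constructed for illustration.

```python
# Constructed model of the default group nesting described above; all names are made up.
def build_domain(domain, computers):
    """Return (global_groups, local_groups) populated with the documented defaults."""
    admin, guest = f"{domain}\\Administrator", f"{domain}\\Guest"
    global_groups = {
        f"{domain}\\Domain Admins": {admin},
        f"{domain}\\Domain Users": {admin},
        f"{domain}\\Domain Guests": {guest},
    }
    # Keyed by (scope, name); scope `domain` is the set of local groups shared by the PDC and BDCs.
    local_groups = {
        (domain, "Administrators"): {admin, f"{domain}\\Domain Admins"},
        (domain, "Users"): {f"{domain}\\Domain Users"},
        (domain, "Guests"): {f"{domain}\\Domain Guests"},
    }
    for host in computers:  # workstations and member servers
        local_groups[(host, "Administrators")] = {f"{domain}\\Domain Admins"}
        local_groups[(host, "Users")] = {f"{domain}\\Domain Users"}
    return global_groups, local_groups

def new_account(global_groups, domain, name):
    """New accounts join Domain Users by default."""
    account = f"{domain}\\{name}"
    global_groups[f"{domain}\\Domain Users"].add(account)
    return account

def effective_members(global_groups, local_groups, scope, group):
    """Expand a local group: global groups inside it are replaced by their user accounts."""
    accounts = set()
    for member in local_groups.get((scope, group), set()):
        accounts |= global_groups.get(member, {member})
    return accounts

def admin_scopes(global_groups, local_groups, account):
    """List every scope where `account` ends up in the Administrators local group."""
    return sorted(scope for (scope, group) in local_groups if group == "Administrators"
                  and account in effective_members(global_groups, local_groups, scope, group))

def demo():
    gg, lg = build_domain("CORP", ["WS1", "SRV1"])
    alice = new_account(gg, "CORP", "alice")
    before = admin_scopes(gg, lg, alice)              # ordinary domain user
    gg["CORP\\Domain Admins"].add(alice)              # give administrative-level capabilities
    everywhere = admin_scopes(gg, lg, alice)
    lg[("WS1", "Administrators")].discard("CORP\\Domain Admins")  # exempt one workstation
    lg[("RES", "Administrators")] = {"RES\\Administrator", "CORP\\Domain Admins"}  # trusting domain
    return before, everywhere, admin_scopes(gg, lg, alice)
```

Calling `demo()` returns the account's administrative reach at three points: as a new domain user, after being added to Domain Admins, and after one workstation removes Domain Admins while a trusting domain adds it.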