Active Directory built-in Remote Desktop Users group

BuiltIn Group Accounts

Last Updated on Sun, 13 Feb 2022 | Active Directory

As we saw when we discussed user objects, a number of built-in accounts are automatically created when you install Active Directory. This not only applies to user accounts, but group accounts as well. Many of these groups have preconfigured rights, which allow members to perform specific tasks. When users are added to these groups, they are given these rights in addition to any assigned permissions to access resources.

The groups that are created when Active Directory is installed can be accessed through Active Directory Users and Computers, and are located in two containers: Builtin and Users. Although they are stored in these containers, they can be moved to other OUs within the domain. Those in the Builtin container have a domain local scope, while those in the Users container have either a domain local, global, or universal scope. In the paragraphs that follow, we will look at the individual groups located in each of these containers, and see what rights they have to perform network-related tasks.

Default Groups in Builtin Container

Up to 14 different built-in groups might be located by default in the Builtin container, including:

■ Account Operators, which allows members to manage accounts

■ Administrators, which gives members full control

■ Backup Operators, which allows members to back up and restore files

■ Guests, which gives members minimal access

■ Incoming Forest Trust Builders, which is only available in forest root domains, and gives members permission to Create Inbound Forest Trusts

■ Network Configuration Operators, which allows members to manage network settings

■ Performance Monitor Users, which allows users to manage performance counters and use System Monitor

■ Performance Log Users, which allows users to manage performance counters and use Performance Logs and Alerts

■ Pre-Windows 2000 Compatible Access, which is used for backward compatibility

■ Print Operators, which allows members to manage printers

■ Remote Desktop Users, which allows members to connect to servers using Remote Desktop

■ Replicator, which is used for replication purposes

■ Server Operators, which allows members to manage servers

■ Users, which contains every user account created in the domain

The Account Operators group is used to allow members to perform group management. Users who are part of its membership have the ability to create, modify, and delete many of the accounts that are stored in Active Directory. They can manage accounts in any OU except the Domain Controllers OU, or those located in the Users or Computers containers. To prevent members of this group from affecting administrator accounts, members of the Account Operators group cannot modify the Administrators and Domain Admins groups, or any accounts that are members of these groups.

Members of the Account Operators group also have certain abilities when dealing with DCs in the domain in which this group is located. They can log on locally to a DC, which means that they can physically sit at a DC and log on to it. In doing so, they could then make modifications to the DC. They also have the ability to shut down the DC, which is useful if there is a problem with the DC and no one else is available to restart the system.

The Administrators group is the most powerful of the groups in the Builtin container, and has full control over the domain. Members of this group can access DCs over the network, back up files and directories, change system time, adjust memory quotas, create page files, load and unload device drivers, delegate responsibility to users and computers, shut down the system, and perform other tasks relating to accounts and DCs. By default, the Domain Admins and Enterprise Admins groups and the Administrator account are members of the Administrators group.

The Backup Operators group is used to give members the ability to back up and restore files on DCs. It doesn't matter what the member's permissions on different files are, as they can back up and restore any file on the system. In addition, they have the ability to log on locally to DCs and shut down the system. Due to the level of abilities attributed to members of this group, by default there are no members when it is first created.

The Guests group is the least powerful group in the Builtin container, and has a membership that consists of accounts and groups for people who require minimal access, or haven't logged on using their own accounts. The Guest account and Domain Guests group are members of this group. As you'll recall, the Guest account is disabled by default, meaning that when this group is initially created it has no active users.

Because of its purpose, the Incoming Forest Trust Builders group is only available in forest root domains. Members of this group have the permission to Create Inbound Forest Trust. This permission gives them the ability to create one-way, incoming forest trusts, which can only be made between the root domains of two forests. A one-way trust means that users from one forest can access resources in another forest, but not vice versa. Because of the ability to create trusts between two domains, there are no default members in this group when it is initially created.

As its name states, the Network Configuration Operators group is used to manage changes to the network settings. The members in this group have the ability to renew and release IP addresses on servers in the domain, and modify TCP/IP settings. Because this can possibly make the server inaccessible if done incorrectly, this group has no default members, and new members should be added with caution.

The Performance Monitor Users and Performance Log Users groups are used for managing performance counters on servers within the domain. Performance counters are used to monitor and measure elements of the DC, such as memory, hard disk, processor, network activity, and so on. These counters are used by two related utilities in Windows 2000 and Windows Server 2003: System Monitor, and Performance Logs and Alerts. Both of these utilities can be accessed through the Performance console that is available under Administrative Tools in the Windows Start menu.

Members of the Performance Monitor Users group can use System Monitor to monitor performance counters. They can view counters locally or remotely, viewing them in a graphical or textual format. By doing so, they can determine if performance issues exist on servers within a domain.

Members of the Performance Log Users group also have the ability to manage performance counters, but can use the Performance Logs and Alerts utility to create and view logs, and configure alerts that will notify specific users (such as administrators) if a problem exists. For example, if the amount of free hard disk space drops below a certain level, a message can be sent to a network administrator advising of the potential problem. Members of this group can also configure certain programs to run if the values of performance counters exceed or fall below a specific setting.

The Pre-Windows 2000 Compatible Access group is used for backward compatibility for older versions of Windows. Members of this group have Read access for viewing all users and groups within the domain. Depending on the security settings chosen during the installation of Active Directory, the Everyone group might be a member of this group; however, additional members can be added that are running Windows NT 4.0 or earlier if needed.

The Print Operators group allows members to perform tasks that are necessary in the administration of printers. Users who are members of this group can manage printer objects in Active Directory, and create, share, manage, and delete printers that are connected to DCs within the domain. Because adding new printers to a server might require performing certain actions like rebooting the computer, this group also has the ability to load and unload device drivers, and shut down the system. As with other groups discussed in this section, the Print Operators group has no members added to it when initially created.

The Remote Desktop Users group allows members to connect remotely to servers in the domain. Being able to remotely log on to the DC allows them to perform actions as if they were physically sitting at the server and working on it. Because of the power this group gives members, it has no default members.

The Replicator group is one that should never have users added to it. This group is used by the File Replication Service (FRS) and provides support for replicating data; therefore, it isn't meant to have users as members.

The Server Operators group provides a great deal of power to its membership, which is why there are no default members when it is initially created. Members of this group can perform a number of administrative tasks on servers within the domain, including creating and deleting shared resources, backing up and restoring files, starting and stopping services, shutting down the system, and even formatting hard drives. Because members have the potential to cause significant damage to a DC, users should be added with caution to this group.

The Users group includes every user account that's created in the domain as part of its membership. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. By being part of this group, members are able to run applications, access local and network printers, and perform other common tasks that are necessary for normal job functions.

Default Groups in Users Container

In addition to the groups we've discussed, up to 13 built-in groups can be located by default in the Users container, including:

■ Cert Publishers, which gives members the ability to publish certificates

■ DnsAdmins, which provides administrative access to the DNS Server service

■ DnsUpdateProxy, which provides members with the ability to perform dynamic updates for other clients

■ Domain Admins, which gives members full control of the domain

■ Domain Computers, which includes computers that are part of the domain

■ Domain Controllers, which includes DCs

■ Domain Guests, which includes guests of the domain

■ Domain Users, which includes users of the domain

■ Enterprise Admins, which gives full control over every domain in the forest

■ Group Policy Creator Owners, which allows members to manage group policies in the domain

■ IIS_WPG, which is used by Internet Information Services (IIS)

■ RAS and IAS Servers, which allows members to manage remote access

■ Schema Admins, which allows members to modify the schema

■ Telnet Clients, which is used for clients to connect using Telnet

The Cert Publishers group is used for digital certificates, which we discussed in Chapter 1. Although this group has no default members, when members are added to it they have the ability to publish certificates for users and computers. This allows data to be encrypted and decrypted when sent across the network.

The DnsAdmins and DnsUpdateProxy groups are installed when DNS is installed. Both of these groups have no default members, but when members are added they have abilities relating to the DNS Server service. The DnsAdmins group allows members to have administrative access to the DNS Server service. The DnsUpdateProxy group allows members to perform dynamic DNS updates on behalf of other clients, and circumvent the DACLs that typically accompany Secure Dynamic Updates.

The Domain Admins group has full control in a domain. This group becomes a member of the Administrators group on each DC, workstation, and member server when they join a domain. Because of this membership, group members have all of the rights associated with the Administrators group, including the ability to back up and restore files, change the system time, create page files, enable accounts for delegation, shut down a computer remotely, load and unload device drivers, and perform other tasks relating to administration of Active Directory and servers.

The Domain Computers and Domain Controllers groups have memberships consisting of computers in the domain. The Domain Computers group contains all workstations and servers that have joined a domain, except for DCs. When a computer account is created, the computer object automatically becomes a part of this group. Similarly, the Domain Controllers group contains all DCs that are part of the domain. Using these groups, you can set permissions and rights that apply to the computer accounts that exist within a domain.

The next two groups we'll discuss are for users who have their own accounts, or log on using a guest account. The Domain Guests group has a membership consisting of any domain guests, while the Domain Users group consists of all domain users, by default. Any user account that is created in a domain automatically becomes a member of the Domain Users group.

Enterprise Admins is a group that appears in the forest root domain, and allows members to have full control over every domain in the forest. Members of this group are automatically added to the Administrators group on every DC in every domain of the forest. As discussed earlier in this chapter, the Administrator account is a member of this group. Because of the power it gives a user, additional members should be added with caution.

The Group Policy Creator Owners group is used to manage group policy within a domain. Group policies allow you to control a user's environment. Using policies, you can control such things as the appearance and behavior of a user's desktop, and limit the user's control over his or her computer. Members of the Group Policy Creator Owners group can modify these policies. Due to the power these members have over users within a domain, the Administrator account is the only default member of this group.

The IIS_WPG group is installed when IIS is installed. IIS version 6.0 uses worker processes to serve individual DNS namespaces, and allows them to run under other identities. For example, a worker process might serve the namespace www.syngress.com, but could also run under another identity in the IIS_WPG group called Syngress. Because these identities need configuration to apply them to a particular namespace, there are no default members in this group.

The RAS and IAS Servers group is used for the Remote Access Service (RAS) and Internet Authentication Service (IAS), which provide remote access to a network. The members of this group have the ability to access the remote access properties of users in a domain. This allows them to assist in the management of accounts that need this access.

The Schema Admins group is another group that only appears in the forest root domain. This group allows members to modify the schema. The schema is used to define the user classes and attributes that form the backbone of the Active Directory database. As mentioned previously, the Administrator account is a default member of this group. Additional users should be added with caution, due to the widespread effect this group can have on a forest.
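The two lists above name the groups that ship empty or that the text says to populate with caution, and the accounts that are members by default. As an added example, not taken from the book, the following PowerShell audit compares the live membership of those groups against the defaults the text gives, so an administrator can spot anything added since. It assumes the RSAT ActiveDirectory module and read access to the domain; the group names and documented defaults are the ones listed above.

```powershell
# Added audit script (not from the book): compare built-in group membership
# against the defaults described in the text. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Groups the text describes as empty by default, or as ones to populate with caution.
# Enterprise Admins, Schema Admins and Incoming Forest Trust Builders exist only
# in the forest root domain; they are simply skipped in a child domain.
$WatchedGroups = @(
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Network Configuration Operators', 'Incoming Forest Trust Builders',
    'Remote Desktop Users', 'Replicator',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'DnsAdmins', 'Cert Publishers'
)

# Default members the text names; any other member is reported for review.
# Groups absent from this table are documented as having no members at all.
$DocumentedDefaults = @{
    'Domain Admins'               = @('Administrator')
    'Enterprise Admins'           = @('Administrator')
    'Schema Admins'               = @('Administrator')
    'Group Policy Creator Owners' = @('Administrator')
}

function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = $WatchedGroups)

    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # not present in this domain

        # -Recursive flattens nested groups, so an account two levels deep still shows up.
        # Foreign security principals from other domains can make this cmdlet error;
        # those errors are suppressed rather than aborting the whole report.
        $members  = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        $expected = @($DocumentedDefaults[$name])
        $extra    = @($members | Where-Object { $_.SamAccountName -notin $expected })

        if ($name -eq 'Replicator' -and $members.Count -gt 0) {
            $note = 'Review: the text says no users should be members of Replicator'
        } elseif ($extra.Count -gt 0) {
            $note = 'Review: members beyond the documented defaults'
        } else {
            $note = 'OK'
        }

        [pscustomobject]@{
            Group       = $name
            # Second DN component: CN=Builtin, CN=Users, or an OU if the group was moved.
            Container   = ($group.DistinguishedName -split ',')[1]
            Scope       = $group.GroupScope          # DomainLocal, Global or Universal
            MemberCount = $members.Count
            Extra       = ($extra.SamAccountName -join ', ')
            Note        = $note
        }
    }
}

Get-PrivilegedGroupReport | Sort-Object MemberCount -Descending | Format-Table -AutoSize -Wrap
```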


Allow Remote desktop for a domain user


    Hi,

    I want to allow Remote Desktop access for multiple users in a Windows Server 2012 domain.

    All users are members of the Domain Users and Remote Desktop Users groups in Active Directory.

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Service of every machine in the domain, the access will be granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    Regards,

    Tarek

    Thursday, October 20, 2016 6:07 PM

All replies


    Hi Tarek,

    Remote Desktop has been enabled on all the other servers in the same domain, and "Allow log on through Remote Desktop Services" is enabled for the Administrator and Remote Desktop Users groups.

    However, users are still not able to connect and they are getting the following error:

    "The connection was denied because the user account is not authorized for remote login"

    If I add them to the local Remote Desktop Service of every machine in the domain, the access will be granted.

    What should I configure to allow RDP for all users without adding them to the local Remote Desktop Users groups?

    >>>The error may occur when a user is part of the Remote Desktop Users group but that group is not present in the GPO for “Allow Logon through Terminal Services”.

    I suggest you configure the GPO with Administrator and those specific users for the setting “Allow log on through Remote Desktop Services”.

    To allow domain users to log on remotely to a domain member, we need to delegate to domain users the remote logon and logon rights.

    In other words, we need to add the user to the Remote Desktop Users group and delegate “Allow log on through Remote Desktop Services”.

    For more information, please refer to the article below.

    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group

    //blogs.technet.microsoft.com/askperf/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group/

    Best Regards,

    Jay


    Friday, October 21, 2016 1:26 AM


    Hi TarekF,

    To my understanding, adding a user or group to the built-in Remote Desktop Users group in Active Directory will give them access to all servers in the domain without adding this group again to the local Remote Desktop Users group of every server.

    >>>I have tested this. If I add a user to the group, I cannot see the user in the local Remote Desktop Users group.

    As I mentioned, the users are members of the Remote Desktop Users built-in domain group, and this group is already added to the “Allow log on through Remote Desktop Services” GPO of the remote server (this setting is there by default).

    >>>As mentioned above, to allow those users to log on to the computers remotely, if the computer is a domain member, you just need to add the user to the local Remote Desktop Users group like below.

    If the computer is a domain controller, you need to add the user to the local Remote Desktop Users group and give the user “Allow log on through Remote Desktop Services” in GPO.

    Best Regards,

    Jay


    Tuesday, November 1, 2016 2:50 AM


    No, I tried, can't add.

    Wednesday, March 28, 2018 5:09 PM


    It works for me.

    Friday, July 24, 2020 5:57 PM

    Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services

    I haven't tried this myself as we don't have a need to yet, but the description seems to be related to what you are trying to accomplish.


    Dean Meacham Jul 8, 2010 at 08:59 UTC

    You can also use:

    Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

    1. Within this setting, right-click in the empty white area and select "All Tasks" > "Add".
    2. Select "Update" in the "Action:" drop-down
    3. Select "Remote Desktop Users (built-in)" from the "Group name:" field
    4. Under the "Members:" section click the "Add..." button.
    5. Add Domain Users to the "Name:" field and select "Add to this group" from the "Action:" field

    That should add Domain Users to the Remote Desktop Users group for any computer you apply this policy to.


    David1618 Jul 8, 2010 at 09:05 UTC

    Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.

    I'd love to hear I was wrong.


    royh Jul 8, 2010 at 09:10 UTC

    Hi,

    you should look into Restricted Groups in the GPO.

    This will make it possible for you to make a domain group a member of local groups on the GPO-affected computers.


    spiceuser Jul 8, 2010 at 09:14 UTC

    David1618 wrote:

    Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.

    I'd love to hear I was wrong.

    You can do this using remote registry by modifying the following key and value:
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

    "fDenyTSConnections"=dword:00000001 (RDP disabled)
    "fDenyTSConnections"=dword:00000000 (RDP enabled)

    Going on that you could also use the attached to enable across domain using a GPO by dropping it on a share and calling it from a batch script with the following command:
    regedit /s \\servername\share\fDenyTSConnections.reg

    fDenyTSConnections.reg (298 Bytes)


    Kimberlin Jul 8, 2010 at 09:23 UTC

    spiceuser wrote:

    David1618 wrote:

    Well, when I researched it, RDP can't be turned on for WinXP pro desktops remotely, it requires a visit to the machine. Just add it then, as you'll have to be logged in as admin anyhoo.

    I'd love to hear I was wrong.

    You can do this using remote registry by modifying the following key and value:
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

    "fDenyTSConnections"=dword:00000001 (RDP disabled)
    "fDenyTSConnections"=dword:00000000 (RDP enabled)

    Going on that you could also use the attached to enable across domain using a GPO by dropping it on a share and calling it from a batch script with the following command:
    regedit /s \\servername\share\fDenyTSConnections.reg

    What about Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Services, then enable Terminal Services? This should turn on Remote Desktop; I am pretty sure I have done this before.


    Reg1145 Jul 8, 2010 at 09:25 UTC

    Ralph, this worked.

    Thank you everyone for your responses.


    spiceuser Jul 8, 2010 at 09:29 UTC

    Yeah Kimbo, that works too. So 3 ways to enable/disable remotely:

    • By remote registry
    • By script
    • By GPO


    Bryan Doe Jul 8, 2010 at 09:35 UTC

    I'd highly suggest trying the group policy preferences, as gonefishing mentioned. I use GPP to map drives and printers, add users to groups (like my admin account to the RDP group, or my spiceworks user to local admin), and set some initial preferences. It works fantastically, and I haven't had to mess with a script in ages. Works in XP once you install the Client Side Extensions.


    Kimberlin Jul 8, 2010 at 09:45 UTC

    spiceuser wrote:

    Yeah Kimbo, that works too. So 3 ways to enable/disable remotely:

    • By remote registry
    • By script
    • By GPO

    you forgot about

    • By IT Magic!

    Edit: How did you do the bullet points? Apparently HTML wasn't the way :)


    AEisen Jul 8, 2010 at 09:46 UTC

    If the computers are on the domain, then you can use a group policy to enable Terminal Services:

    Computer Configuration => Administrative Templates => Windows Components => Terminal Services =>

    Allow users to connect remotely using Terminal Services

    Also, enable Restricted Groups to add the users you want to permit access to over Remote Desktop

    Computer Configuration => Windows Settings => Security Settings => Restricted Groups

    Right click on Restricted Groups, and click Add group

    At the first prompt, type Domain users

    A second dialog box will open

    If you want to give your users the ability to modify the Remote Desktop Users group, add "Remote Desktop Users" to the box that says "This group is a member of". If you want to restrict access to only the Domain Users group, add "Remote Desktop Users" to "Members of this group".

    Click OK

    When you apply the policy, apply it at the domain level, remove Authenticated Users from Security Filtering, and add your group of computers to the Security Filtering box. This will restrict the policy to only the computers in that group.

    Once the policy is applied, run a gpupdate /force on the notebooks, and you should be good to go.

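Both threads end up at the same two conditions: the user must be in the target's local Remote Desktop Users group (directly, or through the Restricted Groups / GPP approaches above) and must hold the "Allow log on through Remote Desktop Services" right, which Jay notes a DC grants only via GPO. As an added diagnostic, not posted by anyone in either thread, the PowerShell below reports for one user and one server which of those conditions is missing, which is what produces the "not authorized for remote login" error Tarek quotes. It assumes the RSAT ActiveDirectory module, WinRM access to the target and local administrator rights there; the server and user names in the usage line are placeholders.

```powershell
# Added diagnostic (not from the threads): why can't this user RDP to that host?
# Requires RSAT ActiveDirectory, WinRM to the target, and admin rights on it.
Import-Module ActiveDirectory

$RemoteDesktopUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
$AdministratorsSid     = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-EffectiveDomainSids {
    # The user's own SID plus every domain group the user belongs to, nesting
    # included, via the LDAP_MATCHING_RULE_IN_CHAIN filter (1.2.840.113556.1.4.1941).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")
    # Authenticated Users (S-1-5-11) and Everyone (S-1-1-0) are in any domain user's token.
    @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value }) + @('S-1-5-11', 'S-1-1-0')
}

function Get-RemoteRdpState {
    # Collected on the target: the RDP switch (fDenyTSConnections), the SIDs in the
    # local Remote Desktop Users and Administrators groups, and the SIDs holding
    # SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $cfg = Join-Path $env:TEMP 'user-rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content $cfg) {
            # Exported lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RdpEnabled     = ($ts.fDenyTSConnections -eq 0)
            LocalRduSids   = @(Get-LocalGroupMember -SID 'S-1-5-32-555' | ForEach-Object { $_.SID.Value })
            LocalAdminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
            AllowRdpSids   = @($rights['SeRemoteInteractiveLogonRight'])
            DenyRdpSids    = @($rights['SeDenyRemoteInteractiveLogonRight'])
        }
    }
}

function Test-RdpAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $sids  = Get-EffectiveDomainSids -SamAccountName $SamAccountName
    $state = Get-RemoteRdpState -ComputerName $ComputerName

    # Membership in a local group (directly, or through a domain group nested in it)
    # puts that local group's SID into the user's token on this host.
    $inLocalRdu   = [bool]($state.LocalRduSids   | Where-Object { $_ -in $sids })
    $inLocalAdmin = [bool]($state.LocalAdminSids | Where-Object { $_ -in $sids })
    if ($inLocalRdu)   { $sids += $RemoteDesktopUsersSid }
    if ($inLocalAdmin) { $sids += $AdministratorsSid }

    $allowed = [bool]($state.AllowRdpSids | Where-Object { $_ -in $sids })
    $denied  = [bool]($state.DenyRdpSids  | Where-Object { $_ -in $sids })

    # A deny right always wins. RDP enabled but no allow right (the DC default for
    # non-administrators) is exactly the "not authorized for remote login" case.
    $verdict = if ($state.RdpEnabled -and $allowed -and -not $denied) { 'Can connect' } else { 'Denied' }

    [pscustomobject]@{
        Computer                  = $ComputerName
        User                      = $SamAccountName
        RdpEnabled                = $state.RdpEnabled
        InLocalRemoteDesktopUsers = $inLocalRdu
        HasAllowLogonRight        = $allowed
        HitByDenyLogonRight       = $denied
        Verdict                   = $verdict
    }
}

# Usage (placeholder names): Test-RdpAccess -ComputerName 'SERVER01' -SamAccountName 'jdoe'
```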

    Ralph7887 Jul 8, 2010 at 09:50 UTC

    Cool, BTW the first post was for Terminal Services


    spiceuser Jul 8, 2010 at 09:58 UTC

    Kimberlin wrote:

    Edit: How did you do the bullet points? Apparently HTML wasn't the way :)
    • By IT Magic! LOL ;D


    Bob Beatty Jul 9, 2010 at 08:29 UTC

    I have to throw my 2 cents in - this is a great post - I learned some new things from this post and I have been using TS for years! thanks guys!


    Rodolfo1285 Sep 16, 2016 at 08:30 UTC

    Thanks, very helpful.


How-to: Windows Built-in Users, Default Groups and Special Identities

Special identities are implicit placeholders: they are not listed in Active Directory but are available when applying permissions, and their membership is calculated automatically by the OS.

Default GroupDefault User or Session ownerSpecial IdentityDescription
Access Control Assistance OperatorsRemotely query authorization attributes and permissions for resources on the computer.
BuiltIn Local.
Default User Rights: None
Account Operators

Grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.

Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Members of this group cannot modify user rights.
Default User Rights: Allow log on locally: SeInteractiveLogonRight

AdministratorA user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group.
Administrators

A built-in group . Grants complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.

This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins.

The group is the default owner of any object that is created by a member of the group.
Default User Rights for Administrators

Allowed RODC Password Replication GroupManage a RODC password replication policy. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
Default User Rights: None
Anonymous LogonA user who has logged on anonymously. This identity allows anonymous access to resources, such as a web page that is published on corporate servers.
Default User Rights: None
Authenticated UsersA group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Add workstations to domain: SeMachineAccountPrivilege [Often removed in environments that have an IT administrator.]
Bypass traverse checking: SeChangeNotifyPrivilege
Backup OperatorsA built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Back up files and directories: SeBackupPrivilege
Log on as a batch job: SeBatchLogonRight
Restore files and directories: SeRestorePrivilege
Shut down the system: SeShutdownPrivilege
BatchAny user or process that accesses the system as a batch job [or through the batch queue] has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup jobMembership is controlled by the operating system.
Default User Rights: None
Certificate Service DCOM Access
Members of this group are allowed to connect to certification authorities in the enterprise.
Default User Rights: None
Cert Publishers
A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
Default User Rights: None
Cert Server Admins
Certificate Authority Administrators - authorized to administer certificates for User objects in Active Directory. [Domain Local]
Cert Requesters
Members can request certificates. [Domain Local]
Cloneable Domain Controllers
Members of the Cloneable Domain Controllers group that are domain controllers may be cloned.
Default User Rights: None
Cryptographic Operators
Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 [SP1] to configure Windows Firewall for IPsec in Common Criteria mode.
Default User Rights: None
Creator Group
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder security identifier [SID] is created in an inheritable access control entry [ACE]. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's current owner.
The primary group is used only by the Portable Operating System Interface for UNIX [POSIX] subsystem.
Default User Rights: None
Creator Owner
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's current owner.
Denied RODC Password Replication Group
Members of the Denied RODC Password Replication Group cannot have their passwords replicated to any Read-only domain controller. The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups.
Default User Rights: None
Device Owners

This group is not currently used in Windows.

Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
Change the time zone: SeTimeZonePrivilege

Dialup
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
Digest Authentication
Default User Rights: None
Distributed COM Users
Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer.
Default User Rights: None
DnsAdmins [installed with DNS]
Members of this group have administrative access to the DNS Server service. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group has no default members.
Default User Rights: None
DnsUpdateProxy [installed with DNS]
Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members.
Default User Rights: None
Domain Admins
A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
Default User Rights: as Administrators
Domain Computers
A global group that includes all computers that have joined the domain, excluding domain controllers.
Default User Rights: None
Domain Controllers
A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.
Default User Rights: None
Domain Guests
A global group that, by default, has only one member, the domain's built-in Guest account.
Default User Rights: See 'Guests'
Domain Users
A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group automatically.
Default User Rights: See 'Users'
Enterprise Admins
A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
Default User Rights:
See Administrators
See Denied RODC Password Replication Group
Enterprise Key Admins
Members of this group can perform administrative actions on key objects within the forest. The Enterprise Key Admins group was introduced in Windows Server 2016.
Default User Rights: None
Enterprise Read-Only Domain Controllers
Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds.
Default User Rights: None
Enterprise Domain Controllers
A group that includes all domain controllers in an Active Directory directory service forest of domains. Membership is controlled by the operating system.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Allow log on locally: SeInteractiveLogonRight
Event Log Readers
Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
Default User Rights: None
Everyone
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; it no longer includes Anonymous Logon by default [although this can be changed]. Membership is controlled by the operating system.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Act as part of the operating system: SeTcbPrivilege
Bypass traverse checking: SeChangeNotifyPrivilege
Group Policy Creator Owners
A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. The default owner of a new Group Policy object is usually the user who created it. If the user is a member of Administrators or Domain Admins, all objects that are created by the user are owned by the group. Owners have full control of the objects they own.
Default User Rights: See 'Denied RODC Password Replication Group'.
Guest
A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
Guests
A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the %userprofile% directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system.
Default User Rights: None
Hyper-V Administrators
Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. Introduced in Windows Server 2012.
Default User Rights: None
IIS_IUSRS
IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized.
Default User Rights: None
Incoming Forest Trust Builders
Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. This group cannot be renamed, deleted, or moved.
Default User Rights: None
Key Admins
Members of this group can perform administrative actions on key objects within the domain.
Default User Rights: None
Interactive
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
Default User Rights: None
KRBTGT
A service account that is used by the Key Distribution Center [KDC] service.
Local Service
The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password.
Default User Rights:
Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
Bypass traverse checking: SeChangeNotifyPrivilege
Change the system time: SeSystemtimePrivilege
Change the time zone: SeTimeZonePrivilege
Create global objects: SeCreateGlobalPrivilege
Generate security audits: SeAuditPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege
Replace a process level token: SeAssignPrimaryTokenPrivilege
Local System
This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
Default User Rights: None
Network
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
Default User Rights: None
Network Service
The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
Default User Rights:
Adjust memory quotas for a process: SeIncreaseQuotaPrivilege
Bypass traverse checking: SeChangeNotifyPrivilege
Create global objects: SeCreateGlobalPrivilege
Generate security audits: SeAuditPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege
Restore files and directories: SeRestorePrivilege
Replace a process level token: SeAssignPrimaryTokenPrivilege
Network Configuration Operators
Members of this group can make changes to TCP/IP settings; rename, enable, or disable LAN connections; delete or rename remote access connections; enter the PIN unblock key [PUK] for mobile broadband devices that support a SIM card; and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members.
Default User Rights: None
NTLM Authentication
Default User Rights: None
Other Organization
This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
Default User Rights: None
Performance Monitor Users
Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups.
Default User Rights: None
Performance Log Users
Members of this group can manage performance counters, logs, and alerts on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators group.
Default User Rights: Log on as a batch job: SeBatchLogonRight
Power Users
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group did once grant users specific admin rights and permissions in previous versions of Windows.
Pre-Windows 2000 Compatible Access
A backward compatibility group which allows read access on all users and groups in the domain. By default, the special identity Everyone is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
Default User Rights:
Access this computer from the network: SeNetworkLogonRight
Bypass traverse checking: SeChangeNotifyPrivilege
Principal Self [or Self]
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
Default User Rights: None
Print Operators
A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Load and unload device drivers: SeLoadDriverPrivilege
Shut down the system: SeShutdownPrivilege
Protected Users
Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This group was introduced in Windows Server 2012 R2.
Default User Rights: None
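The entries above for Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Group Policy Creator Owners and Protected Users describe groups whose membership should be reviewed regularly. The following PowerShell is an added example, not part of the original reference: it lists the members of those groups and flags privileged user accounts that are not in Protected Users. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; groups are resolved by their well-known SIDs [builtin S-1-5-32-* and the domain-relative RIDs] so a renamed group is still found. Treating Protected Users membership as expected for these accounts is a hardening practice assumed here, not something the reference states; accounts that still need NTLM or RC4 Kerberos must be excluded from it deliberately.

```powershell
# Added example, not from the original reference. Enumerates members of the
# high-privilege groups listed above and reports privileged users that are not
# in Protected Users. Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value

    # Groups are looked up by well-known SID (builtin S-1-5-32-* and the
    # domain-relative RIDs), so a renamed group is still found.
    $groups = [ordered]@{
        'Administrators'              = 'S-1-5-32-544'
        'Account Operators'           = 'S-1-5-32-548'
        'Server Operators'            = 'S-1-5-32-549'
        'Print Operators'             = 'S-1-5-32-550'
        'Backup Operators'            = 'S-1-5-32-551'
        'Domain Admins'               = "$domainSid-512"
        'Schema Admins'               = "$domainSid-518"   # forest root domain only
        'Enterprise Admins'           = "$domainSid-519"   # forest root domain only
        'Group Policy Creator Owners' = "$domainSid-520"
    }

    foreach ($name in $groups.Keys) {
        try {
            $group = Get-ADGroup -Identity $groups[$name] -Server $Server -ErrorAction Stop
        } catch {
            # Schema Admins and Enterprise Admins do not exist outside the forest root domain.
            continue
        }
        # -Recursive expands nested groups so indirect members are reported too.
        Get-ADGroupMember -Identity $group -Recursive -Server $Server |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $name
                    GroupName   = $group.Name        # actual (possibly renamed) name
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                }
            }
    }
}

function Get-UnprotectedPrivilegedUsers {
    # Reports enabled user accounts that hold membership in the groups above but
    # are not direct members of Protected Users (domain RID 525). Practice
    # assumption: such accounts belong in Protected Users unless deliberately excluded.
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $protected = (Get-ADGroup -Identity "$domainSid-525" -Server $Server).DistinguishedName

    Get-PrivilegedGroupReport -Server $Server |
        Where-Object { $_.ObjectClass -eq 'user' } |
        Select-Object -ExpandProperty Member -Unique |
        ForEach-Object {
            $u = Get-ADUser -Identity $_ -Properties memberOf, Enabled -Server $Server
            if ($u.Enabled -and ($u.memberOf -notcontains $protected)) {
                [pscustomobject]@{
                    User    = $u.SamAccountName
                    Finding = 'Privileged but not in Protected Users'
                }
            }
        }
}

# Usage: run from an elevated PowerShell session on a domain-joined host.
Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
```

Run this from a host where the ActiveDirectory module is installed; Get-ADGroupMember -Recursive can fail on groups that contain foreign security principals from a trusted forest, so in multi-forest environments those groups are worth checking separately.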
RAS and IAS Servers
Servers in this group are permitted access to the remote access properties of users. A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
Default User Rights: None
RDS Endpoint Servers
Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
Default User Rights: None
RDS Management Servers
Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
Default User Rights: None
RDS Remote Access Servers
Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
Default User Rights: None
Read-Only Domain Controllers
This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Default User Rights: See 'Denied RODC Password Replication Group'.
Remote Desktop Users
The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role [also known as flexible single master operations or FSMO].
Default User Rights: None
Remote Interactive Logon
This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
Default User Rights: None
Remote Management Users
Members of the Remote Management Users group can access WMI resources over management protocols [such as WS-Management via the Windows Remote Management service]. This applies only to WMI namespaces that grant access to the user. The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group allows remotely running Windows PowerShell commands.
Default User Rights: None
Replicator

Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service [FRS] to replicate system policies and logon scripts stored in the System Volume [SYSVOL].

The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom [non-SYSVOL] data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication.
Default User Rights: None

Restricted
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user's access token.
Default User Rights: None
SChannel Authentication
Default User Rights: None
Schema Admins
A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. Because this group has significant power in the forest, add users with caution.
Default User Rights: See 'Denied RODC Password Replication Group'.
Server Operators
A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
Default User Rights:
Allow log on locally: SeInteractiveLogonRight
Back up files and directories: SeBackupPrivilege
Change the system time: SeSystemtimePrivilege
Change the time zone: SeTimeZonePrivilege
Force shutdown from a remote system: SeRemoteShutdownPrivilege
Restore files and directories: SeRestorePrivilege
Shut down the system: SeShutdownPrivilege
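The "Default User Rights" lists for Backup Operators, Print Operators, Local Service, Network Service and Server Operators above describe who holds privileges such as SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege and SeImpersonatePrivilege out of the box. Checking a host against that baseline is the practical use of the reference. The following PowerShell is an added example, not part of the original reference or of any Microsoft tooling: it parses the [Privilege Rights] section of a secedit export and reports every holder that is not in a baseline. The baseline is built from the page's own lists for those groups; adding Administrators [S-1-5-32-544] to it is an assumption made here, and the $SampleExport text is constructed so the parsing can be exercised offline. The live export via secedit requires an elevated prompt.

```powershell
# Added example, not from the original reference: compare a host's User Rights
# Assignment with the default holders this reference lists. The live export
# needs an elevated prompt; $SampleExport below is constructed for offline use.

function ConvertFrom-SeceditPrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit .inf export into a
    # hashtable: privilege name -> array of holder SID strings.
    param([Parameter(Mandatory)][string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or -not $line.Contains('=')) { continue }
        $name, $value = $line -split '=', 2
        # secedit writes holders as *S-1-5-32-544,*S-1-5-32-551; strip the marker.
        $rights[$name.Trim()] = @($value -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ -ne '' })
    }
    return $rights
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable (deleted or foreign) SIDs are reported raw
}

function Compare-PrivilegeBaseline {
    # Emits one finding per holder that is not in the baseline for that privilege.
    param([hashtable]$Actual, [hashtable]$Baseline)
    foreach ($priv in $Baseline.Keys) {
        $holders = if ($Actual.ContainsKey($priv)) { $Actual[$priv] } else { @() }
        foreach ($sid in $holders) {
            if ($Baseline[$priv] -notcontains $sid) {
                [pscustomobject]@{ Privilege = $priv; Sid = $sid; Account = (Resolve-SidName $sid) }
            }
        }
    }
}

function Get-LocalPrivilegeRights {
    # Live export; secedit requires elevation and writes a Unicode .inf file.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try { ConvertFrom-SeceditPrivilegeRights -Lines (Get-Content -Path $inf) }
    finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Baseline taken from the default holders this reference lists: Backup Operators
# S-1-5-32-551, Server Operators S-1-5-32-549, Print Operators S-1-5-32-550,
# Local Service S-1-5-19, Network Service S-1-5-20, Service S-1-5-6.
# Administrators (S-1-5-32-544) is an assumption added here; adjust to your standard.
$Baseline = @{
    'SeBackupPrivilege'             = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549')
    'SeRestorePrivilege'            = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549', 'S-1-5-20')
    'SeLoadDriverPrivilege'         = @('S-1-5-32-544', 'S-1-5-32-550')
    'SeImpersonatePrivilege'        = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')
    'SeAssignPrimaryTokenPrivilege' = @('S-1-5-19', 'S-1-5-20')
}

# Constructed sample export (not from a real host); the domain SID is made up.
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1004336348-1177238915-682003330-1104
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
[Version]
signature="$CHICAGO$"
Revision=1
'@

$parsed = ConvertFrom-SeceditPrivilegeRights -Lines ($SampleExport -split "`r?`n")
Compare-PrivilegeBaseline -Actual $parsed -Baseline $Baseline | Format-Table -AutoSize

# On a live host (elevated):
# Compare-PrivilegeBaseline -Actual (Get-LocalPrivilegeRights) -Baseline $Baseline
```

The constructed sample deliberately carries one extra holder of SeBackupPrivilege [a made-up domain account SID] so the comparison has something to report; on a real domain controller the same comparison shows any account that has been granted backup, restore, driver-loading or impersonation rights outside the groups this reference lists for them.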
Service

Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
Default User Rights:
Create global objects: SeCreateGlobalPrivilege
Impersonate a client after authentication: SeImpersonatePrivilege

Storage Replica Administrators
Members of this group have complete and unrestricted access to all features of Storage Replica.
Default User Rights: None
System Managed Accounts Group
Members of this group are managed by the system.
Default User Rights: None
Terminal Server License Servers
Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role [also known as flexible single master operations or FSMO].
Default User Rights: None
Terminal Server Users
Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
Default User Rights: None
This Organization
Default User Rights: None
Users
A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation.
This group cannot be renamed, deleted, or moved.
Default User Rights: None
Windows Authorization Access Group
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal [TGGAU] attribute on user account objects or on computer account objects in Active Directory Domain Services.
Default User Rights: None
Window Manager\Window Manager Group
Default User Rights:
Bypass traverse checking: SeChangeNotifyPrivilege
Increase a process working set: SeIncreaseWorkingSetPrivilege
WinRMRemoteWMIUsers_

In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.

The WinRMRemoteWMIUsers_ group allows running PowerShell commands remotely whereas the 'Remote Management Users' group is generally used to allow users to manage servers by using the Server Manager console. This security group was introduced in Windows Server 2012.
Default User Rights: None
