Showing posts with label Groups. Show all posts

Wednesday, March 31, 2010

An Introduction to Microsoft Active Directory

Let us first consider workgroup networks, and then go on to domains and Active Directory.
Workgroups are networks in which each computer can have both a server and a client role. What I mean is that they can both share resources and make use of resources shared by other computers. This kind of network is good when we need one on a small scale, and when security is not important. Here, users can easily use network resources and change their settings, such as usernames, passwords, and so on. This is because they have a database called the Local Security Database (LSD) on their systems, which stores the local computer's security information. Every time a user wants to log on, the information provided by that user is compared to that in the LSD. If they match, a token is issued to that user and he/she will be allowed to enter the system. (I will explain the authentication and authorization process in a separate post.)
This kind of network has many shortcomings, among which the following are the most important:
  1. Workgroups increase the administrator's workload, because the admin has to set properties on computers one by one. Each user account has to be created on every system to which that specific user needs to log on, and so on.
  2. Security is at its lowest level. Users can adjust their system's properties and so on as they wish. Imagine a novice logging on to your workgroup, or a user with devilish intentions. The only thing left for you is the trouble made by these two.

These issues led to the creation of another kind of network: the domain network. With domains you can easily manage thousands upon thousands of objects in your network, including user accounts, group accounts, computer accounts, printers, and so on. How? I'll tell you.

When you decide to implement a domain, the only things you need are a Windows Server CD and a computer on which to install Active Directory (from that time on, the computer is called a domain controller, or DC). Easy, isn't it?

Now, let us see how it works.

Unlike workgroups, we don't have LSDs in domain networks. Instead we have something called the Domain Security Database (DSD), in which information about all of the objects on our network is stored, including user accounts, group accounts, printers, and so on. In order to log on to the network, users must first join the domain. From that time on, if a user wants to log on, the information provided by that user will be compared to that stored in the DSD. If they match, the token will be issued and the user can log on.

We can increase security by defining policies on the whole domain, so we don't have security issues in the future. Easy life, isn't it?

And as far as domains are concerned, the administrators' workload decreases a great deal, because you set everything on one system, just one time.

Be content.

Monday, March 29, 2010

Security Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before modifying any security settings, it is important to take into consideration the default settings.

There are three fundamental levels of security that are granted to users. These are granted to end users through membership in the Administrators, Power Users, or Users groups.

Administrators

The Administrators group is provided to perform computer maintenance tasks. The default permissions allotted to this group allow complete control over the entire system. As a result, only trusted personnel should be members of this group.

Power Users

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default permissions that are allotted to the Power Users group allow members of the Power Users group to modify computerwide settings.

When you upgrade from Windows NT 4.0, members of the Restricted Users group are automatically placed in the Power Users group to prevent backward compatibility issues with the applications that your organization used before the upgrade. Many applications used on Windows NT 4.0 required elevated permissions to run correctly. The default Windows 2000, Windows XP Professional, and Windows Server 2003 family security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000, Windows XP Professional or Windows Server 2003 family.

If you do not want end users to have the elevated permissions of the Power Users group, you can make them members of the Users group and only run applications that belong to the Windows Logo program for Software. If applications that do not belong to the Windows Logo program for Software must be supported, then end users will need to be part of the Power Users group. For information about the Windows Logo program for Software, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ] .

Power Users can:

  • Run legacy applications, in addition to applications for Windows 2000, Windows XP Professional, or the Windows Server 2003 family that belong to the Windows Logo program for Software.
  • Install programs that do not modify operating system files or install system services.
  • Customize systemwide resources including printers, date, time, power options, and other Control Panel resources.
  • Create and manage local user accounts and groups.
  • Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

Caution

  • Running legacy programs on Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy applications belonging to the Windows Logo program for Software in order to achieve maximum security without sacrificing program functionality. These programs can run successfully under the Secure configuration that is provided by the Users group.
  • Since Power Users can install or modify programs, running as a Power User when connected to the Internet could make the system vulnerable to Trojan horse programs and other security risks.

Users

The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data.

The Users group provides the most secure environment in which to run programs. On a volume formatted with the NTFS file system, the default security settings on a newly-installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify systemwide registry settings, operating system files, or program files. Users can shut down workstations but not servers. Users can create local groups, but can manage only the local groups that they created. They can run Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family programs that belong to the Windows Logo program for Software that have been installed or deployed by administrators. Users have full control over all of their own data files (stored at %userprofile%) and their own portion of the registry (located in HKEY_CURRENT_USER).

Note that user-level permissions often do not allow the user to successfully run legacy applications. To run these legacy applications, you must either loosen security to allow members of the Users group to run the applications or you must promote members of the Users group to the Power Users group. Both options decrease the security of your organization. Since members of the Users group are guaranteed to be able to run applications belonging to the Windows Logo program for Software, it is a best practice to only use applications that belong to the Windows Logo program for Software. For more information, see the Windows Logo program for Software on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=3688 ] .

To secure a system running Windows 2000, Windows XP Professional, or a member of the Windows Server 2003 family, an administrator should:

  • Make sure that end users are members of the Users group only.
  • Deploy programs that members of the Users group can run successfully, such as programs that belong to the Windows Logo program for Software.

Users will not be able to run most programs written for versions of Windows prior to Windows 2000, because they did not support file system and registry security (such as Windows 95 and Windows 98) or shipped with other default security settings (Windows NT). If you have problems running legacy applications on newly-installed NTFS systems, then do one of the following:

  1. Install new versions of the applications that belong to the Windows Logo program for Software.
  2. Move end users from the Users group into the Power Users group.
  3. Decrease the default security permissions for the Users group. This can be accomplished by using the Compatible security template.
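A membership audit for the first of the steps above (end users in the Users group only), written as an added PowerShell example that is not part of the TechNet article; it relies on the ADSI WinNT provider, which is available on Windows Server 2003, and uses the default group names from the article. The $ComputerName parameter and the Get-LocalGroupMembership function are my own names.

```powershell
# Added example (not from the TechNet article): list who holds membership in
# the local groups whose default rights let members change the system, so
# that end users can be confirmed to be in the Users group only.
# Uses the ADSI WinNT provider, which is available on Windows Server 2003.
param([string]$ComputerName = $env:COMPUTERNAME)

# Groups from the article whose members can modify system-wide settings
$PrivilegedGroups = @('Administrators', 'Power Users', 'Backup Operators')

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$GroupName)
    try {
        $group = [ADSI]"WinNT://$Computer/$GroupName,group"
        # IADsGroup::Members() returns one COM object per direct member
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        Write-Warning "Cannot read group '$GroupName' on $Computer : $_"
        return
    }
    foreach ($m in $members) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = $path -replace '^WinNT://', ''   # DOMAIN/Name or COMPUTER/Name
            Class  = $class                           # 'User' or 'Group'
        }
    }
}

$findings = foreach ($g in $PrivilegedGroups) {
    Get-LocalGroupMembership -Computer $ComputerName -GroupName $g
}

$findings | Format-Table Group, Member, Class -AutoSize

# Nested groups (e.g. Domain Admins inside Administrators) hide indirect
# members; flag them so the reviewer expands them before signing off.
$findings | Where-Object { $_.Class -eq 'Group' } | ForEach-Object {
    Write-Warning ("{0} is nested in {1}; expand it to see indirect members" -f $_.Member, $_.Group)
}
```

Any user account listed under Power Users or Administrators that belongs to an end user is a candidate for moving back to Users, after checking which of the three options above applies to the applications that user runs.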

The Anonymous group is no longer a member of the Everyone group

For Windows XP Professional and the Windows Server 2003 family, the Anonymous group is no longer a member of the Everyone group.

When a Windows 2000 system is upgraded to Windows XP Professional or the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. You may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions.

However, in some situations where it might be difficult to determine and modify the permission entries on resources, you can change the Network access: Let Everyone permissions apply to anonymous users [ http://technet.microsoft.com/en-us/library/cc778182(WS.10).aspx ] security setting.

Other groups

  • Interactive. This group contains the user who is currently logged on to the computer. During an upgrade to Windows 2000, Windows XP Professional, or the Windows Server 2003 family, members of the Interactive group will also be added to the Power Users group, so that legacy applications will continue to function as they did before the upgrade.
  • Network. This group contains all users who are currently accessing the system over the network.
  • Backup Operators. Members of the Backup Operators group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Caution
    • Backing up and restoring data files and system files requires permissions to read and write those files. The same default permissions granted to Backup Operators that allow them to back up and restore files also make it possible for them to use the group's permissions for other purposes, such as reading another user's files or installing Trojan horse programs. Group Policy settings can be used to create an environment in which Backup Operators only can run a backup program. For more information, see the Microsoft Security page on the Microsoft Web site [ http://go.microsoft.com/fwlink/?LinkId=102 ] .

Default local groups

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Groups folder located in the Local Users and Groups Microsoft Management Console (MMC) displays the default local groups as well as the local groups that you create. The default local groups are automatically created when you install a stand-alone server or a member server running Windows Server 2003. Belonging to a local group gives a user the rights and abilities to perform various tasks on the local computer. For more information about domain-based groups, see Default groups [ http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx ] .

You can add local user accounts, domain user accounts, computer accounts, and group accounts to local groups. However, you cannot add local user accounts and local group accounts to domain group accounts. For more information about adding members to local groups, see Add a member to a local group [ http://technet.microsoft.com/en-us/library/cc739265(WS.10).aspx ] .

Note

  • To learn what group you need to be a member of to perform a particular procedure, many procedural topics under How To in Help and Support Center provide a note that identifies this information.

The following table provides descriptions of the default groups located in the Groups folder and lists the assigned user rights for each group. These rights are assigned within the local security policy. For complete descriptions of the user rights listed in the table, see User Rights Assignment [ http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx ] . For information about editing these rights, see Assign user rights for your local computer [ http://technet.microsoft.com/en-us/library/cc739028(WS.10).aspx ] .

Each entry below gives the group, its description, and its default user rights.

Administrators

Description: Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. The Administrator account is also a default member. When this server is joined to a domain, the Domain Admins group is automatically added to this group. Because this group has full control of the server, add users with caution. For more information, see Default local groups [ http://technet.microsoft.com/en-us/library/cc785098(WS.10).aspx ] and Default groups [ http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx ] .

Default user rights: Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Backup Operators

Description: Members of this group can back up and restore files on the server, regardless of any permissions that protect those files. This is because the right to perform a backup takes precedence over all file permissions. They cannot change security settings.

Default user rights: Access this computer from the network; Allow log on locally; Back up files and directories; Bypass traverse checking; Restore files and directories; Shut down the system.

DHCP Administrators (installed with the DHCP Server service)

Description: Members of this group have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service. This group provides a way to assign limited administrative access to the DHCP server only, while not providing full access to the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able to perform other administrative actions on the server.

Default user rights: No default user rights.

DHCP Users (installed with the DHCP Server service)

Description: Members of this group have read-only access to the DHCP Server service. This allows members to view information and properties stored at a specified DHCP server. This information is useful to support staff when they need to obtain DHCP status reports.

Default user rights: No default user rights.

Guests

Description: Members of this group will have a temporary profile created at log on, and when the member logs off, the profile will be deleted. The Guest account (which is disabled by default) is also a default member of this group.

Default user rights: No default user rights.

HelpServicesGroup

Description: This group allows administrators to set rights common to all support applications. By default, the only group member is the account associated with Microsoft support applications, such as Remote Assistance. Do not add users to this group.

Default user rights: No default user rights.

Network Configuration Operators

Description: Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses. This group has no default members.

Default user rights: No default user rights.

Performance Monitor Users

Description: Members of this group can monitor performance counters on the server locally and from remote clients without being a member of the Administrators or Performance Log Users groups.

Default user rights: No default user rights.

Performance Log Users

Description: Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.

Default user rights: No default user rights.

Power Users

Description: Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs.

Default user rights: Access this computer from the network; Allow log on locally; Bypass traverse checking; Change the system time; Profile single process; Remove computer from docking station; Shut down the system.

Print Operators

Description: Members of this group can manage printers and print queues.

Default user rights: No default user rights.

Remote Desktop Users

Description: Members of this group can remotely log on to a server. For more information, see Enabling users to connect remotely to the server [ http://technet.microsoft.com/en-us/library/cc781509(WS.10).aspx ] .

Default user rights: Allow log on through Terminal Services.

Replicator

Description: The Replicator group supports replication functions. The only member of the Replicator group should be a domain user account used to log on the Replicator services of a domain controller. Do not add user accounts of actual users to this group.

Default user rights: No default user rights.

Terminal Server Users

Description: This group contains any users who are currently logged on to the system using Terminal Server. Any program that a user can run with Windows NT 4.0 will run for a member of the Terminal Server User group. The default permissions assigned to this group enable its members to run most earlier programs.

Default user rights: No default user rights.

Users

Description: Members of this group can perform common tasks, such as running applications, using local and network printers, and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.

Default user rights: Access this computer from the network; Allow log on locally; Bypass traverse checking.

WINS Users (installed with WINS service)

Description: Members of this group are permitted read-only access to Windows Internet Name Service (WINS). This allows members to view information and properties stored at a specified WINS server. This information is useful to support staff when they need to obtain WINS status reports.

Default user rights: No default user rights.

For more information about the most common default groups, see Default security settings for groups [ http://technet.microsoft.com/en-us/library/cc773320(WS.10).aspx ] .
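To check which accounts actually hold a few of the rights listed in the table, here is an added PowerShell script that is not part of the TechNet article: it exports the local policy with secedit and compares the holders of each right against the table's defaults. It assumes an elevated session on a member or stand-alone server; the privilege names (SeBackupPrivilege and so on) and the S-1-5-32-* well-known SIDs are the standard Windows ones, and the $expected table is my own encoding of the defaults above.

```powershell
# Added example (not from the TechNet article): compare the User Rights
# Assignment in effect with the defaults listed in the table above.
# Must run elevated: secedit /export needs administrative access.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated session" }

# Expected default holders from the table, by well-known SID:
# S-1-5-32-544 Administrators, -551 Backup Operators, -555 Remote Desktop Users
$expected = @{
    'SeBackupPrivilege'             = @('S-1-5-32-544', 'S-1-5-32-551')  # Back up files and directories
    'SeRestorePrivilege'            = @('S-1-5-32-544', 'S-1-5-32-551')  # Restore files and directories
    'SeDebugPrivilege'              = @('S-1-5-32-544')                  # Debug programs
    'SeLoadDriverPrivilege'         = @('S-1-5-32-544')                  # Load and unload device drivers
    'SeTakeOwnershipPrivilege'      = @('S-1-5-32-544')                  # Take ownership of files or other objects
    'SeRemoteInteractiveLogonRight' = @('S-1-5-32-544', 'S-1-5-32-555')  # Allow log on through Terminal Services
}

function Convert-SidToName([string]$sid) {
    try { (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
    catch { $sid }   # keep the raw SID when it cannot be resolved (e.g. a deleted account)
}

# Parse the [Privilege Rights] section; lines look like
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
# (the leading * marks a SID; a bare name may appear for unresolved entries)
$inSection = $false
$actual = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $actual[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# Report any holder that is not one of the table's defaults
foreach ($right in $expected.Keys) {
    $holders = @($actual[$right])
    $extra = $holders | Where-Object { $_ -and ($expected[$right] -notcontains $_) }
    if ($extra) {
        $names = ($extra | ForEach-Object { Convert-SidToName $_ }) -join ', '
        Write-Warning ("{0} is also granted to: {1}" -f $right, $names)
    } else {
        Write-Output ("{0}: only the default holders" -f $right)
    }
}
Remove-Item $inf
```

A right that is missing from the export altogether (for example a right nobody holds) is reported as having only its default holders, so review the secedit output directly if a right is expected to be absent.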

Local Users and Groups overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Local Users and Groups is located in Computer Management, a collection of administrative tools that you can use to manage a single local or remote computer. You can use Local Users and Groups to secure and manage user accounts and groups stored locally on your computer. A local user or group account can be assigned permissions and rights on a particular computer and that computer only. Local Users and Groups is available on the following client and server operating systems:

  • Client computers running Microsoft® Windows® 2000 Professional or Windows XP Professional
  • Member servers running a product in the Microsoft Windows 2000 Server family or the Windows Server 2003 family
  • Stand-alone servers running a product in the Microsoft Windows 2000 Server family or the Windows Server 2003 family

Using Local Users and Groups you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner.

You cannot use Local Users and Groups to view local user and group accounts once a member server has been promoted to a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers (that are not domain controllers) on the network. Use Active Directory Users and Computers to manage users and groups in Active Directory.