
Understanding Service Administrators and Data Administrators

For Active Directory in Windows Server 2003, there are two types of administrative responsibility. Service administrators are responsible for maintaining and delivering the directory service, including domain controller management and directory service configuration. Data administrators are responsible for maintaining the data that is stored in the directory service and on domain member servers and workstations. In a small organization, these two roles might be performed by the same person, but it is important to understand which default accounts and groups are service administrators.

Service administration accounts and groups have the most widespread power in your network environment and require the most protection. They are responsible for directory-wide settings, installation and maintenance of software, and application of operating system service packs and updates on domain controllers.

The following table lists the default groups and accounts that are used for service administration, their default locations, and a brief description of each. Groups in the Built-in container cannot be moved to another location.

Default Service Administrator Groups and Accounts

Enterprise Admins
Default location: Users container
Description: This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers.

Schema Admins
Default location: Users container
Description: This group has full administrative access to the Active Directory schema.

Administrators
Default location: Built-in container
Description: This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.

Domain Admins
Default location: Users container
Description: This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain, and it can modify the membership of all administrative accounts in the domain.

Server Operators
Default location: Built-in container
Description: By default, this built-in group has no members. It can perform maintenance tasks, such as backup and restore, on domain controllers.

Account Operators
Default location: Built-in container
Description: By default, this built-in group has no members. It can create and manage users and groups in the domain, but it cannot manage service administrator accounts. As a best practice, do not add members to this group, and do not use it for any delegated administration.

Backup Operators
Default location: Built-in container
Description: By default, this built-in group has no members. It can perform backup and restore operations on domain controllers.

DS Restore Mode Administrator
Default location: Not stored in Active Directory
Description: This special account is created during the Active Directory installation process, and it is not the same as the Administrator account in the Active Directory database. This account is only used to start the domain controller in Directory Services Restore Mode. In Directory Services Restore Mode, this account has full access to the system and all files on the domain controller.
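To turn the table above into a routine check, here is an added PowerShell example (not part of the original document) that lists the direct and effective members of each service administrator group and flags any member beyond the defaults this page documents. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the domain, and the Get-ServiceAdminReport function name is this example's own.

```powershell
# Added example, not from the original document. Audits the service administrator
# groups listed in the table above against the default membership the page documents.
Import-Module ActiveDirectory

# Groups from the table and the membership this page documents as the default.
# An empty list means the page says the group normally has no members.
$ServiceAdminGroups = @{
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @('Administrator')
    'Domain Admins'     = @('Administrator')
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    'Server Operators'  = @()
    'Account Operators' = @()
    'Backup Operators'  = @()
}

function Get-ServiceAdminReport {
    param([string]$Server)   # optional domain controller to query; defaults to the current one

    $target = @{}
    if ($Server) { $target.Server = $Server }

    foreach ($groupName in $ServiceAdminGroups.Keys) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # so skip any group that is not present in the domain being queried.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" @target
        if (-not $group) { continue }

        # Direct members are what the table describes; the recursive view shows
        # every account that effectively holds the group's power through nesting.
        $direct    = @(Get-ADGroupMember -Identity $group @target)
        $effective = @(Get-ADGroupMember -Identity $group -Recursive @target)

        $expected   = $ServiceAdminGroups[$groupName]
        $unexpected = @($direct | Where-Object { $expected -notcontains $_.SamAccountName })
        $finding    = if ($unexpected.Count -gt 0) { 'REVIEW: members beyond the documented default' } else { 'ok' }

        [PSCustomObject]@{
            Group             = $groupName
            DirectMembers     = (($direct | ForEach-Object SamAccountName) -join ', ')
            EffectiveUsers    = @($effective | Where-Object { $_.objectClass -eq 'user' }).Count
            UnexpectedMembers = (($unexpected | ForEach-Object SamAccountName) -join ', ')
            Finding           = $finding
        }
    }
}

# Example run; sorting puts groups with non-default members at the top of the report.
Get-ServiceAdminReport | Sort-Object Finding -Descending | Format-Table -AutoSize
```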

Using Default Group Accounts

Groups Used by Administrators


An administrator is someone who has wide access to network resources. Administrators can create accounts, modify user rights, install printers, manage shared resources, and more.

The local group Administrator and the global groups Domain Admins and Enterprise Admins are members of the Administrators group. The Administrator user membership is used to access the local computer. The Domain Admins membership allows other administrators to access the system from elsewhere in the domain. The Enterprise Admins membership allows other administrators to access the system from other domains in the current domain tree or forest. To prevent enterprise-wide access to a domain, you can remove Enterprise Admins from this group.

Table 7-10 Administrators Group Overviews

Administrators Group Type | Network Environment | Group Scope | Membership | Account Administration
Administrators | Active Directory domains | Domain Local | Administrator, Domain Admins, Enterprise Admins | Administrators
Administrators | Workgroups, computers not part of a domain | Local | Administrator | Administrators
Domain Admins | Active Directory domains | Global | Administrator | Administrators
Enterprise Admins | Active Directory domains | Global or Universal | Administrator | Administrators

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this group has complete access, you should be very careful about adding users to it. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this group.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it's a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.

Tip: In a Windows 2000 domain, the Administrator local user is a member of Domain Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to all resources in the domain. To prevent this, you can remove the local Administrator account from the Domain Admins group.

Enterprise Admins is a global group designed to help you administer all the computers in a domain tree or forest. This group has administrative control over all computers in the enterprise because it's a member of the Administrators group by default. To make someone an administrator for the enterprise, make that person a member of this group.

Tip: In a Windows 2000 domain, the Administrator local user is a member of Enterprise Admins by default. This means that if someone logs on to a computer as the administrator and the computer is a member of the domain, the user will have complete access to the domain tree or forest. To prevent this, you can remove the local Administrator account from the Enterprise Admins group.

Groups Used by Operators

Operators are users who have privileges to perform very specific administrative tasks, such as creating accounts or backing up file systems. By default, no other group or user accounts are members of the operator groups. This feature exists primarily to make sure that you grant explicit access to these accounts. Additionally, because these are local groups, operators can only perform the tasks on a specific computer. The operator groups are Account Operators, Backup Operators, Print Operators, Server Operators, and Replicator, as compared in Table 7-11.

Table 7-11 Operators Group Overviews

Operators Group Type | Network Environment | Group Scope | Membership | Account Administration
Account Operators | Active Directory domains | Built-In Local | None | Administrators
Backup Operators | Any server or workstation | Built-In Local, Local | None | Administrators
Print Operators | Active Directory domains | Built-In Local | None | Administrators
Server Operators | Active Directory domains | Built-In Local | None | Administrators
Replicator | Any server or workstation | Built-In Local, Local | None | Administrators, Account Operators, Server Operators

Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.

Backup Operators is a local group that enables a user to back up and restore files and directories on workstations and servers in a Windows 2000 domain. Members of this group can log on to a computer, back up or restore files, and shut down the computer. Because of how the account is set up, they can back up files regardless of whether they have read/write access to the files. However, they can't change access permissions of the files or perform other administrative tasks.

Print Operators is a local group for managing network printers. Members of this group can manage printers running in a Windows 2000 domain. They can define which printers are shared, which printers aren't, and other related printer privileges. Print Operators can also log on to a server locally and shut it down.

Server Operators is a local group that allows a user to perform general administrator tasks. These tasks include sharing server resources, performing file backup and recovery, and more. As with other operator accounts, Server Operators can also log on to a server locally and shut it down. Server Operators can perform most common server administration tasks.

Replicator, which is a special group account, is used with the directory replication service. Administrators and operators can set up this service to manage the replication of files and directories in a domain. If you do this, you'll need to set up a special user account for the replication service and make the account a member of this group.

Groups Used by Users

Windows 2000 provides many different types of user accounts. These accounts are designed to meet the needs of diverse networking environments. The user groups are Users, Domain Users, Power Users, Guests, and Domain Guests, as compared in Table 7-12.

Table 7-12 Users Group Overviews

Users Group Type | Network Environment | Group Scope | Membership | Account Administration
Users | Active Directory domains, domain member server, or workstation | Built-In Local, Local | Authenticated Users, Domain Users | Administrators, Account Operators
Users | Stand-alone workstation or server | Local | User account selected during installation of the operating system | Administrators
Domain Users | Active Directory domains | Global | Administrators, Guest | Administrators, Account Operators
Power Users | Domain member server or workstation | Local | Interactive; user account selected during installation of the operating system | Administrators
Power Users | Stand-alone workstation or server | Local | User account selected during installation of the operating system | Administrators
Guests | Active Directory domains | Built-In Local | Domain Guests, Guest | Administrators, Account Operators
Guests | Domain member server or workstation; stand-alone workstation or server | Local | Guest | Administrators
Domain Guests | Active Directory domains | Global | Guest | Administrators, Account Operators

Users are the people who do most of their work on a single Windows 2000 workstation. Because of this, members of the Users group have more restrictions than privileges. By default, members of the Users group can't log on locally to a Windows 2000 server acting as a domain controller. However, they can access the controller's resources over the network. On Windows 2000 workstations, members of the Users group can log on to a workstation locally, keep a local profile, lock the workstation, and shut down the workstation. Users can also create local groups and manage those groups.

In Windows 2000 domains, implicitly authenticated users and the global Domain Users group are members of this group by default. For workgroups or isolated workstations, there are no predefined members of this group.

Domain Users is a global group for users in Active Directory domains. When you create new domain users, they're automatically added to this group. By default, the local Administrator and Guest accounts are members of this group.

Power Users exist only on computers that aren't domain controllers. Power Users have all the privileges of members of the Users group, as well as a few additional privileges, such as the capability to modify computer settings and install programs. To give users of a Windows 2000 workstation extra control, Microsoft recommends that you make them members of the Power Users group. This allows users to perform limited administration on their workstations.

Guests are users with very limited privileges. Members of the Guests group can access the system and its resources remotely, but they can't perform most other tasks. In Active Directory domains, the members of this group are Domain Guests and the local Guest user. On computers that are not domain controllers, the only member is Guest.

Note: Keep in mind that any action available to the Everyone group is available to the Guests group. This means that if someone is a member of the local Guests group, that person can perform any task that anyone in the Everyone group can.

Domain Guests are users with guest privileges throughout a domain. By default, the local Guest user is a member of this group. Therefore, anytime you create a local guest account in a Windows 2000 domain, the guest user gains access to the entire domain.

Groups Used by Computers

Windows 2000 provides two types of user accounts for computers. These accounts are designed to set permissions for member servers, workstations, and domain controllers. The computer groups are Domain Computers and Domain Controllers, as compared in Table 7-13.

Table 7-13 Computers Group Overviews

Computers Group Type | Network Environment | Group Scope | Membership | Account Administration
Domain Computers | Active Directory domains | Global | All member servers and workstations in the domain | Administrators, Account Operators
Domain Controllers | Active Directory domains | Global | All domain controllers in a domain | Administrators, Account Operators

You use Domain Computers to identify and set default permissions for member servers and workstations in a domain. By default, Domain Computers have more restrictions than they have capabilities. This configuration reflects their role in the domain environment. You use Domain Controllers to identify and set default permissions for domain controllers in a domain. By default, Domain Controllers have more capabilities than restrictions. This configuration reflects their high-priority role in the domain environment.

Implicit Groups and Identities

Windows 2000 defines a set of special identities that you can use to assign permissions in certain situations. You usually assign permissions implicitly to special identities. However, you can assign permissions to special identities when you modify Active Directory objects. The special identities include:

- The Anonymous Logon identity: Any user accessing the system through anonymous logon has the Anonymous Logon identity. This identity is used to allow anonymous access to resources, such as Web pages published on the corporate presence servers.
- The Authenticated Users identity: Any user accessing the system through a logon process has the Authenticated Users identity. This identity is used to allow access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
- The Batch identity: Any user or process accessing the system as a batch job (or through the batch queue) has the Batch identity. This identity is used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.
- The Creator Group identity: Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.
- The Creator Owner identity: The person who created the file or the directory is a member of this group. Windows 2000 uses this group to automatically grant access permissions to the creator of a file or directory.
- The Dial-Up identity: Any user accessing the system through a dial-up connection has the Dial-Up identity. This identity is used to distinguish dial-up users from other types of authenticated users.
- The Enterprise Domain Controllers identity: Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise using transitive trusts.
- The Everyone identity: All interactive, network, dial-up, and authenticated users are members of the Everyone group. This group is used to give wide access to a system resource.
- The Interactive identity: Any user logged on to the local system has the Interactive identity. This identity is used to allow only local users to access a resource.
- The Network identity: Any user accessing the system through a network has the Network identity. This identity is used to allow only remote users to access a resource.
- The Proxy identity: Users and computers accessing resources through a proxy have the Proxy identity. This identity is used when proxies are implemented on the network.
- The Restricted identity: Users and computers with restricted capabilities have the Restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.
- The Self identity: The Self identity refers to the object itself and allows the object to modify itself.
- The Service identity: Any service accessing the system has the Service identity. This identity grants access to processes being run by Windows 2000 services.
- The System identity: The Windows 2000 operating system itself has the System identity. This identity is used when the operating system needs to perform a system-level function.
- The Terminal Server User identity: Any user accessing the system through terminal services has the Terminal Server User identity. This identity allows terminal server users to access terminal server applications and to perform other necessary tasks with terminal services.

Groups in the Built-in container


The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group. For complete descriptions of the user rights listed in the table, see User Rights Assignment. For information about editing these rights, see Edit security settings on a Group Policy object.

Account Operators
Description: Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.
Default user rights: Allow log on locally; Shut down the system.

Administrators
Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Backup Operators
Description: Members of this group can back up and restore all files on domain controllers in the domain, regardless of their own individual permissions on those files. Backup Operators can also log on to domain controllers and shut them down. This group has no default members. Because this group has significant power on domain controllers, add users with caution.
Default user rights: Back up files and directories; Allow log on locally; Restore files and directories; Shut down the system.

Guests
Description: By default, the Domain Guests group is a member of this group. The Guest account (which is disabled by default) is also a default member of this group.
Default user rights: None.

Incoming Forest Trust Builders (only appears in the forest root domain)
Description: Members of this group can create one-way, incoming forest trusts to the forest root domain. For example, members of this group residing in Forest A can create a one-way, incoming forest trust from Forest B. This one-way, incoming forest trust allows users in Forest A to access resources located in Forest B. Members of this group are granted the permission Create Inbound Forest Trust on the forest root domain. This group has no default members. For more information about creating forest trusts, see Create a forest trust.
Default user rights: None.

Network Configuration Operators
Description: Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members.
Default user rights: None.

Performance Monitor Users
Description: Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups.
Default user rights: None.

Performance Log Users
Description: Members of this group can manage performance counters, logs, and alerts on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators group.
Default user rights: None.

Pre-Windows 2000 Compatible Access
Description: Members of this group have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity Everyone is a member of this group. For more information about special identities, see Special identities. Add users to this group only if they are running Windows NT 4.0 or earlier.
Default user rights: Access this computer from the network; Bypass traverse checking.

Print Operators
Description: Members of this group can manage, create, share, and delete printers connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can log on locally to domain controllers in the domain and shut them down. This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution.
Default user rights: Allow log on locally; Shut down the system.

Remote Desktop Users
Description: Members of this group can remotely log on to domain controllers in the domain. This group has no default members.
Default user rights: None.

Replicator
Description: This group supports directory replication functions and is used by the File Replication service on domain controllers in the domain. This group has no default members. Do not add users to this group.
Default user rights: None.

Server Operators
Description: On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.
Default user rights: Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.

Users
Description: Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, the Domain Users group, Authenticated Users, and Interactive are members of this group. Therefore, any user account created in the domain becomes a member of this group.
Default user rights: None.
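As an added example (not from the original document), the following PowerShell compares the default user rights this table documents for the operator groups and Pre-Windows 2000 Compatible Access against what the domain controller's effective security policy actually assigns. It assumes an elevated prompt on a domain controller, that secedit exports the effective local policy, and that the privilege constants and well-known SIDs below are the standard Windows values; the function names are this example's own.

```powershell
# Added example, not from the original document. Compares the documented
# "Default user rights" of the built-in groups with the rights actually assigned.

# Display name used in the table  ->  privilege / logon-right constant (standard Windows values)
$RightConstants = @{
    'Allow log on locally'                  = 'SeInteractiveLogonRight'
    'Shut down the system'                  = 'SeShutdownPrivilege'
    'Back up files and directories'         = 'SeBackupPrivilege'
    'Restore files and directories'         = 'SeRestorePrivilege'
    'Change the system time'                = 'SeSystemtimePrivilege'
    'Force shutdown from a remote system'   = 'SeRemoteShutdownPrivilege'
    'Access this computer from the network' = 'SeNetworkLogonRight'
    'Bypass traverse checking'              = 'SeChangeNotifyPrivilege'
}

# Well-known SIDs of the built-in groups and the defaults the table lists for them.
$Documented = @{
    'S-1-5-32-548' = @{ Name = 'Account Operators'; Rights = @('Allow log on locally', 'Shut down the system') }
    'S-1-5-32-550' = @{ Name = 'Print Operators';   Rights = @('Allow log on locally', 'Shut down the system') }
    'S-1-5-32-551' = @{ Name = 'Backup Operators';  Rights = @('Back up files and directories', 'Allow log on locally', 'Restore files and directories', 'Shut down the system') }
    'S-1-5-32-549' = @{ Name = 'Server Operators';  Rights = @('Back up files and directories', 'Change the system time', 'Force shutdown from a remote system', 'Allow log on locally', 'Restore files and directories', 'Shut down the system') }
    'S-1-5-32-554' = @{ Name = 'Pre-Windows 2000 Compatible Access'; Rights = @('Access this computer from the network', 'Bypass traverse checking') }
}

function Get-AssignedRights {
    # Exports the effective policy and returns a hashtable: constant -> SIDs/names holding that right.
    $inf = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $assigned  = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        # secedit prefixes SIDs with '*'; strip it so they compare cleanly with the table above.
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $assigned
}

function Compare-OperatorRights {
    $assigned = Get-AssignedRights
    $constantToName = @{}
    foreach ($k in $RightConstants.Keys) { $constantToName[$RightConstants[$k]] = $k }

    foreach ($sid in $Documented.Keys) {
        $entry = $Documented[$sid]
        # Every right in the export whose holder list names this group's SID.
        $held              = @($assigned.Keys | Where-Object { $assigned[$_] -contains $sid })
        $expectedConstants = @($entry.Rights | ForEach-Object { $RightConstants[$_] })
        # Extra rights are reported by constant, since they may lie outside the table's vocabulary.
        $extra   = @($held | Where-Object { $expectedConstants -notcontains $_ })
        $missing = @($expectedConstants | Where-Object { $held -notcontains $_ })
        [PSCustomObject]@{
            Group   = $entry.Name
            Extra   = ($extra -join ', ')
            Missing = (($missing | ForEach-Object { $constantToName[$_] }) -join ', ')
        }
    }
}

# Example run: any non-empty Extra column is a right granted beyond the documented default.
Compare-OperatorRights | Format-Table -AutoSize
```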

Groups in the Users container


The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group. For complete descriptions of the user rights listed in the table, see User Rights Assignment. For information about editing these rights, see Edit security settings on a Group Policy object.

Cert Publishers
Description: Members of this group are permitted to publish certificates for users and computers. This group has no default members.
Default user rights: None.

DnsAdmins (installed with DNS)
Description: Members of this group have administrative access to the DNS Server service. This group has no default members.
Default user rights: None.

DnsUpdateProxy (installed with DNS)
Description: Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members.
Default user rights: None.

Domain Admins
Description: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Domain Computers
Description: This group contains all workstations and servers joined to the domain. By default, any computer account created becomes a member of this group automatically.
Default user rights: None.

Domain Controllers
Description: This group contains all domain controllers in the domain.
Default user rights: None.

Domain Guests
Description: This group contains all domain guests.
Default user rights: None.

Domain Users
Description: This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).
Default user rights: None.

Enterprise Admins (only appears in the forest root domain)
Description: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Group Policy Creator Owners
Description: Members of this group can modify Group Policy in the domain. By default, the Administrator account is a member of this group. Because this group has significant power in the domain, add users with caution.
Default user rights: None.

IIS_WPG (installed with IIS)
Description: The IIS_WPG group is the Internet Information Services (IIS) 6.0 worker process group. Within the functioning of IIS 6.0 are worker processes that serve specific namespaces. For example, www.microsoft.com is a namespace served by one worker process, which can run under an identity added to the IIS_WPG group, such as Microsoft Account. This group has no default members.
Default user rights: None.

RAS and IAS Servers
Description: Servers in this group are permitted access to the remote access properties of users.
Default user rights: None.

Schema Admins (only appears in the forest root domain)
Description: Members of this group can modify the Active Directory schema. By default, the Administrator account is a member of this group. Because this group has significant power in the forest, add users with caution.
Default user rights: None.
