Windows Server 2003 has four categories of default groups: groups in the Builtin folder, groups in the Users folder, special identity groups, and default local groups. All of the default groups are security groups and have been assigned common sets of rights and permissions that you might want to assign to the users and groups that you place into the default groups.
Groups in the Builtin Folder
Windows Server 2003 creates default security groups with a domain local scope in the Builtin folder in the Active Directory Users And Computers console. The groups in the Builtin folder are primarily used to assign default sets of permissions to users who have administrative responsibilities in the domain. Table 8-2 describes the default groups in the Builtin folder.
This group exists only on domain controllers. By default, the group has no members. By default, members can create, modify, and delete accounts for users, groups, and computers in all containers and OUs of Active Directory except the Builtin folder and the Domain Controllers OU. Members do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
Members have complete and unrestricted access to the computer or domain controller, including the right to change their own permissions. If the Administrator account resides on the first domain controller con-figured for the domain, the Administrator account is automatically added to the Domain Admins group and complete access to the domain is granted.
By default, this group has no members. Members can back up and restore all files on a computer, regardless of the permissions that pro¬tect those files. Members can also log on to the computer and shut it down.
Members have the same privileges as members of the Users group. Members can create incoming, one-way trusts to this forest.
Members have the same default rights as members of the Users group. Members can perform all tasks related to the client side of network configuration except for installing and removing drivers and services. Members cannot configure network server services such as the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) server services.
Members have remote access to schedule logging of performance counters on this computer.
Members have remote access to monitor this computer.
Members have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Microsoft Windows NT 4 and earlier.
This group exists only on domain controllers. Members can manage printers and document queues.
Members can log on to a computer from a remote location.
This group supports directory replication functions and is used by the file replication service on domain controllers. By default, the group has no members. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add users to this group.
This group exists only on domain controllers. By default, the group has no members. Members can log on to a server interactively, create and delete network shares, start and stop services, back up and restore files, format the hard disk of the computer, and shut clown the computer.
Terminal Server License Servers
Members are prevented from making accidental or intentional system-wide changes. Members can run certified applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions. Members cannot share folders or install printers on the local computer. By default, the Domain Users group is a member.
Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
Off the Record If you need to create a list of groups, you can use the Net Localgroup and Net Group commands. For example, you could open a command prompt and type net localgroup > C:\localgroups.txt to create a list of local groups in a file named C:\localgroups.txt. As another example of how the Net commands work, examine and run the batch file named Grouplistings.bat on the Supplemental CD-ROM in the \70-294\ Labs\Chapter08 folder.