Groups are an important part of network management.
Many administrators are able to accomplish the majority of their
management tasks through the use of groups; they rarely assign
permissions to individual users.
Windows 7 includes built-in
local groups, such as Administrators and Backup Operators. These groups
already have all the permissions needed to accomplish specific tasks.
Windows 7 also uses default special groups, which are managed by the
system. Users become members of special groups based on their
requirements for computer and network access.
You can create and manage
local groups through the Local Users And Groups utility. With this
utility, you can add groups, change group membership, rename groups, and
One misconception about groups
is that groups have to work with Group Policy Objects (GPOs). This is
not correct. Group Policy Objects are a set of rules that allow you to
set computer configuration and user configuration options that apply to
users or computers. Group policies are typically used with Active
Directory and are applied as Group Policy Objects.
In the next sections, you
will learn about groups and all the built-in groups. Then you will learn
how to create and manage these groups.
1. Using Built-in Groups
On a Windows 7 computer,
default local groups have already been created and assigned all
necessary permissions to accomplish basic tasks. In addition, there are
built-in special groups that the Windows 7 system handles automatically.
These groups are described in the following sections.
1.1. Using Default Local Groups
A local group is a group that
is stored on the local computer's accounts database. These are the
groups to which you can add users and can manage directly on a Windows 7
computer. By default, the following local groups are created on Windows
We will briefly describe each group, its default permissions, and the users assigned to the group by default.
If possible, you should
add users to the built-in local groups rather than creating new groups
from scratch. This simplifies administration because the built-in groups
already have the appropriate permissions. All you need to do is add the
users you want to be members of the group.
The Administrators Group
The Administrators group has full permissions and privileges. Its
members can grant themselves any permissions they do not have by default
to manage all the objects on the computer. (Objects include the file
system, printers, and account management.) By default, the Administrator
account, which is disabled by default, and the initial user account are
members of the Administrators local group.
Assign users to the Administrators group with caution since they will have full permissions to manage the computer.
Members of the Administrators group can perform the following tasks:
Install the operating system.
Install and configure hardware device drivers.
Install system services.
Install service packs, hot fixes, and Windows updates.
Upgrade the operating system.
Repair the operating system.
Install applications that modify the Windows system files.
Configure password policies.
Configure audit policies.
Manage security logs.
Create administrative shares.
Create administrative accounts.
Modify groups and accounts that have been created by other users.
Remotely access the Registry.
Stop or start any service.
Increase and manage disk quotas.
Increase and manage execution priorities.
Remotely shut down the system.
Assign and manage user rights.
Re-enable locked-out and disabled accounts.
Manage disk properties, including formatting hard drives.
Modify systemwide environment variables.
Access any data on the computer.
Back up and restore all data.
The Backup Operators Group
Members of the Backup Operators group have permissions to back up and
restore the file system, even if the file system is NTFS and they have
not been assigned permissions to access the file system. However, the
members of Backup Operators can access the file system only through the
Backup utility. To access the file system directly, Backup Operators
must have explicit permissions assigned. There are no default members of
the Backup Operators local group.
The Cryptographic Operators Group
The Cryptographic Operators group has access to perform cryptographic
operations on the computer. There are no default members of the
Cryptographic Operators local group.
The Distributed COM Users Group
The Distributed COM Users group has the ability to launch and run
Distributed COM objects on the computer. There are no default members of
the Distributed COM Users local group.
The Event Log Readers Group
The Event Log Readers group has access to read the event log on the
local computer. There are no default members of the Event Log Readers
The Guests Group
The Guests group has limited access to the computer. This group is
provided so that you can allow people who are not regular users to
access specific network resources. As a general rule, most
administrators do not allow Guest access because it poses a potential
security risk. By default, the Guest user account is a member of the
Guests local group.
The IIS_IUSRS Group
The IIS_IUSRS group is used by Internet Information Services (IIS). The
NT AUTHORITY\IUSR user account is a member of the IIS_IUSRS group by
The Network Configuration Operators Group
Members of the Network Configuration Operators group have some
administrative rights to manage the computer's network configuration—for
example, editing the computer's TCP/IP settings.
The Performance Log Users Group
The Performance Log Users group has the ability to access and schedule
logging of performance counters and can create and manage trace counters
on the computer.
The Performance Monitor Users Group
The Performance Monitor Users group has the ability to
access and view performance counter information on the computer. Users
who are members of this group can access performance counters both
locally and remotely.
The Power Users Group
The Power Users group is included in Windows 7 for backward
compatibility. The Power Users group is included to ensure that
computers upgraded from Windows XP function as before with regard to
folders that allow access to members of the group. Otherwise, the Power
Users group has limited administrative rights.
The Remote Desktop Users Group
Membership in the Remote Desktop Users group allows users to
log on remotely for the purpose of using the Remote Desktop service.
The Replicator Group
The Replicator group is intended to support directory replication,
which is a feature used by domain servers. Only domain users who will
start the replication service should be assigned to this group. The
Replicator local group has no default members.
The Users Group
The Users group is intended for end users who should have very limited
system access. If you have installed a fresh copy of Windows 7, the
default settings for the Users group prohibit its members from
compromising the operating system or program files. By default, all
users who have been created on the computer, except Guest, are members
of the Users local group.
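Because members of the built-in groups inherit their rights automatically, it pays to review who is actually in the privileged ones. The PowerShell below is an added example, not part of the original text: it finds the groups by well-known SID through the ADSI WinNT provider (usable from the PowerShell 2.0 included with Windows 7) and flags members that are not on an allow-list. The $expected list and the function name Get-BuiltinGroupMember are assumptions made for the example.

```powershell
# Added example: list members of privileged built-in local groups.
# Well-known SIDs are used so the lookup does not depend on localized group names.
$privilegedSids = @(
    'S-1-5-32-544',   # Administrators
    'S-1-5-32-551',   # Backup Operators
    'S-1-5-32-555',   # Remote Desktop Users
    'S-1-5-32-556'    # Network Configuration Operators
)

# Assumption: account names this site expects to find; anything else is flagged.
$expected = @('Administrator')

function Get-BuiltinGroupMember([string]$Sid) {
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # Translate() returns e.g. "BUILTIN\Administrators"; keep the part after the backslash.
    $groupName = $sidObj.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type = $member.GetType()
        $name = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Group  = $groupName
            Member = $name
            # ADsPath shows whether the member is a local or a domain account.
            Path   = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            Review = ($expected -notcontains $name)
        }
    }
}

$report = foreach ($sid in $privilegedSids) { Get-BuiltinGroupMember $sid }
$report | Sort-Object Group, Member | Format-Table Group, Member, Review, Path -AutoSize
```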
Windows 7 also uses special groups. In the next section, we will look at special groups and how they work.
2. Using Special Groups
Special groups can be used by
the system or by administrators. Membership in these groups is automatic
if certain criteria are met. You cannot manage special groups through
the Local Users And Groups utility, but an administrator can add these
special groups to resources. Table 1 describes several of the special groups that are built into Windows 7.
Table 1. Special Groups in Windows 7
|Creator Owner||The Creator Owner is the account that created or took ownership of an object. This is typically a user account. Each object (files, folders, printers, and print jobs) has an owner. Members of the Creator Owner group have special permissions to resources. For example, if you are a regular user who has submitted 12 print jobs to a printer, you can manipulate your print jobs as Creator Owner, but you can't manage any print jobs submitted by other users.|
|Everyone||This group includes anyone who could possibly access the computer. The Everyone group includes all users who have been defined on the computer (including Guest), plus (if your computer is a part of a domain) all users within the domain. If the domain has trust relationships with other domains, all users in the trusted domains are part of the Everyone group as well. The exception to automatic group membership with the Everyone group is that members of the Anonymous Logon group are not included as a part of the Everyone group.|
|Interactive||This group includes all users who use the computer's resources locally. Local users belong to the Interactive group.|
|Network||This group includes users who access the computer's resources over a network connection. Network users belong to the Network group.|
|Authenticated Users||This group includes users who access the Windows 7 operating system through a valid username and password. Users who can log on belong to the Authenticated Users group.|
|Anonymous Logon||This group includes users who access the computer through anonymous logons. When users gain access through special accounts created for anonymous access to Windows 7 services, they become members of the Anonymous Logon|
|Batch||This group includes users who log on as a user account that is used only to run a batch job. Batch job accounts are members of the Batch group.|
|Dial-up||This group includes users who log on to the network from a dial-up connection. Dial-up users are members of the Dialup group.|
|Service||This group includes users who log on as a user account that is used only to run a service. You can configure the use of user accounts for logon through the Services program, and these accounts become members of the|
|System||When the system accesses specific functions as a user, that process becomes a member of the System group.|
|Terminal Server User||This group includes users who log on through Terminal Services. These users become members of the Terminal Server User group.|
Now that we have looked at
the different types of groups, let's take a look at how to manage and
work with these groups. In the next section we will discuss how to work
To work with groups, you can use the Local Users And Groups utility. Let's take a look at how to create new groups.
2.1. Creating Groups
To create a group, you must be
logged on as a member of the Administrators group. The Administrators
group has full permissions to manage users and groups.
As you do in your choices for
usernames, keep your naming conventions in mind when assigning names to
groups. When you create a local group, consider the following
The group name should be descriptive (for example, Accounting Data Users).
The group name must be unique to the computer, different from all other group names and usernames that exist on that computer.
Group names can be up to 256 characters. It is best to use alphanumeric characters for ease of administration. The backslash (\) character is not allowed.
Creating groups is similar
to creating users, and it is a fairly easy process. After you've added
the Local Users And Groups MMC or use Local Users And Groups through
Computer Management, expand it to see the Users and Groups folders.
Right-click the Groups folder and select New Group from the context
menu. This brings up the New Group dialog box, shown in Figure 1.
Figure 1. The New Group dialog box
The only required entry in
the New Group dialog box is the group name. If appropriate, you can
enter a description for the group, and you can add (or remove) group
members. When you're ready to create the new group, click the Create
Complete Exercise 1 to create two new local groups.
Open the Admin Console MMC Desktop shortcut you created and expand the Local Users And Groups snap-in.
Right-click the Groups folder and select New Group.
In the New Group dialog box, type Data Users in the Group Name text box. Click the Create button.
In the New Group dialog box, type Application Users in the Group Name text box. Click the Create button.
After the groups are
created, you will have to manage the groups and their membership. In the
next section, we will look at managing groups.
2.2. Managing Group Membership
After you've created a group,
you can add members to it. As mentioned earlier, you can put the same
user in multiple groups. You can easily add and remove users through a
group's Properties dialog box, shown in Figure 2.
To access this dialog box from the Groups folder in the Local Users And
Groups utility, double-click the group you want to manage.
Figure 2. A group Properties dialog box
From the group's
Properties dialog box, you can change the group's description and add or
remove group members. When you click the Add button to add members, the
Select Users dialog box appears (Figure 3).
Figure 3. The Select Users dialog box
In the Select Users dialog
box, you enter the object names of the users you want to add. You can
use the Check Names button to validate the users against the database.
Select the user accounts you wish to add and click Add. Click the OK
button to add the selected users to the group.
To remove a member from the
group, select the member in the Members list of the Properties dialog
box and click the Remove button.
In Exercise 2, you'll create new user accounts and then add these users to one of the groups you created in the previous steps.
Open the Admin Console MMC shortcut you created and expand the Local Users And Groups snap-in.
Create two new users: JDoe and DDoe. Deselect the User Must Change Password At Next Logon option for each user.
Expand the Groups folder.
Double-click the Data Users group.
In the Data Users Properties dialog box, click the Add button.
In the Select Users dialog box, type the username JDoe; then click OK. Click Add and type the username DDoe; then click OK.
In the Data Users Properties dialog box, you will see that the users have
both been added to the group. Click OK to close the group's Properties
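Exercises 1 and 2 can also be carried out from an elevated PowerShell prompt with the built-in net.exe commands. The script below is an added example, not part of the original exercises; it checks each name against the naming rules given in section 2.1 before creating the group. Test-GroupName is a hypothetical helper name, and the script assumes the JDoe and DDoe accounts already exist.

```powershell
# Added example: scripted version of Exercises 1 and 2 (run elevated).

# Returns $null when the name is acceptable, otherwise the reason it is not.
function Test-GroupName([string]$Name) {
    if ([string]::IsNullOrEmpty($Name)) { return 'name is empty' }
    if ($Name.Length -gt 256)           { return 'longer than 256 characters' }
    if ($Name.Contains('\'))            { return 'contains a backslash' }

    # The name must differ from every existing local group and user name.
    # net.exe sets a non-zero exit code when the account is not found.
    & net.exe localgroup $Name 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { return 'a group with this name already exists' }
    & net.exe user $Name 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { return 'a user with this name already exists' }
    return $null
}

# Exercise 1: create the two local groups.
foreach ($name in 'Data Users', 'Application Users') {
    $problem = Test-GroupName $name
    if ($problem) {
        Write-Warning "${name}: $problem"
        continue
    }
    & net.exe localgroup $name /add
}

# Exercise 2: add the two users to Data Users.
foreach ($user in 'JDoe', 'DDoe') {
    & net.exe localgroup 'Data Users' $user /add
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add $user to Data Users" }
}

# Show the resulting membership, as the Properties dialog box would.
& net.exe localgroup 'Data Users'
```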
There may come a point when a
specific group is no longer needed. In the next section, we will look
at how to delete a group from the Local Users And Groups utility.
2.3. Deleting Groups
If you are sure that you will
never again want to use a particular group, you can delete it. Once a
group is deleted, you lose all permissions assignments that have been
specified for the group.
To delete a group,
right-click the group and choose Delete from the context menu. You will
see a warning that once a group is deleted, it is gone for good. Click
the Yes button if you're sure you want to delete the group.
If you delete a group and
give another group the same name, the new group won't be created with
the same properties as the deleted group because, as with users, groups
get unique SIDs assigned at the time of creation.
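The practical consequence is that permissions follow the SID, not the name: an entry granted to the deleted group stays on the resource as an unresolved SID, and the new group of the same name gets none of that access. The script below is an added example, not part of the original text, that shows this on a scratch folder; the group name, the folder, and the Get-LocalGroupSid helper are constructed for the demonstration, and it must run from an elevated prompt.

```powershell
# Added example: a recreated group gets a new SID and loses the old group's ACL entries.
$name = 'SID Demo Group'                     # constructed, throwaway group name
$dir  = Join-Path $env:TEMP 'sid-demo'       # constructed scratch folder

function Get-LocalGroupSid([string]$GroupName) {
    $acct = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $GroupName)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

New-Item -ItemType Directory -Path $dir -Force | Out-Null
& net.exe localgroup $name /add | Out-Null
$oldSid = Get-LocalGroupSid $name

# Grant Modify to the group, addressing it by SID (icacls takes "*<SID>").
& icacls.exe $dir /grant "*${oldSid}:(OI)(CI)M" | Out-Null

# Delete the group, then create a new group with the same name.
& net.exe localgroup $name /delete | Out-Null
& net.exe localgroup $name /add | Out-Null
$newSid = Get-LocalGroupSid $name

# Explicit entries on the folder; an entry whose group no longer exists shows as a raw SID.
$aces = @((Get-Acl $dir).Access | Where-Object { -not $_.IsInherited })
$aces | Format-Table IdentityReference, FileSystemRights -AutoSize

$orphaned = @($aces | Where-Object { $_.IdentityReference.Value -eq $oldSid }).Count -gt 0
"Old SID            : $oldSid"
"New SID            : $newSid"
"SID reused         : $($oldSid -eq $newSid)"
"ACE names old SID  : $orphaned"

# Clean up the demonstration objects.
& net.exe localgroup $name /delete | Out-Null
Remove-Item $dir -Recurse -Force
```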
Creating users and
groups is one of the most important tasks that we as IT members can do.
On a Windows 7 machine, creating users and groups is an easy and
Now that you understand
how to create users and groups, you need to know how to manage security.
In the next sections, we will look at how to secure Windows 7.