Chapter 2 - Working with User and Group Accounts

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

User and group accounts enable users to participate in a domain and to access its resources. Rights and permissions granted to user accounts and group accounts provide the appropriate amount of freedom and restrictions that an organization's various resources require.

Managing user accounts and groups involves careful planning, but the procedures for administering accounts are simple and straightforward. In most cases, these procedures are identical for domain accounts and for workstation accounts.

Managing User Accounts

Each person who will regularly use the network and participate in a domain must have a user account in a domain on the network. The user account contains information about the user, including name, password, and various optional entries that determine when and how the user logs on and how the user's desktop settings are stored.

Domain Accounts and Workstation Accounts

Computers running Windows NT Workstation and member servers (computers running Windows NT Server that are not domain controllers) maintain user accounts, groups, and security policies separate from those of the domain. The built-in accounts on such computers provide built-in rights on the computer that parallel the rights afforded by these same built-in accounts on the domain level.

When a domain controller is configured, its built-in accounts provide the administrator with certain administrative rights. When a workstation or member server is configured, its built-in accounts provide the administrator with administrative rights. To achieve the appropriate level of control over a workstation, member server, or domain, the administrator decides which user accounts to add to the various built-in groups.

Management Utilities: User Manager and User Manager for Domains

A computer's operating system determines the type of accounts you can manage, as well as the utility you use to manage them:

  • On computers running Windows NT Workstation, you manage the accounts of that workstation only, and you use the User Manager utility.

  • On computers running Windows NT Server, you manage accounts on the local domain or on any workstation, member server, or other domain to which you have access. To do so, you use the User Manager for Domains utility.

  • You can install User Manager for Domains on a computer running Windows NT Workstation or Windows® 95 using Client-based Administration Tools. With User Manager for Domains installed on the client computer, you can administer domain controllers and other workstations from that computer.

For information about using Client-based Network Administration Tools, see Chapter 11, "Managing Client Administration."

For information about using User Manager for Domains on client computers, see "To install Client-based Network Administration Tools on a computer running Windows NT Workstation" and "To install Client-based Network Administration Tools on a computer running Windows 95" in Network Client Administrator Help.

Using a Low-Speed Connection 

Some domains and computers might communicate with your computer across a connection that has relatively low transmission rates. For example, slow transmission can occur on a domain controller that is connected to your computer using a Remote Access Service (RAS) connection, overseas connection, or connection that is saturated with other high-volume tasks that should not be interrupted with User Manager for Domains tasks. To reduce delays in the display of user accounts, groups, or computers, select Low Speed Connection.

For more information, see "Using Low Speed Connection" in User Manager for Domains Help.

Refreshing the View

When User Manager for Domains first displays a domain or a computer, it receives the information necessary to create the user account and the group lists. Information displayed by User Manager for Domains is automatically updated at fixed intervals. However, if you need to make sure the displayed information is current, use the Refresh command on the View menu.

Note When Low Speed Connection is selected, the Refresh command is unavailable.

Domain User Accounts

A domain user account contains information that defines a user to a Windows NT Server domain controller. In User Manager for Domains, you can establish, delete, or disable domain user accounts. You can also set security policies and add user accounts to groups.

Contents of a User Account

When creating a user account, you provide several pieces of information that determine how the account can be used. The following list shows the contents of each user account:

  • User name: The unique name the user types when logging on; often a combination of parts of the user's first and last names.

  • Full name: The user's full name.

  • Description: Any text describing the user or user account.

  • Password: The user's secret password.

  • Logon hours: The hours during which the user is allowed to log on. This setting affects both being able to log on to the network and being able to access servers. Whether users are forced to log off when their logon hours expire is determined by a setting in the domain's account security policy. For more information, see "Managing Logon Hours" later in this chapter.

  • Logon workstations: The computer names of the Windows NT computers that the user can work from. By default, the user can use any workstation, but you can limit this if you want.

  • Expiration date: A future date when the account automatically becomes disabled; it is useful to ensure that accounts for temporary employees or students are not unnecessarily kept active.

  • Home directory: A directory that is private to the user. An administrator creates this directory, and the user controls access to it.

  • Logon script: A batch file or executable file that runs automatically when the user logs on.

  • Profile: The path to a folder containing information that is retained to create the user's desktop environment between logons, such as program groups, network connections, and screen colors, and settings determining what aspects of the environment the user can change. For information about user profiles, see Chapter 3, "Managing User Work Environments."

  • Account type: The account type is either global or local. Most accounts you create will be global accounts. For information about local accounts, see "Adding Local User Accounts" later in this chapter. This option is available only on Windows NT Server domains.

In addition, several conditions affect the user with respect to their unique domain or local computer password. These conditions can be selected or cleared by the administrator or account operator for the domain controller or by the administrator for a workstation or member server containing user accounts.

  • User Must Change Password at Next Logon (default: Selected). If selected, the user will be forced to change the password the next time he or she logs on. The setting changes to On when the user's password reaches the maximum password age as set for the domain in Account Policy. Once the password is changed, the setting changes to Off.

  • User Cannot Change Password (default: Cleared). If selected, the user cannot change his or her own password. This restriction is useful for shared accounts. It does not apply to administrators.

  • Password Never Expires (default: Cleared). If selected, this user account ignores the password expiration policy set for the domain, and the password never expires. This is used for accounts that represent services, such as the Replicator service. It is also useful for accounts for which you want the password to never change, such as guest accounts.

  • Account Disabled (default: Cleared). If selected, this account is disabled and cannot be logged on to. It is not removed from the database, but no one can log on to the account until you enable it again.

Security Identifier (SID) 

A user or group account includes a security identifier (SID), a unique number that identifies the account. Every account on your network is issued a unique SID when the account is first created. Internal processes in Windows NT refer to an account's SID rather than the account's user or group name. If you create an account, delete it, and then create an account with the same user name, the new account will not have the rights or permissions previously granted to the old account because the accounts have different SID numbers.

Domain Names

On some Windows NT Server screens (such as in User Manager for Domains), a domain name precedes the user name. The domain name indicates where the user's account was created and where it resides within the overall domain structure. For example, user JohnL from the Sales domain might appear as SALES\JohnL. This name would distinguish him from a different JohnL in another domain (such as ENGINEERING\JohnL).

Built-in Domain and Workstation User Accounts

Two built-in user accounts are created automatically when Windows NT Server or Windows NT Workstation is installed: the Administrator account and the Guest account.

Built-in Administrator User Account

The Administrator account is the one you use when you first set up a new domain controller, member server, or workstation. You use this account before you create an account for yourself. The Administrator user account is a member of the Administrators local group on a domain controller, workstation, or member server. The Administrator account can never be deleted, disabled, or removed from the Administrators local group, ensuring that you never lock yourself out of the computer by deleting or disabling all the administrative accounts. This feature sets the Administrator account apart from other members of the Administrators local group.

The built-in Administrator account gives a user automatic rights to perform domain management tasks on a domain controller or on a workstation or member server that resides within that domain or a trusting domain. During Setup, the domain administrator or MIS person who sets up the domain PDC is prompted for a password to the Administrator account. This password should be guarded carefully, not only for security purposes but also because if the password is forgotten or the person who knows the password becomes unavailable, the built-in Administrator account is unusable. The password can be changed but it does not expire.

The user who sets up a workstation can assign a password to the Administrator account, or leave it blank. In the latter case, anyone can use the account without a password.

After the PDC is set up, the built-in Administrator account can be renamed, but it can never be deleted or disabled.

Tip Following installation, it is a good idea to create an additional administrative account with administrative-level abilities and reserve the built-in Administrator account for emergency purposes. When each administrative user has a separate account, their actions can be audited on the individual user account name as opposed to the Administrator account.

For information about built-in groups and rights, see "Using Groups to Assign User Abilities" later in this chapter.

For information about auditing, see Chapter 9, "Monitoring Events."

For information about installing a PDC, see Windows NT Server Start Here. 

Built-in Guest Account

The Guest account is used for logons by people who do not have an actual account on the computer or domain or in any of the domains trusted by the computer's domain. A user whose account is disabled (but not deleted) can also use the Guest account. The Guest account does not require a password and can be used for two types of guest logons: local guest logons and network guest logons. You can configure each domain and computer to allow both types of guest logon, only one type, or neither type. The Guest account is disabled by default when Windows NT Server or Windows NT Workstation is installed, but you can reenable it.

You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group, which allows a user to log on to a workstation or member server (the right to log on locally) only. Rights other than this one, as well as any permissions, must be granted to the Guests local group by an Administrator or Account Operator.

Guests have no predefined rights on a domain controller.

A local guest logon takes effect when a user logs on interactively at a computer running Windows NT Workstation or at a member server running Windows NT Server and specifies Guest as the user name in the Logon Information dialog box. Because the Guest account on these computers (but not on domain controllers) has the built-in right to log on locally, the guest user can then work at that computer (subject to the rights and permissions you have granted the Guest account) and use it to access the network.

A network guest logon takes effect when a user who has logged on interactively to either a domain account or a local computer account (as in the case of a workgroup member) tries to connect to another computer, and that computer falls back to its Guest account. The computer being connected to can be any of the following:

  • A computer running Windows NT Workstation in either a workgroup or a domain

  • A member server

  • A domain controller

  • A LAN Manager 2.x client computer

In the case of a workgroup, the computer name is treated as a domain name by the computer being accessed. The computer being connected to might not recognize the user's account for any of the following reasons:

  • The domain specified as containing the user's account is not trusted and the user does not have an account in the domain or in the directory database of the computer being accessed. This case always applies to a workgroup computer because workgroup computers do not use trust relationships, and the computer being connected to treats the computer name as a domain name.

  • The domain specified as containing the user's account is trusted but the user does not have an account in the trusted domain.

  • The domain is the same as the domain of the computer being connected to and the user does not have an account in the domain or in the directory database of the computer being connected to (if it is not a domain controller).

A network guest logon is approved only if the Guest account of the destination computer is enabled and has no password set. The guest user then has all rights, permissions, and group memberships on the computer that are granted to the Guest account, even though the guest user has not specified Guest as his or her user name.

Tip To allow local guest logons but not network guest logons, enable the Guest account, but revoke its Access This Computer From Network user right in User Manager for Domains.

To allow network guest logons but not local guest logons, enable the Guest account, and revoke its Log On Locally user right. (Be sure Guest has the Access This Computer From Network right.)
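The recognition rules and the two Tips above, written out as a small decision model. This is an added example, not Windows NT code: the domain, computer and account names are constructed, password checking is outside the model, and the assumption that the Guest account starts with both the Log On Locally and Access This Computer From Network rights is this example's own.

```python
"""Model of the guest logon rules in this chapter: when a destination computer
falls back to its Guest account for an incoming network connection, when a
local guest logon is possible, and what each of the two Tips changes. Added
example, not Windows NT code; domain, computer and account names are
constructed, and password checking is outside the model."""
from dataclasses import dataclass

NETWORK_RIGHT = "Access this computer from network"
LOCAL_RIGHT = "Log on locally"


@dataclass(frozen=True)
class Computer:
    name: str
    domain: str                   # a workgroup member: its own computer name
    is_domain_controller: bool = False
    trusted_domains: frozenset = frozenset()
    local_accounts: frozenset = frozenset()  # own directory database (non-DC)
    guest_enabled: bool = False              # disabled by default at install
    guest_password_set: bool = False
    # Assumption: Guest starts with both rights; each Tip revokes one of them.
    guest_rights: frozenset = frozenset({LOCAL_RIGHT, NETWORK_RIGHT})


def recognizing_authority(dest, directories, account_domain, user):
    """Return the domain or computer whose database recognizes the account, or
    None for the chapter's three 'not recognized' cases. *directories* maps a
    domain name to the user names held by that domain's controllers."""
    if account_domain in dest.trusted_domains:
        # Trusted domain: only that domain's database is consulted.
        return account_domain if user in directories.get(account_domain, ()) else None
    # Same domain, or an untrusted one (a workgroup computer name is treated as
    # a domain name here): look in the destination's own domain and, unless it
    # is a domain controller, in its own directory database.
    if user in directories.get(dest.domain, ()):
        return dest.domain
    if not dest.is_domain_controller and user in dest.local_accounts:
        return dest.name
    return None


def network_logon(dest, directories, account_domain, user):
    """The identity a connecting user gets on *dest*: its own recognized
    account as AUTHORITY\\user, 'Guest' for a network guest logon, or None
    when the connection is refused."""
    authority = recognizing_authority(dest, directories, account_domain, user)
    if authority is not None:
        return f"{authority}\\{user}"
    if (dest.guest_enabled and not dest.guest_password_set
            and NETWORK_RIGHT in dest.guest_rights):
        return "Guest"
    return None


def local_guest_logon(dest):
    """Whether typing Guest at the keyboard of *dest* works. Guests have no
    predefined rights on a domain controller."""
    return (dest.guest_enabled and not dest.is_domain_controller
            and LOCAL_RIGHT in dest.guest_rights)
```

Running the model against a workstation with Guest enabled and no password shows the exposure the chapter describes: any name from an unrecognized domain or workgroup computer is admitted as Guest, and only the Tip configurations narrow that to one logon type.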

For information about how to manage user accounts, see "Managing Properties for One User Account" in User Manager for Domains Help.

For information about logon validation, see Chapter 1, "Managing Windows NT Server Domains."

For information about configuring computers while installing Windows NT Server or Windows NT Workstation, see Windows NT Server Start Here.

Adding New Domain User Accounts

To create additional user accounts or modify existing accounts, use User Manager for Domains.

When adding a user account you will be asked to provide a user name, which can be up to 20 characters. It must be unique to the domain or computer being administered. It can contain any uppercase or lowercase characters except the following:

" / \ [ ] : ; | = , + * ? < >

A user name cannot consist solely of periods (.) and spaces.

Be consistent in the way you enter user names because when Windows NT presents lists of user accounts, they are usually sorted by the user names. It is a good idea to establish a standard for user names, such as a shortened combination of the first and last names (JeffHo for Jeff Howard).

You will also be asked to provide the user's full name. It is a good idea to establish a standard for full names so that they always begin with either the last name (Howard, Jeff ) or the first name (Jeff Howard). The full name can also affect the sort order because the user account list in the User Manager for Domains window can optionally be sorted by full name instead of user name.
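The user name rules and the naming standard suggested above, as a validator. This is an added example, not part of the original documentation; the helper names, the case-insensitive uniqueness comparison and the digit-suffix rule for resolving a clash are this example's own assumptions.

```python
"""Checks for the Windows NT user name rules stated in this chapter, plus the
naming convention it suggests. Added example, not part of the original
documentation; the helper names and the digit-suffix clash rule are this
example's own choices."""

# The characters the chapter lists as not allowed in a user name.
ILLEGAL_CHARS = frozenset('"/\\[]:;|=,+*?<>')
MAX_LEN = 20


def validate_user_name(name, existing=()):
    """Return the rule violations for *name*; an empty list means it is acceptable.

    *existing* holds the names already defined in the domain or on the computer
    being administered, the scope in which the chapter requires uniqueness.
    Assumption: NT account names are compared without regard to case."""
    problems = []
    if not name:
        return ["user name is empty"]
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(name)})")
    bad = sorted(set(name) & ILLEGAL_CHARS)
    if bad:
        problems.append("contains illegal character(s): " + " ".join(bad))
    if set(name) <= {".", " "}:
        problems.append("consists solely of periods and spaces")
    if name.lower() in {n.lower() for n in existing}:
        problems.append("not unique in this domain or computer")
    return problems


def suggest_user_name(first, last, existing=()):
    """Build a name under the convention the chapter gives as an example, the
    first name followed by the first two letters of the last name
    (Jeff Howard -> JeffHo), and make it unique against *existing*.
    Assumption: a clash is resolved by appending 2, 3, ... to the base name."""
    raw = first.strip() + last.strip()[:2]
    base = "".join(c for c in raw
                   if c not in ILLEGAL_CHARS and not c.isspace())[:MAX_LEN]
    if not base or set(base) <= {"."}:
        raise ValueError("cannot derive a legal user name from the full name")
    candidate, n = base, 2
    while validate_user_name(candidate, existing):
        # Only the uniqueness rule can fail here: base is already legal.
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        n += 1
    return candidate
```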

For information about how to create a user account, see "Creating a New User Account" in User Manager for Domains Help.

Adding Several Accounts at One Time

User accounts can contain a lot of information. Typing that information for each user can take a lot of time, but with Windows NT Server Directory Services there are ways you can make creating user accounts easier. You can create a new account by copying an existing account and just changing the user name, full name, and initial password, and any other information that must be changed. You can also create one or more template accounts. These accounts are not used by real users but serve only as bases for the real accounts you create. For greater security, you can disable your template accounts to ensure that no user can log on using them. The copies that you make are enabled by default.

For information about how to add user accounts, see "Creating a New User Account" and "Copying a User Account" in User Manager for Domains Help.

Selecting User Accounts

The user account list in the User Manager for Domains window includes all user accounts of the displayed domain. One or more user accounts can be selected from this list:

  • You can copy, delete, rename, or modify the properties of a selected user account or create a new group that contains that account.

  • You can modify or delete multiple user accounts at the same time.

  • You can modify the properties of a group, delete a group, or create a new group containing the selected accounts.

Note When Low Speed Connection is selected, the Select Users command is unavailable.

For more information, see "Selecting User Accounts", "Managing Properties for One User Account" and "Managing Properties for Multiple User Accounts" in User Manager for Domains Help.

Copying Existing Accounts

It is often quicker and more convenient to copy an existing user account than to create a new one. By copying, you ensure that the group memberships and many other properties are copied to the new account.

When a user account is copied, the description, group memberships, logon hours, logon workstations, and account information are copied exactly.

To have the system automatically enter the account user name into the home directory path, use %USERNAME%. For more information, see "Using %USERNAME% in the Home Directory Path" later in this chapter.

  • The user name, full name, and password boxes of the new account are blank and must be entered. The User Cannot Change Password and Password Never Expires check boxes are copied.

    Note When copying an account that is a member of the Administrators local group, the User Cannot Change Password setting is not copied.

  • Usually, the User Must Change Password At Next Logon check box is selected, regardless of its setting in the original account. However, if the User Cannot Change Password check box is copied as selected, then the User Must Change Password At Next Logon check box is cleared.

  • The Account Disabled check box is always cleared, regardless of the setting in the original user account. You can create a new user account, configure it as needed, disable it, and then use it as a template. You can quickly make numerous copies of a disabled template account.

User Manager for Domains does not copy rights and permissions granted to a user account. However, it is recommended that these be provided only to groups and not granted directly to user accounts. Because the group memberships of the original account are copied to the new user account, the new user account will usually have the same abilities and access to resources as the original account.
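The copy rules above, including the %USERNAME% substitution in the home directory path mentioned earlier, as a model of what a copied account ends up with. This is an added example, not the product's own code; the account fields are a simplified model and the sample values in the comments are constructed.

```python
"""Model of what User Manager for Domains carries over when it copies a user
account, following the rules given in this chapter. Added example, not the
product's own code; the account fields are a simplified model."""
import re
from dataclasses import dataclass


@dataclass
class UserAccount:
    user_name: str
    full_name: str
    password: str
    description: str = ""
    groups: frozenset = frozenset()
    home_directory: str = ""                     # may contain %USERNAME%
    logon_hours: str = "always"
    logon_workstations: frozenset = frozenset()  # empty: any workstation
    must_change_password: bool = True
    cannot_change_password: bool = False
    password_never_expires: bool = False
    disabled: bool = False


def copy_account(template, user_name, full_name, password):
    """Copy *template* the way the chapter describes. User name, full name and
    password are blank in the copy and must be supplied. Rights and permissions
    granted directly to the template are not account fields and are not copied,
    which is why the chapter recommends granting them to groups instead."""
    # User Cannot Change Password is not copied from a member of Administrators.
    cannot_change = (template.cannot_change_password
                     and "Administrators" not in template.groups)
    return UserAccount(
        user_name=user_name,
        full_name=full_name,
        password=password,
        description=template.description,            # copied exactly
        groups=template.groups,                      # copied exactly
        home_directory=template.home_directory,      # %USERNAME% stays symbolic
        logon_hours=template.logon_hours,            # copied exactly
        logon_workstations=template.logon_workstations,
        # Normally selected, unless Cannot Change Password was copied as selected.
        must_change_password=not cannot_change,
        cannot_change_password=cannot_change,
        password_never_expires=template.password_never_expires,  # copied
        disabled=False,  # always cleared: copies of a disabled template can log on
    )


def expand_home_directory(account):
    """Substitute the account's user name for %USERNAME% in the home directory
    path, matching the marker case-insensitively (the chapter types it both as
    %USERNAME% and %username%). A template such as \\\\SALES\\home\\%USERNAME%
    therefore yields a distinct directory for every copy."""
    return re.sub(r"%username%", lambda _m: account.user_name,
                  account.home_directory, flags=re.IGNORECASE)
```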

For information about how to copy user accounts, see "Copying a User Account" in User Manager for Domains Help.

For information about creating and copying user profiles, see Chapter 3, "Managing User Work Environments."

Specifying a Home Directory

A home directory contains a user's files and programs; it can be assigned to an individual or be shared by many users. Because home directories collect user files in one location, they make it easy for an administrator to back up user files and delete user accounts. You specify a home directory by adding a directory path to the user account. Home directories must be added to a shared directory with appropriate access.

The home directory is a user's default directory for the File Open and Save As dialog boxes, for the command prompt, and for all applications that do not have a working directory defined.

User Manager for Domains automatically applies directory permissions if it creates the home directory. When one user account is being administered and a new home directory is created, that user is granted Full Control. When two or more user accounts are being administered and a new home directory is created, Full Control is granted to Everyone.

User Manager for Domains does not automatically apply permissions if the directory already exists. In this case, you must apply the permissions using Windows NT Explorer.

If the user account does not specify a home directory, the default home directory for upgraded computers is \USERS\DEFAULT on the user's local drive where Windows NT is installed. If Windows NT Workstation or Windows NT Server has been installed for the first time, the default home directory is the root of the drive where Windows NT is installed. (To change the default home directory to a shared network directory or to another local directory on the user's workstation, use User Manager for Domains.)

  • When administering the user accounts of a domain, you should assign network home directories. User Manager for Domains automatically creates that home directory. If it cannot, a message instructs you to create the directory manually.

  • When administering the user accounts of a workstation or member server, you should assign local home directories. User Manager for Domains automatically creates that home directory at that computer. If it cannot, a message instructs you to manually create the directory.

  • If you are administering a domain and you specify a local path for the home directory, User Manager for Domains will not create the home directory.

For information about how to add home directories, see "Managing the User Environment" in User Manager for Domains Help.

Managing the User Environment Profile

A user profile consists of work environment settings that are loaded by the system during logon for a given user. These settings include all the user-specific settings of a user's Windows environment, such as screen colors, network connections, printer connections, mouse settings, shortcuts, and window size and position. User profiles are identified by the user name.

Local user profiles are created automatically on the computer at logon the first time a user logs on to a computer running Windows NT Workstation or Windows NT Server. Each user's individual user profile is available to that user on successive logons at that computer.

Roaming user profiles are available on computers running Windows NT Workstation or Windows NT Server. To enable roaming user profiles, an administrator enters a user profile path into the user account. The first time the user logs off, the local user profile is copied to that location. Thereafter, the server copy of the user profile is downloaded each time the user logs on (if it is more current than the local copy). Both the local and server copies are updated each time the user logs off.

Mandatory user profiles are roaming profiles that are created for the user and cannot be changed by the user. When the user logs off, the local user profile is not saved and a copy of the local user profile is not copied to the server. User profiles are also available on computers running Windows 95; however, a user profile created on Windows 95 is not available to the user on a computer running Windows NT and vice versa, even if the user profile is stored on a server.

For information about how to add user profiles, see "Managing the User Environment" in User Manager for Domains Help.

For information about creating and managing mandatory and roaming user profiles, see Chapter 3, "Managing User Work Environments."

Specifying a User Profile Location

In the User Environment Profile dialog box, assign a roaming or mandatory profile to a user account by typing its full path and user profile folder name in the User Profile Path box.

\\server\share\profile name 

For information about adding a user profile location, see "Managing the User Environment" in User Manager for Domains Help.

For information about creating and managing user profiles, see Chapter 3, "Managing User Work Environments."

Using %USERNAME% in the Home Directory Path

In the Home Directory box, %USERNAME% can be substituted for the last entry in the path. The system later substitutes the user name of the user account. This substitution is useful when multiple user accounts are selected.

For example, you have selected eight user accounts. In the Home Directory box, you might select Connect, specify a drive letter of K, select the To box, and type \\SALES\home\%username%. When you choose OK to save the User Environment Profile, the actual user name will be substituted for each %USERNAME% entry.

For information about logon scripts and about creating and managing user profiles, see Chapter 3, "Managing User Work Environments."

Managing Dial-in Information

Windows NT Server provides domain-based security for RAS users. To enable users to use RAS to dial in to domain accounts from remote computers, you use the Dialin Information dialog box in User Manager for Domains to add dialin information to their user accounts, including call-back options and permission to use dial-in facilities.

[Figure: the Dialin Information dialog box]

For information about using RAS and installing RAS servers, see the Windows NT Server Networking Supplement.

Managing the User Rights Policy

A right authorizes a user to perform certain actions on a computer system, such as backing up files and directories, logging on to a computer interactively, or shutting down a computer system. Rights exist as capabilities for using either domain controllers at the domain level or workstations or member servers at the local level. Rights can be granted to groups or to user accounts, but are best reserved for use by groups. Rights also can be granted to the special built-in groups Everyone, Interactive, and Network (for more information about these groups, see "Special Groups" later in this chapter). A user who logs on to an account that belongs to a group to which the appropriate rights have been granted can carry out the corresponding actions. When a user does not have appropriate rights to perform an action, an attempt to carry out that action is blocked by Windows NT Server (if the attempt is made on a domain controller or member server) or by Windows NT Workstation (if the attempt is made on a workstation computer).

Note Rights apply to the system as a whole and are different from permissions, which apply to specific objects. A permission is a rule associated with an object (usually a directory, file, or printer), and it regulates which users can have access to the object and in what manner. Most often the creator or owner of the object sets the permissions for the object.

Because rights are not associated with a specific object and are applied at the domain (domain controllers) or local (workstation or member server) level, they can sometimes override permissions set on an object. For example, a user logged on to a domain account that is a member of the Backup Operators group has the right to perform backup tasks for all servers of the domain. Doing so requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A right — in this case, the right to perform a backup — takes precedence over all file and directory permissions. The following diagram shows the range of user rights within a domain (all domain controllers have the same user rights) and on workstations (every workstation and member server has its own set of user rights).

[Diagram: the range of user rights within a domain and on workstations]

Setting User Rights

Members of the Administrators local group in a domain or on a local computer (member server or workstation) have the built-in ability to grant rights to users for the domain or the computer, respectively. The easiest way to provide rights to a user is to add a user's account to a built-in group that has the desired rights. (Each built-in group conveys certain rights and abilities to its members.) However, when you create new local groups, or if a special situation occurs, it is possible to grant a right to, or remove it from, a user or a group account.

The following list describes the user rights that can be managed with the User Rights command on the Policy menu.

Note When you administer the User Rights policy for a domain, the computers referred to in the following list are the primary and backup domain controllers of the domain; when you administer the User Rights policy on a workstation or member server, the computer referred to is the workstation or member server.

Each entry names the user right and what it allows a user to do:

  • Access this computer from network: Connect over the network to a computer.

  • Add workstations to domain: Add a workstation to the domain, allowing the workstation to recognize the domain's user and global group accounts and those of trusted domains.

  • Back up files and directories: Back up files and directories, allowing the user to read all files. This right supersedes file and directory permissions, and also applies to the registry.

  • Change the system time: Set the time for the internal clock of a computer.

  • Force shutdown from a remote system: This right is not currently implemented. It is reserved for future use.

  • Load and unload device drivers: Install and remove device drivers.

  • Log on locally: Log on at the computer itself, from the computer's keyboard.

  • Manage auditing and security log: Specify what types of resource access (such as file access) are to be audited. View and clear the security log. This right does not allow a user to set system auditing using the Audit command in the Policy menu of User Manager for Domains. This ability is always held only by the Administrators group.

  • Restore files and directories: Restore files and directories, allowing the user to write to all files. This right supersedes file and directory permissions, and also applies to the registry.

  • Shut down the system: Shut down Windows NT Server.

  • Take ownership of files or other objects: Take ownership of files, directories, and other objects on a computer.

If Show Advanced User Rights is selected, some additional rights (shown in the following table) can be managed with the User Rights policy. Many of these advanced rights are useful only to programmers writing applications to run on Windows NT Server or Windows NT Workstation, and are not typically granted to a group or user. The first two advanced user rights, Bypass traverse checking and Log on as a service, are of special interest to administrators.

Advanced user right

Allows

Bypass traverse checking

A user to change directories and travel through a directory tree, even if the user has no permissions for those directories.

Log on as a service

A process to register with the system as a service, used to administer the Directory Replicator service. For information about directory replication, see Chapter 4, "Managing Shared Resources and Resource Security."

Act as part of the operating system

A user to perform as a secure, trusted part of the operating system. Some subsystems are granted this right.

Create a page file

A user to create a paging file.

Create a token object

A user or program to create access tokens. Only the Local Security Authority can do this.

Create permanent shared objects

A user to create special permanent objects, such as \Device, which are used within the Windows NT platform.

Debug programs

A user to debug various low-level objects such as threads.

Generate security audits

A user or program to generate security audit log entries.

Increase quotas

A user to increase object quotas (not available in this version of Windows NT Server).

Increase scheduling priority

A user to boost the priority of a process.

Lock pages in memory

A user to lock pages in memory so they cannot be paged out to a backing store such as PAGEFILE.SYS.

Log on as a batch job

A user to log on using a batch queue facility for delayed logons.

Modify firmware environment variables

A user to modify system environment variables. (Users can always modify their own user environment variables).

Profile single process

The use of Windows NT platform profiling (performance sampling) capabilities on a process.

Profile system performance

The use of Windows NT platform profiling capabilities on the system. (This can slow the system down.)

Replace a process-level token

A user to modify a process's security access token. This is a powerful privilege used only by the system.

For more information about programming rights, see the Windows NT programming documentation.

For information about how to set user rights, see "Managing the User Rights Policy" in User Manager for Domains Help.

For information about adding users to groups, see "Using Groups to Assign User Abilities" later in this chapter.

For information about granting rights to new groups, see "Granting Rights to New Local Groups" later in this chapter.

For information about the capabilities of built-in groups, see "Built-in Local Groups — Controlling What Users Can Do" later in this chapter.

Managing Logon Hours

By default, users can connect to a server 24 hours a day, 7 days a week. To restrict this access, use the User Properties dialog box.

When you select a user account in User Manager for Domains and view user properties, you can select Logon Hours in the User Properties dialog box to change the settings for that user. The Logon Hours dialog box displays a one-week calendar, with logon hours displayed in one-hour increments across seven days. A box represents each hour. For example, the first box in each row represents the hour from midnight through 12:59 A.M., and the last box in each row represents the hour from 11:00 P.M. through 11:59 P.M. 

Note The logon hours are in the time zone of the primary domain controller, not of the workstation or server that the user is logging on to or connecting to.

[Figure: the Logon Hours dialog box]

The filled boxes indicate when the user is allowed to connect to domain servers; the empty boxes indicate when a user is prohibited from connecting.

When a user is connected to a server and the logon hours are exceeded, the user is either disconnected from all server connections or allowed to remain connected but denied any new connections, depending on whether the Forcibly disconnect remote users from server when logon hours expire option is selected in the Account Policy dialog box.

For information about how to set logon hours, see "Managing Logon Hours" in User Manager for Domains Help.

Managing Account Information

You can define an account expiration date and specify the account type for the selected user accounts.

When an account has an expiration date, the account is disabled at the end of that day. (Expired accounts are not deleted, only disabled.) When an account expires, a logged on user remains logged on but can establish no new network connections and cannot log on again after logging off.

By default, a new user account is a global user account.
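As an added example that is not part of the original chapter, the following Python models the Logon Hours grid from the Managing Logon Hours section as the 168-bit, 21-byte bitmask the SAM keeps for each account (the LOGON_HOURS layout with 168 units per week described in MS-SAMR), together with the end-of-logon-hours decision and the account-expiration rule from the two sections above. The bit order (bit 0 of byte 0 is the Sunday box from midnight through 12:59 A.M.), the sample schedule, and the function names are assumptions of this example, and all times passed in are taken to already be in the PDC's time zone, as the Note above requires.

```python
# Added example, not from the chapter.  The Logon Hours grid is modelled as
# the 168-bit, 21-byte bitmask the SAM stores per account (MS-SAMR
# LOGON_HOURS, UnitsPerWeek = 168).  Assumed here: bit 0 of byte 0 is the
# Sunday 00:00-00:59 box and bits run hour by hour through Saturday 23:00;
# every datetime passed in is already PDC local time.
from datetime import date, datetime

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
MASK_BYTES = 21                       # 7 days * 24 hours = 168 bits


def _bit(mask, idx):
    byte, bit = divmod(idx, 8)
    return bool(mask[byte] & (1 << bit))


def allow_all():
    """The default: every box in the grid filled (24 hours, 7 days)."""
    return bytes([0xFF] * MASK_BYTES)


def set_hours(mask, day, start, end, allowed=True):
    """Return a copy of `mask` with hours [start, end) on `day` filled or
    cleared.  Day 0 is Sunday; hour 0 is the box from midnight to 12:59 A.M."""
    bits = bytearray(mask)
    for hour in range(start, end):
        byte, bit = divmod(day * 24 + hour, 8)
        if allowed:
            bits[byte] |= 1 << bit
        else:
            bits[byte] &= ~(1 << bit) & 0xFF
    return bytes(bits)


def workweek(start=8, end=17):
    """Constructed schedule: Monday to Friday, start..end only."""
    mask = bytes(MASK_BYTES)          # all boxes empty
    for day in range(1, 6):
        mask = set_hours(mask, day, start, end)
    return mask


def describe(mask):
    """List the filled boxes as ranges, e.g. 'Mon 08:00-17:00'."""
    ranges = []
    for day in range(7):
        start = None
        for hour in range(25):        # 24 is a sentinel that closes the last range
            filled = hour < 24 and _bit(mask, day * 24 + hour)
            if filled and start is None:
                start = hour
            elif not filled and start is not None:
                ranges.append(f"{DAYS[day]} {start:02d}:00-{hour:02d}:00")
                start = None
    return ranges


def is_allowed(mask, when):
    """Is the hour containing `when` (PDC local time) a filled box?"""
    day = (when.weekday() + 1) % 7    # datetime: Mon=0..Sun=6 -> Sun=0..Sat=6
    return _bit(mask, day * 24 + when.hour)


def connection_decision(mask, when, connected, force_logoff):
    """What the domain controller does at `when` for one user:
       'allow'        inside logon hours
       'deny_new'     outside hours, not connected: no new connection or logon
       'disconnect'   outside hours, connected, Account Policy forces disconnect
       'keep_no_new'  outside hours, connected, stays on but gets no new connections"""
    if is_allowed(mask, when):
        return "allow"
    if not connected:
        return "deny_new"
    return "disconnect" if force_logoff else "keep_no_new"


def account_usable(expires, when):
    """An expiring account is disabled at the end of its expiry day, not deleted."""
    return expires is None or when.date() <= expires
```

The same Monday-to-Friday schedule can be set from the command line on Windows NT with `net user username /times:M-F,8am-5pm`; what the model adds is a way to see exactly which bits that produces and to reason about the two outcomes (forced disconnect versus no new connections) when a session outlives its allowed hours.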

Adding Local User Accounts

A local account is a user account provided in a domain for a user whose regular account is not in a trusted domain. Local accounts provide access to resources in a single domain, and resources can be used only by connecting to a domain controller over the network. (You can log on interactively to a local account only if the right to log on locally has been granted to the account.)

The local account user must first log on to the network using a workgroup computer account or a global domain account and then connect to a domain controller in the domain where the local account resides. When the user connects to the domain controller, the user's credentials (domain name, user name, and password) are passed to the domain controller. This controller first checks the domain name and, because the domain is not trusted, checks further to see if the user has a local or global user account by the same name and if the password specified in the user's credentials matches the password for the local account. If the account is found but the passwords do not match, the user is prompted for the local account password.

Creating a User Account as Local

A user account can be created as a local account to give domain access to a user who:

  • Is not a member of any domain.

  • Is a member of a domain that does not have an established trust relationship with the domain where the user's global account is located.

For example, a local account would be required for a user who is a member of a workgroup or whose domain account is located on servers of other systems such as LAN Manager 2.x, Novell NetWare, or IBM LAN Server (which do not recognize trust relationships).

If necessary, you can easily return the account type to global. For example, you would do so if you created an account for a user whose workstation is a member of a workgroup, and the workstation later joined the domain.

Tip By default, local accounts are added to the Domain Users global group. In a multiple-domain setting, the Domain Users global group in a trusted domain can be added to local groups in trusting domains to gain access to resources there. To limit local account access to resources in the domain where you want the account to be used (the trusted domain), remove the local account from the Domain Users group in that domain, or do not grant permissions on any resources in the trusting domain or domains to the Domain Users group from the trusted domain.

In User Manager or User Manager for Domains, local user accounts are shown with a distinct local-account icon instead of the standard global user account icon.

The default setting for a new user account is Global Account. When you add a new local user account, you can change the default setting in the Account Information dialog box.

[Figure: the Account Information dialog box]

For information about how to manage user accounts, see "Creating a New User Account" and "Managing Account Information" in User Manager for Domains Help.

Renaming a User Account

Any user account — including built-in user accounts — can be renamed. Because it retains its security identifier (SID), a renamed user account retains all its other properties, such as its description, password, group memberships, user environment profile, logon hours, logon workstations, account information, and any assigned permissions and rights.

For information about how to rename a user account, see "Renaming User Accounts" in User Manager for Domains Help.

Deleting and Disabling User Accounts

To prevent a user from logging on, you disable or delete the user account:

  • A disabled user account still exists, but the user is not permitted to log on; a deleted user account is completely removed.

  • A disabled account still appears in the user account list of the User Manager for Domains window; a deleted account is removed from the user account list of the User Manager for Domains window, and it cannot be restored.

  • A disabled account can be reenabled at any time.

To prevent accidental deletions, it is a good idea to first disable a user account, and then periodically delete the disabled accounts.

Note Internal processes in Windows NT Server refer to a user account's SID rather than its user name. So if you delete a user account that had read access to a certain shared directory and then create another user account with the same user name, the new account will not have access to the directory: You will have to reapply permissions to the shared directory.

For information about how to disable and delete user accounts, see "Disabling and Enabling User Accounts" and "Deleting User Accounts" in User Manager for Domains Help.
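The following Python is an added illustration, not code from the chapter or from Windows NT: a toy account database that, like Windows NT, keys permissions by SID rather than by user name. It shows why a renamed account keeps every permission (Renaming a User Account above) while an account that is deleted and re-created under the same name does not (the Note above). The domain SID prefix, the starting RID, and the share name used in the example are constructed values, not identifiers from any real domain.

```python
# Added example, not from the chapter: a toy account database keyed by SID,
# to show why a renamed account keeps its access while a deleted and
# re-created account of the same name does not.  The domain SID prefix and
# the starting RID are constructed values, not identifiers of a real domain.
from itertools import count

DOMAIN_SID = "S-1-5-21-1111-2222-3333"    # constructed


class Directory:
    def __init__(self):
        self._rids = count(1000)     # RIDs are handed out once and never reused
        self.accounts = {}           # user name -> SID
        self.disabled = set()        # SIDs of disabled accounts
        self.acls = {}               # resource -> {SID: permission}

    def create_user(self, name):
        if name.lower() in (n.lower() for n in self.accounts):
            raise ValueError(f"account {name!r} already exists")
        sid = f"{DOMAIN_SID}-{next(self._rids)}"
        self.accounts[name] = sid
        return sid

    def rename_user(self, old, new):
        """The SID is untouched, so every ACE and group membership still matches."""
        sid = self.accounts.pop(old)
        self.accounts[new] = sid
        return sid

    def disable_user(self, name):
        self.disabled.add(self.accounts[name])

    def enable_user(self, name):
        self.disabled.discard(self.accounts[name])

    def delete_user(self, name):
        """Removes the account; ACEs carrying its SID stay behind and now match nothing."""
        sid = self.accounts.pop(name)
        self.disabled.discard(sid)
        return sid

    def grant(self, resource, name, permission):
        self.acls.setdefault(resource, {})[self.accounts[name]] = permission

    def access(self, resource, name):
        """Permission `name` holds on `resource`, or None (disabled, unknown, or no ACE)."""
        sid = self.accounts.get(name)
        if sid is None or sid in self.disabled:
            return None
        return self.acls.get(resource, {}).get(sid)

    def unresolved_sids(self, resource):
        """ACEs on `resource` whose SID no longer belongs to any account."""
        live = set(self.accounts.values())
        return sorted(sid for sid in self.acls.get(resource, {}) if sid not in live)
```

The `unresolved_sids` check is the part worth keeping in mind operationally: after a deletion the stale ACE is still on the share, granting nothing but cluttering the ACL, which is one more reason to disable first and delete later.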

Migrating User Accounts from Novell NetWare

You can migrate user accounts from Novell NetWare servers to Windows NT Server computers.

Use the Migration Tool for NetWare in Windows NT Server to transfer user and group accounts and files and directories from NetWare 2.x and 3.x servers to Windows NT Server.

For information about upgrading from NetWare to Windows NT Server, see the Windows NT Server Networking Supplement. 

Managing Workstation and Member Server User and Group Accounts

From a computer running Windows NT Server (domain controller or member server), you can remotely manage local member server or workstation user accounts with User Manager for Domains. You can manage user accounts locally from a computer running Windows NT Workstation with User Manager.

Membership in the Built-in Administrators Group

When Windows NT Workstation is installed on a computer, or Windows NT Server is installed as a member (stand-alone) server, the built-in Administrator account is created automatically. The Administrator account is the account used by the person who manages the computer's overall configuration.

If a computer participates in a domain, the Domain Admins global group is by default a member of the computer's Administrators local group, and members of the Administrators group can administer the computer. However, a member of Administrators can remove the Domain Admins global group from the computer's Administrators group.

Administrators group members do not have automatic access to every file on the computer. If a file's permissions do not grant access, the administrator cannot use the file. Every file on an NTFS volume has an owner who can set permissions on the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so and auditing of files is selected, this event is recorded in the security log and the administrator cannot give ownership back to the original owner.

To manage workstation or member server accounts instead of domain accounts, in User Manager for Domains, type the computer name as \\computername instead of selecting or typing a domain name. With the workstation or member server selected as the domain, you can perform all the functions from a Windows NT Server computer that can be performed at the computer itself.

For information about how to select a computer instead of a domain, see "Selecting a Domain" in User Manager for Domains Help.

For information about using the NTFS file system, see Chapter 4, "Managing Shared Resources and Resource Security," and Windows NT Server Start Here.

For information about file auditing, see Chapter 9, "Monitoring Events."

Managing Group Accounts

Group accounts are collections of user accounts. Giving a user account membership in a group gives that user all the rights and permissions granted to the group. Group membership provides an easy way to grant common capabilities to sets of users.

Using Groups to Assign User Abilities

Because maintaining permissions for a group is easier than maintaining permissions for many user accounts, you generally want to use groups to manage access to resources (such as directories, files, or printers):

  • Assign resource permissions to a group, and then add user accounts to that group as needed.

  • To change the permissions of a set of users, add or remove the permissions assigned to the group rather than changing each account.

Note When assigning user abilities, remember to take advantage of the built-in groups provided with Windows NT, which have been granted useful collections of rights and abilities. (For example, members of the Administrators group have administrative abilities in the domain and over the servers of the domain.)

Two types of groups can be maintained in a Windows NT Server domain: local groups and global groups.

Global Groups

A global group contains a number of user accounts from one domain that are grouped together under one group account name. A global group can contain only user accounts from the domain where the global group is created. Once a global group is created, it can be granted permissions and rights in its own domain, on workstations or member servers, or in trusting domains. However, it is best to grant rights and permissions to local groups and use the global group as the method of adding users to local groups.

Global groups can be added to local groups in the same domain, in domains that trust that domain, or to member servers or computers running Windows NT Workstation in the same or a trusting domain. Global groups contain domain user accounts only. You cannot create a global group on a computer running Windows NT Workstation or on a computer running Windows NT Server as a member server.

The "global" in "global groups" indicates that the group is available to receive rights and permissions in multiple (global) domains. 

A global group can contain only user accounts; it cannot contain local groups or other global groups.

Local Groups

A local group contains user accounts and global group accounts from one or more domains, grouped together under one group account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. Local groups make it possible to quickly assign rights and permissions for the resources on one domain (that is, the local domain) to users and groups from that domain and other domains that it trusts.

Local groups also exist on member servers and computers running Windows NT Workstation, and can contain user accounts and global groups.

The "local" in "local groups" indicates that the group is available to receive permissions and rights in only a single (local) domain. 

A local group cannot contain other local groups.

The following table summarizes how the two types of groups are used.

User accounts from this domain
    Need to be used in: the domain controllers, member servers, and workstations of this domain, or of other domains
    Put them in: a global group

User accounts from this domain or other domains
    Need to be used in: the domain controllers of this domain
    Put them in: a local group

Global groups from this domain or other domains
    Need to be used in: the domain controllers of this domain
    Put them in: a local group


Strategies for Using Groups

A local group is a single security entity that can be granted access to many objects in a single location (a domain, or a workstation or member server) rather than having to edit the permissions on all those objects separately.

With global groups you can group user accounts which might be granted permissions to use objects on multiple domains and workstations.

For example, in a multiple-domain setting, you can think of global groups as a means of adding users to the local groups of trusting domains. To extend users' rights and permissions to resources on other domains, add their accounts to a global group in your domain and then add the global group to a local group in a trusting domain.

Even for a single domain, if you keep in mind that additional domains might be added in the future, you can use global groups added to local groups for granting all rights and permissions. Later, if another domain is created, the rights and permissions assigned to your local groups can be extended to a new domain's users by creating a trust relationship and adding global groups from the new domain to your local groups. Likewise, if the new domain trusts your domain, your global groups can be added to the new domain local groups.

Domain global groups can also be used for administrative purposes on computers running Windows NT Workstation or on member servers running Windows NT Server. For example, the Domain Admins global group is added by default to the Administrators built-in local group on each workstation or member server that joins the domain. Membership in the workstation or member server local Administrators group enables the network administrator to manage the computer remotely by creating program groups, installing software, and troubleshooting computer problems.

The following table provides some guidelines for using global and local groups:

Purpose of group: Group users of this domain into a single unit for use in other domains or on user workstations
    Use: a global group
    Comments: The global group can be put into local groups or given permissions and rights directly in other domains.

Purpose of group: Need permissions and rights only in one domain
    Use: a local group
    Comments: The local group can contain users and global groups from this and other domains.

Purpose of group: Need permissions on computers running Windows NT Workstation or on member servers
    Use: a global group
    Comments: A domain's global groups can be given permissions on these computers, but a domain's local groups cannot.

Purpose of group: Contain other groups
    Use: a local group
    Comments: The local group can contain only global groups (and users); no group can contain other local groups.

Purpose of group: Include users from multiple domains
    Use: a local group
    Comments: The local group can be used only in the domain in which it is created. If you need to grant this local group permissions in multiple domains, you must create the local group separately in every domain in which you need it.

For information about trust relationships, see Chapter 1, "Managing Windows NT Server Domains."

Built-in Local Groups—Controlling What Users Can Do

Being a member of one of the built-in local groups of a domain gives a user rights and abilities to perform various tasks on the domain controllers in the domain. Similarly, being a member of a built-in local group on a member server or workstation gives the user rights and abilities on that computer.

You can add a user to more than one built-in group. For example, a user in both the Print Operators and Backup Operators groups has all the rights granted to print operators and all the rights granted to backup operators.

However, not all built-in local groups exist on both Windows NT Server domain controllers and on individual Windows NT computers (Windows NT Workstation computers and member servers running Windows NT Server). The following table shows which built-in local groups exist on domain controllers and on individual computers.

Windows NT Server domain controllers      Windows NT workstations and member servers
Administrators                            Administrators
Backup Operators                          Backup Operators
Server Operators                          Power Users
Account Operators                         Users
Print Operators                           Guests
Users                                     Replicator
Guests
Replicator

By default, every new domain user (global or local) is a member of the Domain Users global group, which is a member of the Users built-in local group. Each new workstation or member server user is a member of the Users built-in local group on the computer.

In general, you will want to add administrator users for a domain to the Domain Admins global group rather than adding them directly to the Administrators local group. By adding users to Domain Admins, they are also administrators on workstations and member servers.

The following tables show which rights and built-in abilities are held by each built-in local group on both Windows NT Server domains and on member servers and workstations.

Windows NT Server domain controllers

[Figure: table of the rights and built-in abilities held by each built-in local group on domain controllers]

Workstations and member servers

[Figure: table of the rights and built-in abilities held by each built-in local group on workstations and member servers]

The following table presents the built-in rights with comments about the specific actions the rights allow, as well as what local groups have the rights by default on both domain controllers and on workstations and member servers.

Manage auditing and security log
    Specify what types of file and object access are to be audited. View and clear the security log.
    Domain controllers: Administrators
    Workstations and member servers: Administrators

Back up files and directories
    Domain controllers: Administrators, Server Operators, Backup Operators
    Workstations and member servers: Administrators, Backup Operators

Restore files and directories
    This right supersedes file permissions; a user with the Restore right can overwrite files for which he or she has no permissions, when performing a restore.
    Domain controllers: Administrators, Server Operators, Backup Operators
    Workstations and member servers: Administrators, Backup Operators

Change system time
    Domain controllers: Administrators, Server Operators
    Workstations and member servers: Administrators, Power Users

Access this computer from network
    Access the computer from another workstation on the network.
    Domain controllers: Administrators, Everyone
    Workstations and member servers: Administrators, Power Users, Everyone

Log on locally
    Ability to log on at the computer itself on the computer's keyboard.
    Domain controllers: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
    Workstations and member servers: Administrators, Backup Operators, Power Users, Users, Guests

Shut down the system
    Domain controllers: Administrators, Server Operators, Account Operators, Print Operators, Backup Operators
    Workstations and member servers: Administrators, Backup Operators, Power Users, Users, Guests

Add workstations and member servers to domain
    Allows a user who is not a member of the domain's Administrators group to add computers running Windows NT Workstation or computers running Windows NT Server as member servers to the domain.
    Domain controllers: None (see note 1)
    Workstations and member servers: Not applicable

Take ownership of files and other objects
    Take ownership of files and directories on the computer.
    Domain controllers: Administrators
    Workstations and member servers: Administrators

Load and unload device drivers
    Domain controllers: Administrators
    Workstations and member servers: Administrators

Force shutdown from a remote system
    This right gives a user no abilities in this version of Windows NT but will be supported in future upgrades of the operating system.
    Domain controllers: Administrators, Server Operators
    Workstations and member servers: Administrators, Power Users

(1) Members of the domain's Administrators and Account Operators groups can always add workstations to a domain, whether or not they have this right assigned to them. This right is needed only to enable users who are not members of these groups to add workstations to the domain. With this right, Windows NT Server does not have to check that the user is a member of the Administrators or Account Operators group.

The following sections describe the purpose and abilities of each built-in local group:

Administrators

The Administrators local group in a domain, on a computer running Windows NT Workstation, or on a member server has full control over its computer. The Administrators local group is the only group that is automatically granted every built-in right and ability. Administrators manage the overall configuration of the domain and the domain's controllers.

By default, the Domain Admins global group is also a member of the Administrators local group, but it can be removed.

Users

Members of the Users local group cannot log on locally at the domain's domain controllers. However, they do possess certain rights at their local workstations and can perform most necessary tasks.

By default the Domain Users global group is a member of the Users local group, but it can be removed.

Guests

The Guests local group allows occasional or one-time users to log on to a workstation's built-in Guest account interactively (local guest logon) or to a domain's built-in Guest account remotely (network guest logon), and be granted limited abilities. Users logged on as members of the Guests local group have no rights at domain servers. However, they do have certain rights at their individual workstations. By default, the domain Guests global group is a member of the Guests local group, but it can be removed.

For information about the Guest account, see "Built-in Guest Account" earlier in this chapter.

Account Operators

Members of the Account Operators local group can use User Manager for Domains to create user accounts and groups for the domain and to modify or delete most user accounts and groups of the domain. Account Operators can also log on to domain servers, can shut down domain servers, and can use Server Manager to add computers to a domain.

However, an account operator cannot modify or delete the Domain Admins global group, nor the Administrators, Account Operators, Backup Operators, Print Operators, or Server Operators local groups or any global groups belonging to these local groups. Account operators cannot modify the accounts of members of any of these groups and cannot administer security policies.

Backup Operators

Members of the Backup Operators local group can back up and restore files on the domain's primary and backup domain controllers. They can also log on to these servers and shut them down.

Print Operators

Members of the Print Operators local group can create, delete, and manage printer shares on the domain's primary and backup domain controllers. They can also log on at these servers, and shut them down.

Server Operators

Members of the Server Operators local group can manage the domain's primary and backup domain controllers. For example, server operators can create, delete, and manage printer shares at these servers; create, delete, and manage network shares; back up and restore files; lock and unlock these servers; format a server's hard disk; and change the system time. They can also log on at these servers and shut them down.

Replicator

The Replicator local group supports directory replication functions. The only member of the domain's Replicator local group should be a domain user account used to log on the Directory Replicator service on the primary domain controller and the backup domain controllers in the domain. Do not add the user accounts of actual users to this group.

For information about directory replication, see Chapter 4, "Managing Shared Resources and Resource Security."

Special Groups

In addition to the built-in groups mentioned, other groups are created by the system and are used for special purposes. Because the memberships of these groups cannot be altered, the groups are not listed in User Manager for Domains.

However, when you administer a computer and Windows NT presents lists of groups, these special groups sometimes appear in the list. For example, they can appear when assigning permissions to directories, files, shared network directories, or printers.

Group

Refers to

Everyone

Anyone using the computer. This includes all local and remote users (that is, the Interactive and Network groups combined).
In a domain, members of Everyone can by default access the network, connect to a server's shared network directories, and print to a server's printers.

Interactive

Anyone using the computer locally.

Network

All users connected over the network to the computer.

System

The operating system.

Creator Owner

Transfer of permissions to creators of subdirectories, files, and print jobs. For a directory, if permissions are granted to the Creator Owner group, the creator of a subdirectory or file will be granted those permissions for that subdirectory or file. For a printer, if permissions are granted to the Creator Owner group, the creator of a print job will be granted those permissions for that print job.

Using Administrators and Operators — An Example

Suppose a medium-sized group is deciding how to assign its technical staff to the various administrator and operator groups. (It is recommended that at least one member of either the Administrators or Server Operators group is present during all hours that people are using the network.)

  • At least one person must have an administrator account. Members of the Administrators group are ultimately responsible for planning and maintaining network security for the department. If desired, members of the domain's Administrators group can administer users' Windows NT Workstation computers.

  • People responsible for hiring new or temporary employees, or for helping newly hired people get started would be good candidates for the Account Operators group. They can create domain accounts for the new employees and put these accounts in the appropriate groups.

  • If the domain's Administrators group has few members, assign at least one additional person to the Server Operators group. This group keeps the domain servers running. Accordingly, members of this group can shut down servers, set the system time on servers, lock and override the lock of servers, share directories and printers on the server, and format its hard disks.

  • If printing documents quickly is important, add several capable people to the Print Operators group to ensure that printer problems can always be addressed quickly.

Built-in Global Groups—Providing Automatic Memberships in Local Groups

On a domain's primary and backup domain controllers, three global groups are built in: Domain Admins, Domain Users, and Domain Guests. None of these groups can be deleted.

Domain Admins

The Domain Admins global group is initially a member of the Administrators local group for the domain and of the Administrators local group for every computer in the domain running Windows NT Workstation or Windows NT Server.

The built-in Administrator user account is a member of the Domain Admins global group. It is also a member of the Administrators local group and cannot be removed.

Because of these memberships, a user logged on as an administrator can administer the domain, the primary and backup domain controllers, and all other computers running Windows NT Workstation and Windows NT Server in the domain. (However, to prevent Domain Admins from administering a particular workstation or a server that is not a domain controller, remove the Domain Admins global group from that computer's Administrators group.)

To provide administrative-level abilities to a new account, add the account to the Domain Admins global group. Members of this group can administer the domain, the servers and workstations of the domain, and a trusted domain that has added the Domain Admins global group from this domain to the Administrators local group in the trusted domain.

For information about using global groups, see "Strategies for Using Groups" earlier in this chapter.

Domain Users

The Domain Users global group initially contains the domain's built-in Administrator account. By default, all new accounts created thereafter in the domain are added to the Domain Users group, unless you specifically remove them.

The Domain Users global group is, by default, a member of the Users local group for the domain and of the Users local group for every computer in the domain running Windows NT Workstation or member servers running Windows NT Server. Domain Users is the default primary group for each user. (A primary group is a feature for Macintosh clients and users running POSIX compliant applications. For information about using primary groups with services for Macintosh, see the Windows NT Server Networking Supplement.)

Because of these memberships, users of the domain have normal user access to and abilities for the domain and the computers in the domain running Windows NT Workstation and Windows NT Server as member servers. (However, you can prevent Domain Users from being granted this access on a particular workstation or on a server that is not a domain controller by removing the Domain Users global group from that computer's Users group.)

Domain Guests

The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you might want to add those accounts to the Domain Guests group and remove them from the Domain Users group.

The Domain Guests global group is a member of the domain's Guests local group.

Global group     Initial contents   Who can modify¹
Domain Admins    Administrator      Administrators
Domain Users     Administrator      Administrators, Account Operators
Domain Guests    Guest              Administrators, Account Operators

¹ None of these groups can be deleted.

Creating New Groups

To create and define additional groups, use User Manager for Domains:

  • Create new local groups for granting permissions to resources.

  • Create new global groups to organize users based on the type of work they do.

For example, suppose you have a color printer in your domain, and you want to restrict access to it:

  1. Create a local group that has permission to print on the color printer.

  2. Create a global group consisting of users who are allowed to use the color printer.

  3. Add the global group to the local group.

  4. Add or remove people who can use the printer by changing the membership of the global group.

If you want members of this group to be able to use a printer connected to a particular workstation or member server, add the global group to the local group that governs printing on that computer. Likewise, if a color printer is available on a trusting domain, you can place your global group into a local group in that domain.

For information about managing resource permissions, see Chapter 4, "Managing Shared Resources and Resource Security."

When adding a group you will be asked to provide a group name. It must be unique to the domain or to the computer being administered. A global group name can contain up to 20 characters. It can also contain any uppercase or lowercase characters except the following:

" / \ [ ] : ; | = , + * ? < >

A local group name can contain up to 256 characters. It can also contain any uppercase or lowercase characters except the backslash character (\).

A global group name cannot consist solely of periods (.) and spaces.
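The naming rules above are easy to get subtly wrong in provisioning scripts (the two group types have different length limits and different forbidden characters). The following Python functions are an added example, not code from the page or from User Manager for Domains; they implement exactly the rules stated above, plus the assumption that a name cannot be empty, and return the reason a name is rejected.

```python
# Added example, not from the original page: validate proposed group names
# against the rules stated in the text. The empty-name check is an assumption.
GLOBAL_FORBIDDEN = set('"/\\[]:;|=,+*?<>')  # characters a global group name may not contain
GLOBAL_MAX = 20    # maximum length of a global group name
LOCAL_MAX = 256    # maximum length of a local group name


def global_group_name_problem(name):
    """Return None if `name` is a valid global group name, else the reason it is not."""
    if not name or len(name) > GLOBAL_MAX:
        return f"length must be 1..{GLOBAL_MAX} characters"
    bad = sorted(set(name) & GLOBAL_FORBIDDEN)
    if bad:
        return "forbidden character(s): " + " ".join(bad)
    if set(name) <= {".", " "}:
        return "name cannot consist solely of periods and spaces"
    return None


def local_group_name_problem(name):
    """Return None if `name` is a valid local group name, else the reason it is not."""
    if not name or len(name) > LOCAL_MAX:
        return f"length must be 1..{LOCAL_MAX} characters"
    if "\\" in name:
        return "backslash (\\) is not allowed"
    return None


if __name__ == "__main__":
    for candidate in ("Managers", "Sales/Marketing", ". . .", "A" * 21):
        print(f"global {candidate!r}: {global_group_name_problem(candidate)}")
    for candidate in ("Color Printer Users", "ENGINEERING\\Managers"):
        print(f"local  {candidate!r}: {local_group_name_problem(candidate)}")
```

The backslash is excluded from local group names because it is the separator in the DOMAINNAME\groupname form described in the note that follows; a name containing one would be ambiguous when displayed.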

Note When a group name is displayed and when the distinction is necessary, Windows NT Server identifies the domain or workstation the group is from by presenting the name in the form DOMAINNAME\groupname or COMPUTERNAME\groupname. For example, a group named Managers from a domain named Engineering would be displayed as ENGINEERING\Managers.

To create a new group, you either copy an existing group or create a completely new one. By copying, you ensure that the new group has the same members as the original group. However, the permissions and rights of the original group are not copied to the new group: the copy is a distinct account with its own SID, so any permissions it needs must be granted separately.

Creating a New Global Group

To create a new global group, you give the group a name and then add members (user accounts in the local domain) to it.


Note When Low Speed Connection is chosen on the Options menu in User Manager for Domains, global groups cannot be created, modified, or copied.

For information about how to manage global groups, see "Creating a New Global Group", "Copying a Global Group", and "Managing Global Group Properties" in User Manager for Domains Help.

Creating a New Local Group

To create a new local group, give the group a name and then add members (user accounts and global groups from the local domain or a trusting domain) to it.


For information about how to manage local groups, see "Creating a New Local Group", "Copying a Local Group", and "Managing Local Group Properties" in User Manager for Domains Help.

Changing a Group's Membership or Description

You can add new members or remove members or change the description of a local group or a global group by selecting a group in User Manager for Domains and clicking Properties on the User menu.

For information about how to add, remove, or change group members, see "Managing Global Group Properties" and "Managing Local Group Properties" in User Manager for Domains Help.

Granting Rights to a Local Group

You can grant or revoke rights to and from users and groups. Built-in abilities are different: they are assigned to certain built-in local groups when Windows NT Workstation or Windows NT Server is installed and cannot be granted or revoked directly. The only way for you to grant a user one of these built-in abilities is to make that user a member of the appropriate local group. For example, the only way to allow a person to create user accounts on a domain is to add that person's account to either the Administrators or Account Operators local group on the domain. The built-in abilities of local groups for workstations and member servers, as well as for domain controllers, are listed in "Built-in Local Groups — Controlling What Users Can Do" earlier in this chapter.

Rights also have a scope. On Windows NT Server domains, rights are granted and restricted at the domain level; if a group has a right in a domain, its members have that right on all primary and backup domain controllers in the domain. On each Windows NT Workstation computer and on each Windows NT Server computer that is not a domain controller, rights granted apply only to that single computer.

  • When you create new local groups in a domain, User Manager for Domains is used to grant rights to the group.

  • When you create new local groups on a workstation or member server, User Manager (or User Manager for Domains remotely) is used to grant rights to the group.

The User Rights command on the Policy menu lets you grant user rights to local groups. The User Rights Policy dialog box lists each right selected and the groups that have them. You can add or remove groups from the Grant To list.


For information about how to grant user rights, see "Managing the User Rights Policy" in User Manager for Domains Help.

Deleting a Group

Groups created with User Manager for Domains can be deleted, but the built-in groups provided with Windows NT Server and Windows NT Workstation cannot. Deleting a group removes only that group; it does not delete the user accounts or global groups that are members of the deleted group.

A deleted group cannot be recovered, so be sure you want to delete a group before you do so. When you delete a group, the SID for the group account is deleted, and SIDs are used only once. For this reason, resource permissions associated with the group cannot be reestablished by creating a new group using the same account name: the new group receives a new SID, and any permission entries that still reference the deleted SID remain on the resources but match no account. Remove such stale entries as part of cleaning up, and re-grant the permissions to the new group explicitly.
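The color-printer procedure in "Creating New Groups" and the warning about deleted SIDs above both come down to one mechanism: a permission is tied to the SID of the group it was granted to, and a user receives it only when that SID reaches the user's logon token through the global-group-in-local-group chain. The following Python model is an added example, not code from this page or from Windows NT. It simulates the nesting rules (global groups hold only users of their own domain; local groups hold users and global groups from their own domain or from a trusted domain, never other local groups), the direction of a trust, and SID uniqueness, using constructed domain names, accounts and a one-entry printer ACL, and shows that recreating a deleted group under the same name does not restore access.

```python
# Added example, not code from the original page: a toy model of how global and
# local group nesting and SID-based permissions resolve. All names are constructed.
from itertools import count

_next_rid = count(1000)  # SIDs are never reused: every object gets a fresh RID


class Principal:
    """A user, global group or local group, identified by a unique SID."""
    def __init__(self, domain, name, kind):  # kind: "user", "global" or "local"
        self.domain, self.name, self.kind = domain, name, kind
        self.sid = f"S-1-5-21-{domain}-{next(_next_rid)}"
        self.members = set()  # SIDs of direct members (groups only)


class Directory:
    """Accounts and groups across domains, plus trust relationships."""
    def __init__(self):
        self.objects = {}  # sid -> Principal
        self.trusts = {}   # trusting domain -> set of domains it trusts

    def create(self, domain, name, kind):
        p = Principal(domain, name, kind)
        self.objects[p.sid] = p
        return p

    def trust(self, trusting, trusted):
        self.trusts.setdefault(trusting, set()).add(trusted)

    def add_member(self, group, member):
        """Enforce the nesting rules the text describes."""
        if group.kind == "global":  # only user accounts from its own domain
            if member.kind != "user" or member.domain != group.domain:
                raise ValueError("global groups hold only users of their own domain")
        else:  # local: users and global groups from this domain or a trusted one
            if group.kind != "local" or member.kind == "local":
                raise ValueError("only local groups may hold groups, and never local ones")
            if member.domain != group.domain and \
                    member.domain not in self.trusts.get(group.domain, set()):
                raise ValueError(f"{group.domain} does not trust {member.domain}")
        group.members.add(member.sid)

    def delete(self, principal):
        """Remove an object everywhere; its SID is gone for good."""
        del self.objects[principal.sid]
        for p in self.objects.values():
            p.members.discard(principal.sid)

    def token_sids(self, user):
        """User SID, then its global groups, then every local group (in any
        domain or on any computer) that holds the user or those global groups."""
        sids = {user.sid}
        sids |= {p.sid for p in self.objects.values()
                 if p.kind == "global" and user.sid in p.members}
        sids |= {p.sid for p in self.objects.values()
                 if p.kind == "local" and p.members & sids}
        return sids


def access_check(directory, user, acl):
    """Permissions granted by ACEs whose SID appears in the user's token."""
    sids = directory.token_sids(user)
    return {perm for sid, perm in acl if sid in sids}


def demo():
    """The color-printer procedure from the text, then the deletion caveat."""
    d = Directory()
    alice = d.create("ENGINEERING", "alice", "user")
    color_users = d.create("ENGINEERING", "ColorPrinterUsers", "global")
    color_print = d.create("ENGINEERING", "ColorPrint", "local")
    printer_acl = [(color_print.sid, "Print")]   # 1: permission on the local group
    d.add_member(color_users, alice)             # 2: users into the global group
    d.add_member(color_print, color_users)       # 3: global group into the local group
    r = {"alice_can_print": "Print" in access_check(d, alice, printer_acl)}
    color_users.members.discard(alice.sid)       # 4: membership changes in the global group only
    r["after_removal"] = "Print" in access_check(d, alice, printer_acl)
    d.add_member(color_users, alice)
    # SALES trusts ENGINEERING, so a SALES local group may hold ENGINEERING's global
    # group; ENGINEERING does not trust SALES, so the reverse is refused.
    d.trust("SALES", "ENGINEERING")
    d.add_member(d.create("SALES", "ColorPrint", "local"), color_users)
    try:
        d.add_member(color_print, d.create("SALES", "SalesStaff", "global"))
        r["reverse_refused"] = False
    except ValueError:
        r["reverse_refused"] = True
    # Delete the local group and recreate it under the same name: the new group has
    # a new SID, the printer's ACE still names the old one, and access is not restored.
    old_sid = color_print.sid
    d.delete(color_print)
    color_print = d.create("ENGINEERING", "ColorPrint", "local")
    d.add_member(color_print, color_users)
    r["sid_changed"] = color_print.sid != old_sid
    r["after_recreate"] = "Print" in access_check(d, alice, printer_acl)
    return r
```

Running `demo()` yields `alice_can_print` and `sid_changed` true and `after_removal` and `after_recreate` false, with the reverse nesting refused. The model deliberately resolves membership the way the text describes it (user, then global groups, then local groups, one level each); the point of the last step is that the stale ACE on the printer is not an error you will be warned about, it is simply an entry that no longer matches any SID.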

For information about how to delete groups, see "Deleting a Local Group" and "Deleting a Global Group" in User Manager for Domains Help.
