Windows 2000 allows you to organize users and other objects into groups for easy access permission administration. Defining security groups is a major security task. Security groups can be described according to their scope, such as Global groups or Universal groups, as well as according to their purpose, rights, and role, such as the Everyone group or the Administrators group.

The Windows 2000 security groups let you assign the same security permissions to large numbers of users. This ensures consistent security permissions across all members of a group. Using security groups to assign permissions means the access control on resources remains fairly static and easy to control and audit. Users who need access are added or removed from the appropriate security groups as needed, and the access control lists change infrequently.

How Security Groups Work

Depending on the environment you are working in, you might encounter any of the four main types of security groups:

  • Domain local groups, which are best used for granting access rights to resources such as file systems or printers that are located on any computer in the domain where common access permissions are required.

  • Global groups, which are used for combining users who share a common access profile based on job function or business role.

  • Universal groups, which are used in larger, multi-domain organizations where there is a need to grant access to similar groups of accounts defined in multiple domains. Universal groups are used only in multiple domain trees or forests that have a global catalog.

  • Computer local groups, which are security groups specific to a computer and not recognized elsewhere in the domain.

For more information about working with the four different types of groups, see the Deployment Planning Guide .

Permissions of Security Groups

Windows 2000 includes a number of preconfigured groups including the following:

  • Guests : This group allows occasional or one-time users to log on to a workstations built-in Guest account and be granted limited abilities. Members of the Guest group can also shut down the system. The built-in guest account is disabled by default.

  • Users : Members of this group (normal authenticated users) do not have broad read/write permission as they did in Windows NT 4.0. These users have read-only permission for most parts of the system and read/write permission in their own profile folders. Users cannot read other users data, install applications that require modification of system directories, or perform administrative tasks.

  • Power Users : Members of this group have all the access permissions that Users and Power Users had in Windows NT 4.0. Power Users have read/write permission to other parts of the system in addition to their own profile folders. Power Users can install applications and perform many administrative tasks. If you are running applications that have not been certified for use with Windows 2000, users will need to have Power User privileges.

  • Backup Operators : Members of this group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

  • Administrators : Members of this group have total control of the desktop, allowing them to complete all tasks. Members of the Administrators group have the same level of rights and permissions they did for Windows NT 4.0. There is also a built-in administrator account that allows administration of the computer. The administrator account is the first account that is created when Windows 2000 is installed.

Prerequisites for Implementing Security Groups

Security groups are a built-in feature of Windows 2000. No special installation or prerequisite is required.

Implementing Security Groups

To create new users and place them in Security groups, use the Computer Management snap-in of MMC. For more information about creating new users, see Windows 2000 Professional Help.