Appendix B: Privileged Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. This appendix begins by discussing rights, privileges, and permissions, followed by information about the "highest privilege" accounts and groups in Active Directory, that is, the most powerful accounts and groups.

Information is also provided about built-in and default accounts and groups in Active Directory, in addition to their rights. Although specific configuration recommendations for securing the highest privilege accounts and groups are provided as separate appendices, this appendix provides background information that helps you identify the users and groups you should focus on securing. You should do so because they can be leveraged by attackers to compromise and even destroy your Active Directory installation.

Rights, Privileges, and Permissions in Active Directory

The differences between rights, permissions, and privileges can be confusing and contradictory, even within documentation from Microsoft. This section describes some of the characteristics of each as they are used in this document. These descriptions should not be considered authoritative for other Microsoft documentation, because it may use these terms differently.

Rights and Privileges

Rights and privileges are effectively the same system-wide capabilities that are granted to security principals such as users, services, computers, or groups. In interfaces typically used by IT professionals, these are usually referred to as "rights" or "user rights," and they are often assigned by Group Policy Objects. The following screenshot shows some of the most common user rights that can be assigned to security principals (it represents the Default Domain Controllers GPO in a Windows Server 2012 domain). Some of these rights apply to Active Directory, such as the Enable computer and user accounts to be trusted for delegation user right, while other rights apply to the Windows operating system, such as Change the system time.

[Screenshot: privileged accounts and groups (user rights assignment in the Default Domain Controllers GPO)]

In interfaces such as the Group Policy Object Editor, all of these assignable capabilities are referred to broadly as user rights. In reality, however, some user rights are programmatically referred to as rights, while others are programmatically referred to as privileges. Table B-1: User Rights and Privileges lists some of the most common assignable user rights and their programmatic constants; although Group Policy and other interfaces refer to all of these as user rights, some are programmatically identified as rights, while others are defined as privileges.

For more information about each of the user rights listed in the following table, see Threats and Countermeasures Guide: User Rights in the Threats and Vulnerabilities Mitigation guide for Windows Server 2008 R2 on the Microsoft TechNet site. For information applicable to Windows Server 2008, see User Rights in the Threats and Vulnerabilities Mitigation documentation on the Microsoft TechNet site. As of the writing of this document, corresponding documentation for Windows Server 2012 is not yet published.

Note

For the purposes of this document, the terms "rights" and "user rights" are used to identify rights and privileges unless otherwise specified.

Table B-1: User Rights and Privileges

User Right in Group Policy                                     | Name of Constant
---------------------------------------------------------------|----------------------------------
Access Credential Manager as a trusted caller                  | SeTrustedCredManAccessPrivilege
Access this computer from the network                          | SeNetworkLogonRight
Act as part of the operating system                            | SeTcbPrivilege
Add workstations to domain                                     | SeMachineAccountPrivilege
Adjust memory quotas for a process                             | SeIncreaseQuotaPrivilege
Allow log on locally                                           | SeInteractiveLogonRight
Allow log on through Terminal Services                         | SeRemoteInteractiveLogonRight
Back up files and directories                                  | SeBackupPrivilege
Bypass traverse checking                                       | SeChangeNotifyPrivilege
Change the system time                                         | SeSystemtimePrivilege
Change the time zone                                           | SeTimeZonePrivilege
Create a pagefile                                              | SeCreatePagefilePrivilege
Create a token object                                          | SeCreateTokenPrivilege
Create global objects                                          | SeCreateGlobalPrivilege
Create permanent shared objects                                | SeCreatePermanentPrivilege
Create symbolic links                                          | SeCreateSymbolicLinkPrivilege
Debug programs                                                 | SeDebugPrivilege
Deny access to this computer from the network                  | SeDenyNetworkLogonRight
Deny log on as a batch job                                     | SeDenyBatchLogonRight
Deny log on as a service                                       | SeDenyServiceLogonRight
Deny log on locally                                            | SeDenyInteractiveLogonRight
Deny log on through Terminal Services                          | SeDenyRemoteInteractiveLogonRight
Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege
Force shutdown from a remote system                            | SeRemoteShutdownPrivilege
Generate security audits                                       | SeAuditPrivilege
Impersonate a client after authentication                      | SeImpersonatePrivilege
Increase a process working set                                 | SeIncreaseWorkingSetPrivilege
Increase scheduling priority                                   | SeIncreaseBasePriorityPrivilege
Load and unload device drivers                                 | SeLoadDriverPrivilege
Lock pages in memory                                           | SeLockMemoryPrivilege
Log on as a batch job                                          | SeBatchLogonRight
Log on as a service                                            | SeServiceLogonRight
Manage auditing and security log                               | SeSecurityPrivilege
Modify an object label                                         | SeRelabelPrivilege
Modify firmware environment values                             | SeSystemEnvironmentPrivilege
Perform volume maintenance tasks                               | SeManageVolumePrivilege
Profile single process                                         | SeProfileSingleProcessPrivilege
Profile system performance                                     | SeSystemProfilePrivilege
Remove computer from docking station                           | SeUndockPrivilege
Replace a process level token                                  | SeAssignPrimaryTokenPrivilege
Restore files and directories                                  | SeRestorePrivilege
Shut down the system                                           | SeShutdownPrivilege
Synchronize directory service data                             | SeSyncAgentPrivilege
Take ownership of files or other objects                       | SeTakeOwnershipPrivilege
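The constants in Table B-1 are what you see when user rights are exported from a domain controller with `secedit /export` (or read from a GPO's GptTmpl.inf). The following script, an added example that is not part of this appendix, parses that export, maps constants back to their Group Policy names, and flags high-impact rights granted to anyone other than the built-in Administrators group; the template text and the domain SID prefix S-1-5-21-1-2-3 are constructed.

```python
"""Audit user-rights assignments in an exported security template.

Added example, not part of the original appendix. Parses the
[Privilege Rights] section written by `secedit /export` (same format as
a GPO's GptTmpl.inf), maps constants from Table B-1 to Group Policy
names, and reports high-impact rights held by principals other than
Administrators. The sample template and domain SID are constructed.
"""

# Constant -> user right as shown in Group Policy (subset of Table B-1).
USER_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeDebugPrivilege": "Debug programs",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeEnableDelegationPrivilege":
        "Enable computer and user accounts to be trusted for delegation",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeSyncAgentPrivilege": "Synchronize directory service data",
    "SeNetworkLogonRight": "Access this computer from the network",
}

# Rights whose holder can bypass object permissions or act as the OS on a
# domain controller; the appendix explains why these defeat ACLs.
HIGH_IMPACT = {
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege",
    "SeEnableDelegationPrivilege", "SeLoadDriverPrivilege", "SeSyncAgentPrivilege",
}

ADMINISTRATORS_SID = "S-1-5-32-544"          # built-in Administrators (BA)
KNOWN_SIDS = {
    ADMINISTRATORS_SID: "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-1-0": "Everyone",
    "S-1-5-21-1-2-3-512": "Domain Admins",    # constructed domain SID prefix
    "S-1-5-21-1-2-3-519": "Enterprise Admins",
}

def parse_privilege_rights(template_text):
    """Return {constant: [principal, ...]} from the [Privilege Rights] section.

    secedit writes comma-separated SIDs prefixed with '*'; the prefix is
    stripped so entries compare directly against well-known SID strings.
    """
    rights, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def find_excess_grants(rights):
    """Sorted (user right name, principal) pairs where a high-impact right
    is held by anyone other than the built-in Administrators group."""
    findings = []
    for constant, principals in rights.items():
        if constant in HIGH_IMPACT:
            for sid in principals:
                if sid != ADMINISTRATORS_SID:
                    findings.append((USER_RIGHTS.get(constant, constant),
                                     KNOWN_SIDS.get(sid, sid)))
    return sorted(findings)

# Constructed sample resembling a Default Domain Controllers template:
# Backup/Server Operators hold backup and restore, and a custom group
# (RID 1105) has been handed the debug and delegation rights.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1-2-3-1105
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1-2-3-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, holder in find_excess_grants(parse_privilege_rights(SAMPLE_TEMPLATE)):
        print(f"{holder}: {right}")
```

Unknown SIDs are printed raw so that a custom group or user holding a privileged right stands out for follow-up in the directory.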

Permissions

Permissions are access controls that are applied to securable objects such as the file system, registry, service, and Active Directory objects. Each securable object has an associated access control list (ACL), which contains access control entries (ACEs) that grant or deny security principals (users, services, computers, or groups) the ability to perform various operations on the object. For example, the ACLs for many objects in Active Directory contain ACEs that allow Authenticated Users to read general information about the objects, but do not grant them the ability to read sensitive information or to change the objects. With the exception of each domain's built-in Guest account, every security principal that logs on and is authenticated by a domain controller in an Active Directory forest or a trusted forest has the Authenticated Users Security Identifier (SID) added to its access token by default. Therefore, whether a user, service, or computer account attempts to read general properties on user objects in a domain, the read operation is successful.

If a security principal attempts to access an object for which no ACEs are defined that contain a SID present in the principal's access token, the principal cannot access the object. Moreover, if an ACE in an object's ACL contains a deny entry for a SID that matches the user's access token, the "deny" ACE will generally override a conflicting "allow" ACE. For more information about access control in Windows, see Access Control on the MSDN website.

Within this document, permissions refers to capabilities that are granted or denied to security principals on securable objects. Whenever there is a conflict between a user right and a permission, the user right generally takes precedence. For example, if an object in Active Directory has been configured with an ACL that denies Administrators all read and write access to the object, a user who is a member of the domain's Administrators group will be unable to view much information about the object. However, because the Administrators group is granted the user right "Take ownership of files or other objects," the user can simply take ownership of the object in question, then rewrite the object's ACL to grant Administrators full control of the object.

It is for this reason that this document encourages you to avoid using powerful accounts and groups for day-to-day administration, rather than trying to restrict the capabilities of the accounts and groups. It is not effectively possible to stop a determined user who has access to powerful credentials from using those credentials to gain access to any securable resource.
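The deny-overrides-allow rule and the take-ownership example above can be traced step by step in a small model of the Windows access check. This is an added example, not code from the appendix: the ACE-walking logic follows the documented rules for a canonically ordered DACL, while the access-mask bit values, the object, its ACL and the SIDs (domain prefix S-1-5-21-1-2-3) are constructed.

```python
"""Why a user right overrides a permission: a minimal model of the
Windows access check plus the 'Take ownership' right.

Added example, not part of the original appendix. The access check walks
a canonically ordered DACL the way Windows does; mask bit values, SIDs
(domain prefix S-1-5-21-1-2-3) and the object are constructed.
"""
from dataclasses import dataclass

# Access-mask bits (illustrative values, not the real Windows constants).
READ, WRITE, WRITE_DAC, WRITE_OWNER = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | WRITE_DAC | WRITE_OWNER

ADMINISTRATORS = "S-1-5-32-544"              # built-in Administrators (BA)
AUTHENTICATED_USERS = "S-1-5-11"
DOMAIN_ADMINISTRATOR = "S-1-5-21-1-2-3-500"  # the domain's Administrator account
OWNER_USER = "S-1-5-21-1-2-3-1104"           # constructed current owner
SE_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"

@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    sid: str
    mask: int

@dataclass
class Token:
    user_sid: str
    groups: frozenset
    privileges: frozenset = frozenset()   # user rights held by the principal

    def sids(self):
        return self.groups | {self.user_sid}

@dataclass
class SecurableObject:
    owner: str
    dacl: list

def access_check(obj, token, requested):
    """Walk the DACL in order (canonical order puts explicit denies first).
    A matching deny ACE that covers a still-wanted bit fails the check;
    matching allow ACEs clear wanted bits; success once nothing is left.
    The owner is implicitly granted WRITE_DAC regardless of the DACL."""
    remaining = requested
    if obj.owner in token.sids():
        remaining &= ~WRITE_DAC
    for ace in obj.dacl:
        if remaining == 0:
            break
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

def take_ownership(obj, token):
    """'Take ownership of files or other objects' is a user right: it is
    checked against the token's privileges, not the object's DACL."""
    if SE_TAKE_OWNERSHIP not in token.privileges:
        raise PermissionError("SeTakeOwnershipPrivilege not held")
    obj.owner = token.user_sid

def set_dacl(obj, token, new_dacl):
    """Rewriting the ACL needs WRITE_DAC, which the owner always has."""
    if not access_check(obj, token, WRITE_DAC):
        raise PermissionError("WRITE_DAC denied")
    obj.dacl = list(new_dacl)

def build_scenario():
    """An AD object whose ACL denies Administrators everything, and a
    domain Administrator token that carries the take-ownership right."""
    obj = SecurableObject(owner=OWNER_USER, dacl=[
        Ace("deny", ADMINISTRATORS, FULL_CONTROL),
        Ace("allow", AUTHENTICATED_USERS, READ),
    ])
    admin = Token(DOMAIN_ADMINISTRATOR,
                  frozenset({ADMINISTRATORS, AUTHENTICATED_USERS}),
                  frozenset({SE_TAKE_OWNERSHIP}))
    return obj, admin

def right_overrides_permission():
    """Return (can read before, can read after) for the appendix's example."""
    obj, admin = build_scenario()
    before = access_check(obj, admin, READ)       # deny ACE wins
    take_ownership(obj, admin)                    # user right ignores the ACL
    set_dacl(obj, admin, [Ace("allow", ADMINISTRATORS, FULL_CONTROL)])
    after = access_check(obj, admin, READ)        # ACL now grants the read
    return before, after

if __name__ == "__main__":
    print(right_overrides_permission())
```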

Built-in Privileged Accounts and Groups

Active Directory is intended to facilitate delegation of administration and the principle of least privilege in assigning rights and permissions. "Regular" users who have accounts in an Active Directory domain are, by default, able to read much of what is stored in the directory, but are able to change only a very limited set of data in the directory. Users who require additional privilege can be granted membership in various privileged groups that are built into the directory so that they may perform specific tasks related to their roles, but cannot perform tasks that are not relevant to their duties.

Within Active Directory, there are three built-in groups that comprise the highest privilege groups in the directory: the Enterprise Admins (EA) group, the Domain Admins (DA) group, and the built-in Administrators (BA) group.

A fourth group, the Schema Admins (SA) group, has privileges that, if abused, can damage or destroy an entire Active Directory forest, but this group is more restricted in its capabilities than the EA, DA, and BA groups.

In addition to these four groups, there are a number of additional built-in and default accounts and groups in Active Directory, each of which is granted rights and permissions that allow specific administrative tasks to be performed. Although this appendix does not provide a thorough discussion of every built-in or default group in Active Directory, it does provide a table of the groups and accounts that you are most likely to see in your installations.

For example, if you install Microsoft Exchange Server into an Active Directory forest, additional accounts and groups may be created in the Built-in and Users containers in your domains. This appendix describes only the groups and accounts that are created in the Built-in and Users containers in Active Directory, based on native roles and features. Accounts and groups that are created by the installation of enterprise software are not included.

Enterprise Admins

The Enterprise Admins (EA) group is located in the forest root domain, and by default, it is a member of the built-in Administrators group in every domain in the forest. The Built-in Administrator account in the forest root domain is the only default member of the EA group. EAs are granted rights and permissions that allow them to make forest-wide changes. These are changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels. In a properly designed and implemented delegation model, EA membership is required only when first constructing the forest or when making certain forest-wide changes such as establishing an outbound forest trust.

The EA group is located by default in the Users container in the forest root domain, and it is a universal security group, unless the forest root domain is running in Windows 2000 Server mixed mode, in which case the group is a global security group. Although some rights are granted directly to the EA group, many of this group's rights are actually inherited by the EA group because it is a member of the Administrators group in each domain in the forest. Enterprise Admins have no default rights on workstations or member servers.

Domain Admins

Each domain in a forest has its own Domain Admins (DA) group, which is a member of that domain's built-in Administrators (BA) group in addition to being a member of the local Administrators group on every computer that is joined to the domain. The only default member of the DA group for a domain is the Built-in Administrator account for that domain.

DAs are all-powerful within their domains, while EAs have forest-wide privilege. In a properly designed and implemented delegation model, DA membership should be required only in "break glass" scenarios, which are situations in which an account with high levels of privilege on every computer in the domain is needed, or when certain domain-wide changes must be made. Although native Active Directory delegation mechanisms do allow delegation to the extent that it is possible to use DA accounts only in emergency scenarios, constructing an effective delegation model can be time consuming, and many organizations use third-party applications to expedite the process.

The DA group is a global security group located in the Users container for the domain. There is one DA group for each domain in the forest, and the only default member of a DA group is the domain's Built-in Administrator account. Because a domain's DA group is nested in the domain's BA group and in every domain-joined system's local Administrators group, DAs not only have permissions that are specifically granted to Domain Admins, but they also inherit all rights and permissions granted to the domain's Administrators group and to the local Administrators group on all systems joined to the domain.

Administrators

The built-in Administrators (BA) group is a domain local group in a domain's Built-in container into which DAs and EAs are nested, and it is this group that is granted many of the direct rights and permissions in the directory and on domain controllers. However, the Administrators group for a domain does not have any privileges on member servers or on workstations. Membership in domain-joined computers' local Administrators group is where local privilege is granted, and of the groups discussed, only DAs are members of all domain-joined computers' local Administrators groups by default.

The Administrators group is a domain-local group in the domain's Built-in container. By default, every domain's BA group contains the local domain's Built-in Administrator account, the local domain's DA group, and the forest root domain's EA group. Many user rights in Active Directory and on domain controllers are granted specifically to the Administrators group, not to EAs or DAs. A domain's BA group is granted full control permissions on most directory objects, and can take ownership of directory objects. Although the EA and DA groups are granted certain object-specific permissions in the forest and domains, much of the power of these groups is actually "inherited" from their membership in BA groups.

Note

Although these are the default configurations of these privileged groups, a member of any one of the three groups can manipulate the directory to gain membership in any of the other groups. In some cases, it is trivial to achieve, while in others it is more difficult, but from the perspective of potential privilege, all three groups should be considered effectively equivalent.

Schema Admins

The Schema Admins (SA) group is a universal group in the forest root domain and has only that domain's Built-in Administrator account as a default member, similar to the EA group. Although membership in the SA group can allow an attacker to compromise the Active Directory schema, which is the framework for the entire Active Directory forest, SAs have few default rights and permissions beyond the schema.

You should carefully manage and monitor membership in the SA group, but in some respects, this group is "less privileged" than the three highest privileged groups described earlier because the scope of its privilege is very narrow; that is, SAs have no administrative rights anywhere other than the schema.
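Because the EA, DA, BA and SA groups gain most of their reach through nesting, a membership audit has to resolve nested groups before comparing against the defaults described in the sections above. The following script does that; it is an added example, not part of this appendix, and its membership graph is a constructed stand-in for the output of an AD query such as Get-ADGroupMember, with every domain, group and account name made up.

```python
"""Resolve effective membership of the EA, DA, BA and SA groups through
nesting and report principals that are not the default members.

Added example, not part of the original appendix. MEMBERSHIP is a
constructed stand-in for an AD query result (e.g. Get-ADGroupMember);
all domain, group and account names are made up.
"""
from collections import deque

ROOT_DOMAIN = "CORP"   # forest root; EMEA is a constructed child domain

# group -> direct members; a member that is itself a key is a nested group.
MEMBERSHIP = {
    "CORP\\Enterprise Admins": ["CORP\\Administrator"],
    "CORP\\Schema Admins": ["CORP\\Administrator", "CORP\\svc-exchange"],
    "CORP\\Domain Admins": ["CORP\\Administrator", "CORP\\Tier0-Ops"],
    "CORP\\Administrators": ["CORP\\Administrator", "CORP\\Domain Admins",
                             "CORP\\Enterprise Admins"],
    "CORP\\Tier0-Ops": ["CORP\\alice"],
    "EMEA\\Domain Admins": ["EMEA\\Administrator", "EMEA\\Server-Team"],
    "EMEA\\Administrators": ["EMEA\\Administrator", "EMEA\\Domain Admins",
                             "CORP\\Enterprise Admins"],
    "EMEA\\Server-Team": ["EMEA\\Helpdesk", "EMEA\\bob"],
    "EMEA\\Helpdesk": ["EMEA\\carol", "EMEA\\dave"],
}

PRIVILEGED = ("Enterprise Admins", "Domain Admins", "Administrators", "Schema Admins")

def default_members(group):
    """Default membership as the appendix describes it: EA and SA hold only
    the forest root's Administrator account, DA holds the domain's
    Administrator account, and BA holds the domain's Administrator account,
    its DA group and the root domain's EA group."""
    domain, name = group.split("\\", 1)
    if name in ("Enterprise Admins", "Schema Admins"):
        return {f"{ROOT_DOMAIN}\\Administrator"}
    if name == "Domain Admins":
        return {f"{domain}\\Administrator"}
    if name == "Administrators":
        return {f"{domain}\\Administrator", f"{domain}\\Domain Admins",
                f"{ROOT_DOMAIN}\\Enterprise Admins"}
    return set()

def effective_members(group, membership):
    """Map each leaf principal reachable from `group` through any depth of
    nesting to the shortest nesting path that reaches it (BFS, so cyclic
    nesting is tolerated)."""
    found, seen = {}, {group}
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in membership.get(current, []):
            if member in membership:           # nested group: keep walking
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:                              # user or computer account
                found.setdefault(member, path + [member])
    return found

def non_default_members(group, membership):
    """Effective principals of `group` not explained by default nesting."""
    allowed = set()
    for default in default_members(group):
        allowed.add(default)
        allowed |= default_members(default)    # expand default nested groups
    return {user: path
            for user, path in effective_members(group, membership).items()
            if user not in allowed}

def audit_forest(membership):
    """{privileged group: sorted non-default effective principals}."""
    return {g: sorted(non_default_members(g, membership))
            for g in membership if g.split("\\", 1)[1] in PRIVILEGED}

if __name__ == "__main__":
    for group, users in audit_forest(MEMBERSHIP).items():
        paths = non_default_members(group, MEMBERSHIP)
        for user in users:
            print(f"{group}: {user} via {' -> '.join(paths[user])}")
```

The reported path shows which intermediate group (here the constructed Server-Team and Helpdesk groups) carries a principal into a privileged group, which is usually the membership that needs to be removed.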

Additional Built-in and Default Groups in Active Directory

To facilitate delegating administration in the directory, Active Directory ships with various built-in and default groups that have been granted specific rights and permissions. These groups are described briefly in the following table.

The following table lists the built-in and default groups in Active Directory. Both sets of groups exist by default; however, built-in groups are located (by default) in the Built-in container in Active Directory, while default groups are located (by default) in the Users container in Active Directory. Groups in the Built-in container are all Domain Local groups, while groups in the Users container are a mixture of Domain Local, Global, and Universal groups, in addition to three individual user accounts (Administrator, Guest, and Krbtgt).

In addition to the highest privileged groups described earlier in this appendix, some built-in and default accounts and groups are granted elevated privileges and should also be protected and used only on secure administrative hosts. These groups and accounts can be found in the shaded rows in Table B-1: Built-in and Default Groups and Accounts in Active Directory. Because some of these groups and accounts are granted rights and permissions that can be misused to compromise Active Directory or domain controllers, they are afforded additional protections as described in Appendix C: Protected Accounts and Groups in Active Directory.

Table B-1: Built-in and Default Accounts and Groups in Active Directory

Each entry gives the account or group; its default container, group scope and type; and its description and default user rights.

Access Control Assistance Operators (Active Directory in Windows Server 2012)
Built-in container; domain-local security group.
Members of this group can remotely query authorization attributes and permissions for resources on this computer.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Account Operators
Built-in container; domain-local security group.
Members can administer domain user and group accounts.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Administrator account
Users container; not a group.
Built-in account for administering the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Remote Desktop Services
  Back up files and directories
  Bypass traverse checking
  Change the system time
  Change the time zone
  Create a pagefile
  Create global objects
  Create symbolic links
  Debug programs
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a client after authentication
  Increase a process working set
  Increase scheduling priority
  Load and unload device drivers
  Log on as a batch job
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Administrators group
Built-in container; domain-local security group.
Administrators have complete and unrestricted access to the domain.
Direct user rights:
  Access this computer from the network
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Remote Desktop Services
  Back up files and directories
  Bypass traverse checking
  Change the system time
  Change the time zone
  Create a pagefile
  Create global objects
  Create symbolic links
  Debug programs
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Log on as a batch job
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
Allowed RODC Password Replication Group
Users container; domain-local security group.
Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Backup Operators
Built-in container; domain-local security group.
Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
Direct user rights: Allow log on locally; Back up files and directories; Log on as a batch job; Restore files and directories; Shut down the system
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Cert Publishers
Users container; domain-local security group.
Members of this group are permitted to publish certificates to the directory.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Certificate Service DCOM Access
Built-in container; domain-local security group.
If Certificate Services is installed on a domain controller (not recommended), this group grants DCOM enrollment access to Domain Users and Domain Computers.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Cloneable Domain Controllers (AD DS in Windows Server 2012)
Users container; global security group.
Members of this group that are domain controllers may be cloned.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set

Cryptographic Operators
Built-in container; domain-local security group.
Members are authorized to perform cryptographic operations.
Direct user rights: None
Inherited user rights: Access this computer from the network; Add workstations to domain; Bypass traverse checking; Increase a process working set
调试器用户Debugger Users 这既不是默认值,也不是内置组,但在 AD DS 中,会导致进一步调查。This is neither a default nor a built-in group, but when present in AD DS, is cause for further investigation. 调试器用户组的存在指示在某个时间点已在系统上安装了调试工具,不管是通过 Visual Studio、SQL、Office 还是需要并支持调试环境的其他应用程序。The presence of a Debugger Users group indicates that debugging tools have been installed on the system at some point, whether via Visual Studio, SQL, Office, or other applications that require and support a debugging environment. 此组允许对计算机进行远程调试访问。This group allows remote debugging access to computers. 如果此组在域级别存在,则表示已在域控制器上安装了调试器或包含调试器的应用程序。When this group exists at the domain level, it indicates that a debugger or an application that contains a debugger has been installed on a domain controller.
拒绝的 RODC 密码复制组Denied RODC Password Replication Group 用户容器Users container

域本地安全组Domain-local security group

此组中的成员不能将其密码复制到域中的任何只读域控制器。Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.

直接用户权限: 内容Direct user rights: None

继承的用户权限:Inherited user rights:

从网络访问此计算机Access this computer from the network

将工作站添加到域Add workstations to domain

跳过遍历检查Bypass traverse checking

增加进程工作集Increase a process working set

DHCP Administrators
Container: Users container
Group type: Domain-local security group
Members of this group have administrative access to the DHCP Server service.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

DHCP Users
Container: Users container
Group type: Domain-local security group
Members of this group have view-only access to the DHCP Server service.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Distributed COM Users
Container: Built-in container
Group type: Domain-local security group
Members of this group are allowed to launch, activate, and use distributed COM objects on this computer.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

DnsAdmins
Container: Users container
Group type: Domain-local security group
Members of this group have administrative access to the DNS Server service.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

DnsUpdateProxy
Container: Users container
Group type: Global security group
Members of this group are DNS clients who are permitted to perform dynamic updates on behalf of clients that cannot themselves perform dynamic updates. Members of this group are typically DHCP servers.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Domain Admins
Container: Users container
Group type: Global security group
Designated administrators of the domain; Domain Admins is a member of every domain-joined computer's local Administrators group and receives the rights and permissions granted to the local Administrators group, in addition to those of the domain's Administrators group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Remote Desktop Services
  Back up files and directories
  Bypass traverse checking
  Change the system time
  Change the time zone
  Create a pagefile
  Create global objects
  Create symbolic links
  Debug programs
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a client after authentication
  Increase a process working set
  Increase scheduling priority
  Load and unload device drivers
  Log on as a batch job
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects

Domain Computers
Container: Users container
Group type: Global security group
All workstations and servers that are joined to the domain are by default members of this group.
Default direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Domain Controllers
Container: Users container
Group type: Global security group
All domain controllers in the domain. Note: domain controllers are not members of the Domain Computers group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Domain Guests
Container: Users container
Group type: Global security group
All guests in the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Domain Users
Container: Users container
Group type: Global security group
All users in the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Enterprise Admins (exists only in forest root domain)
Container: Users container
Group type: Universal security group
Enterprise Admins have permissions to change forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators group and receives the rights and permissions granted to that group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Adjust memory quotas for a process
  Allow log on locally
  Allow log on through Remote Desktop Services
  Back up files and directories
  Bypass traverse checking
  Change the system time
  Change the time zone
  Create a pagefile
  Create global objects
  Create symbolic links
  Debug programs
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Impersonate a client after authentication
  Increase a process working set
  Increase scheduling priority
  Load and unload device drivers
  Log on as a batch job
  Manage auditing and security log
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile single process
  Profile system performance
  Remove computer from docking station
  Restore files and directories
  Shut down the system
  Take ownership of files or other objects
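The rights lists for Domain Admins and Enterprise Admins above describe what is granted by default; what matters on a given domain controller is the user rights assignment actually in effect. The following added example (not code from the Microsoft appendix) exports that assignment with secedit, a built-in Windows tool, and maps the privilege constants in the export to the display names used in this table. The constructed sample export used when secedit is unavailable, and the short "Administrators only" list at the end, are this example's own assumptions drawn from the table entries in this appendix.

```powershell
# Added example; not part of the Microsoft appendix. Exports the user rights
# assignment in effect on the machine it runs on (run on a domain controller)
# and reports each right under the display name used in this table.

# Privilege constants as they appear in a secedit export, keyed to the
# display names in the rights lists above.
$privilegeNames = @{
    SeNetworkLogonRight             = 'Access this computer from the network'
    SeMachineAccountPrivilege       = 'Add workstations to domain'
    SeIncreaseQuotaPrivilege        = 'Adjust memory quotas for a process'
    SeInteractiveLogonRight         = 'Allow log on locally'
    SeRemoteInteractiveLogonRight   = 'Allow log on through Remote Desktop Services'
    SeBackupPrivilege               = 'Back up files and directories'
    SeChangeNotifyPrivilege         = 'Bypass traverse checking'
    SeSystemtimePrivilege           = 'Change the system time'
    SeTimeZonePrivilege             = 'Change the time zone'
    SeCreatePagefilePrivilege       = 'Create a pagefile'
    SeCreateGlobalPrivilege         = 'Create global objects'
    SeCreateSymbolicLinkPrivilege   = 'Create symbolic links'
    SeDebugPrivilege                = 'Debug programs'
    SeEnableDelegationPrivilege     = 'Enable computer and user accounts to be trusted for delegation'
    SeRemoteShutdownPrivilege       = 'Force shutdown from a remote system'
    SeImpersonatePrivilege          = 'Impersonate a client after authentication'
    SeIncreaseWorkingSetPrivilege   = 'Increase a process working set'
    SeIncreaseBasePriorityPrivilege = 'Increase scheduling priority'
    SeLoadDriverPrivilege           = 'Load and unload device drivers'
    SeBatchLogonRight               = 'Log on as a batch job'
    SeSecurityPrivilege             = 'Manage auditing and security log'
    SeSystemEnvironmentPrivilege    = 'Modify firmware environment values'
    SeManageVolumePrivilege         = 'Perform volume maintenance tasks'
    SeProfileSingleProcessPrivilege = 'Profile single process'
    SeSystemProfilePrivilege        = 'Profile system performance'
    SeUndockPrivilege               = 'Remove computer from docking station'
    SeRestorePrivilege              = 'Restore files and directories'
    SeShutdownPrivilege             = 'Shut down the system'
    SeTakeOwnershipPrivilege        = 'Take ownership of files or other objects'
}

function ConvertFrom-UserRightsExport {
    # Parses the [Privilege Rights] section of a secedit .inf export into
    # one object per (right, principal) pair.
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $constant = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',')) {
            $principal = $entry.Trim()
            if (-not $principal) { continue }
            if ($principal.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve them to names where possible.
                $sidText = $principal.Substring(1)
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier $sidText
                    $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $principal = $sidText }   # orphaned or unresolvable SID stays raw
            }
            [pscustomobject]@{
                Right     = if ($privilegeNames.ContainsKey($constant)) { $privilegeNames[$constant] } else { $constant }
                Constant  = $constant
                Principal = $principal
            }
        }
    }
}

if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $inf -Encoding Unicode   # secedit writes UTF-16
} else {
    # Constructed sample in secedit's format (S-1-5-32-544 is BUILTIN\Administrators,
    # 549 Server Operators, 551 Backup Operators).
    $lines = @(
        '[Privilege Rights]',
        'SeDebugPrivilege = *S-1-5-32-544',
        'SeTakeOwnershipPrivilege = *S-1-5-32-544',
        'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551'
    )
}
$rights = ConvertFrom-UserRightsExport -Lines $lines
$rights | Sort-Object Right, Principal | Format-Table Right, Principal -AutoSize

# Of the groups in this table, only Domain Admins and Enterprise Admins (through
# the Administrators group) hold these four rights; any other holder is worth a review.
$adminOnly = 'Debug programs', 'Take ownership of files or other objects',
             'Enable computer and user accounts to be trusted for delegation',
             'Manage auditing and security log'
$rights | Where-Object { $adminOnly -contains $_.Right -and $_.Principal -ne 'BUILTIN\Administrators' } |
    Format-Table Right, Principal -AutoSize
```

Rights such as "Back up files and directories" or "Load and unload device drivers" are deliberately not in the final filter, because the table itself grants them directly to Server Operators and Print Operators; the filter only covers rights the table attributes to the Administrators path alone.
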

Enterprise Read-only Domain Controllers
Container: Users container
Group type: Universal security group
This group contains the accounts for all read-only domain controllers in the forest.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Event Log Readers
Container: Built-in container
Group type: Domain-local security group
Members of this group can read the event logs on domain controllers.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Group Policy Creator Owners
Container: Users container
Group type: Global security group
Members of this group can create and modify Group Policy Objects in the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Guest
Container: Users container
Group type: Not a group
This is the only account in an AD DS domain that does not have the Authenticated Users SID added to its access token. Therefore, any resources that are configured to grant access to the Authenticated Users group will not be accessible to this account. This behavior is not true of members of the Domain Guests and Guests groups, however; members of those groups do have the Authenticated Users SID added to their access tokens.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Bypass traverse checking
  Increase a process working set

Guests
Container: Built-in container
Group type: Domain-local security group
Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Hyper-V Administrators (Windows Server 2012)
Container: Built-in container
Group type: Domain-local security group
Members of this group have complete and unrestricted access to all features of Hyper-V.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

IIS_IUSRS
Container: Built-in container
Group type: Domain-local security group
Built-in group used by Internet Information Services.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Incoming Forest Trust Builders (exists only in forest root domain)
Container: Built-in container
Group type: Domain-local security group
Members of this group can create incoming, one-way trusts to this forest. (Creation of outbound forest trusts is reserved for Enterprise Admins.)
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Krbtgt
Container: Users container
Group type: Not a group
The Krbtgt account is the service account for the Kerberos Key Distribution Center in the domain. This account has access to all accounts' credentials stored in Active Directory. This account is disabled by default and should never be enabled.
User rights: N/A

Network Configuration Operators
Container: Built-in container
Group type: Domain-local security group
Members of this group are granted privileges that allow them to manage the configuration of networking features.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Performance Log Users
Container: Built-in container
Group type: Domain-local security group
Members of this group can schedule logging of performance counters, enable trace providers, and collect event traces locally and via remote access to the computer.
Direct user rights:
  Log on as a batch job
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Performance Monitor Users
Container: Built-in container
Group type: Domain-local security group
Members of this group can access performance counter data locally and remotely.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Pre-Windows 2000 Compatible Access
Container: Built-in container
Group type: Domain-local security group
This group exists for backward compatibility with operating systems prior to Windows 2000 Server, and it provides the ability for members to read user and group information in the domain.
Direct user rights:
  Access this computer from the network
  Bypass traverse checking
Inherited user rights:
  Add workstations to domain
  Increase a process working set
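Because the read access described for Pre-Windows 2000 Compatible Access is granted to whoever is a member, the question for a defender is who those members are. The following added example (not code from the Microsoft appendix; it assumes the RSAT ActiveDirectory module and read access to the domain) reads the group's member attribute directly, which is more reliable than member enumeration when well-known principals are present, and labels the well-known SIDs that commonly appear there. The SID-to-name table is this example's own assumption, drawn from the Windows well-known SIDs.

```powershell
# Added example; not part of the Microsoft appendix. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs that may appear in this group's member list (assumed here;
# these are the standard Windows well-known SIDs).
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreWindows2000CompatibleAccessMember {
    # Read the member attribute rather than enumerating members, so that
    # foreign security principals (well-known SIDs) do not cause lookup errors.
    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreign security principals whose RDN is the SID.
        if ($dn -match '^CN=(S-\d-(\d+-)+\d+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            $label = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $sid }
            [pscustomobject]@{ Member = $label; Kind = 'foreign security principal'; DistinguishedName = $dn }
        } else {
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
            [pscustomobject]@{ Member = $obj.sAMAccountName; Kind = $obj.ObjectClass; DistinguishedName = $dn }
        }
    }
}

$members = @(Get-PreWindows2000CompatibleAccessMember)
$members | Format-Table Member, Kind -AutoSize

# The read access this group grants extends to every principal listed; these two
# are the broadest possible holders of it.
foreach ($broad in 'ANONYMOUS LOGON', 'Everyone') {
    if ($members.Member -contains $broad) {
        Write-Warning "'$broad' is a member of Pre-Windows 2000 Compatible Access; it can read user and group information in the domain."
    }
}
```

If the group turns out to be empty, the result is a single empty listing and no warning, which is the outcome to expect in a domain that has no pre-Windows 2000 clients left to support.
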

Print Operators
Container: Built-in container
Group type: Domain-local security group
Members of this group can administer domain printers.
Direct user rights:
  Allow log on locally
  Load and unload device drivers
  Shut down the system
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

RAS and IAS Servers
Container: Users container
Group type: Domain-local security group
Servers in this group can read remote access properties on user accounts in the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

RDS Endpoint Servers (Windows Server 2012)
Container: Built-in container
Group type: Domain-local security group
Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

RDS Management Servers (Windows Server 2012)
Container: Built-in container
Group type: Domain-local security group
Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

RDS Remote Access Servers (Windows Server 2012)
Container: Built-in container
Group type: Domain-local security group
Servers in this group give users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Read-only Domain Controllers
Container: Users container
Group type: Global security group
This group contains all read-only domain controllers in the domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Remote Desktop Users
Container: Built-in container
Group type: Domain-local security group
Members of this group are granted the right to log on remotely using RDP.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Remote Management Users (Windows Server 2012)
Container: Built-in container
Group type: Domain-local security group
Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Replicator
Container: Built-in container
Group type: Domain-local security group
Supports legacy file replication in a domain.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Schema Admins (exists only in forest root domain)
Container: Users container
Group type: Universal security group
Schema Admins are the only users who can make modifications to the Active Directory schema, and only if the schema is write-enabled.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set
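The entries for Domain Admins, Enterprise Admins, Schema Admins and Krbtgt above are the ones an attacker benefits most from and the ones a defender should inventory regularly. The following added example (not code from the Microsoft appendix; it assumes the RSAT ActiveDirectory module and an account allowed to read group membership) expands those groups, including the domain's Administrators group that the Domain Admins and Enterprise Admins entries refer to, flags members outside an expected list, and confirms that Krbtgt is disabled as the table says it should be. The expected-member names are constructed placeholders.

```powershell
# Added example; not part of the Microsoft appendix. Requires the RSAT
# ActiveDirectory module and an account allowed to read group membership.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembership {
    param(
        # The groups this appendix singles out as most powerful, plus the
        # domain's Administrators group they are members of.
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        # sAMAccountNames you expect to find. Constructed placeholders; replace with your own.
        [string[]]$ExpectedMembers = @('Administrator', 'adm-breakglass-01')
    )
    foreach ($name in $GroupNames) {
        try { $group = Get-ADGroup -Identity $name -ErrorAction Stop }
        catch { continue }   # Enterprise Admins and Schema Admins exist only in the forest root domain

        # Nested groups are a common way membership grows unnoticed; list them first.
        $nested = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'group')
        foreach ($g in $nested) {
            [pscustomobject]@{ Group = $name; Member = $g.SamAccountName; Kind = 'nested group'; Expected = $false }
        }
        # -Recursive flattens the nesting down to the accounts that can actually log on.
        foreach ($leaf in (Get-ADGroupMember -Identity $group -Recursive)) {
            [pscustomobject]@{
                Group    = $name
                Member   = $leaf.SamAccountName
                Kind     = $leaf.objectClass
                Expected = $ExpectedMembers -contains $leaf.SamAccountName
            }
        }
    }
}

function Get-KrbtgtStatus {
    # Enabled is returned by default; PasswordLastSet must be requested explicitly.
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [pscustomobject]@{ Account = $k.SamAccountName; Enabled = $k.Enabled; PasswordLastSet = $k.PasswordLastSet }
}

$membership = @(Get-PrivilegedGroupMembership)
$membership | Sort-Object Group, Member | Format-Table Group, Member, Kind, Expected -AutoSize

foreach ($m in ($membership | Where-Object { -not $_.Expected })) {
    Write-Warning "Unexpected member of $($m.Group): $($m.Member) ($($m.Kind))"
}

$krb = Get-KrbtgtStatus
if ($krb.Enabled) {
    # The table above: disabled by default and should never be enabled.
    Write-Warning 'Krbtgt is enabled; this account should never be enabled.'
}
$krb | Format-List
```

Running this from a child domain returns nothing for Enterprise Admins and Schema Admins, which is expected; their members still appear under Administrators because, as the table notes, Enterprise Admins is a member of every domain's Administrators group.
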

Server Operators
Container: Built-in container
Group type: Domain-local security group
Members of this group can administer domain servers.
Direct user rights:
  Allow log on locally
  Back up files and directories
  Change the system time
  Change the time zone
  Force shutdown from a remote system
  Restore files and directories
  Shut down the system
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Terminal Server License Servers
Container: Built-in container
Group type: Domain-local security group
Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage.
Default direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

Users
Container: Built-in container
Group type: Domain-local security group
Users have permissions that allow them to read many objects and attributes in Active Directory, although they cannot change most of them. Users are prevented from making accidental or intentional system-wide changes and can run most applications.
Direct user rights:
  Increase a process working set
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking

Windows Authorization Access Group
Container: Built-in container
Group type: Domain-local security group
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set

WinRMRemoteWMIUsers_ (Windows Server 2012)
Container: Users container
Group type: Domain-local security group
Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Direct user rights: None
Inherited user rights:
  Access this computer from the network
  Add workstations to domain
  Bypass traverse checking
  Increase a process working set