Built-in Groups
Although rights and permissions can be assigned to individual user accounts, they are much more commonly assigned to groups. If a user is a member of a group, and the group is granted specific rights and permissions, the user also has those rights and permissions.
Windows 7 and Windows domains both include many built-in groups. The built-in groups on a local system, and some of the built-in groups in a domain. These groups have been assigned specific rights and permissions to perform actions on systems and within domains.
You can access the Computer Management console to view local built-in groups via the Administrative Tools menu or by clicking Start, right-clicking Computer, and selecting Manage. You view domain built-in groups via the Active Directory Users and Computers console on a domain controller found in the Administrative Tools menu. There is a Builtin container, but additional built-in groups exist in the Users container.
Some of these groups deserve special mention:
- Administrators (local)
Members of the Administrators group on local computers (including Windows 7 computers) can do anything on that computer. The local administrator account is a member of this group, and the first account created on a Windows 7 computer when it is installed is a member of this group. - Administrators (domain)
Members of the domain Administrators group have complete and unrestricted access to computers in the domain. The domain administrator account, the Domain Admins group, and the Enterprise Admins group are all members of the domain Administrators group by default. - Domain Admins
Users in the Domain Admins group can do anything in the domain. This group is automatically added to the local Administrators group for every computer in the domain. It's also added to the domain Administrators group. - Enterprise Admins
Users in the Enterprise Admins group can do anything in the forest. A forest is a group of one or more domains, and users in this group have permissions to add, remove, and administer all of the domains in the forest. This group is a member of the domain Administrators group for every domain in the forest. - Power Users
Power Users is a local group added for backward compatibility. It was used on older operating systems to give a user additional permissions without putting the user in the Administrators group. - Server Operator
This is a special group on domain controllers. It grants members rights and permissions to administer the domain controller without granting them any permission in the domain. - Backup Operators
This group grants members the ability to back up and restore files.
In this tutorial:
- Managing Windows 7 in a Domain
- The Domain
- What is Wrong with Workgroups
- The Domain Concept
- Active Directory
- Domain Security
- Joining a Domain
- Windows 7 Offline Domain Join
- Browsing the Domain
- Searching the Domain
- Custom Searches
- Assigning Permissions to Domain Members
- The Double-Thick Security Trick
- Creating a Test Bed
- Creating a Domain
- Installing Windows Server 2008 on vPC
- Configuring a Windows Server 2008 Server
- Promoting a Server to a Domain Controller
- Joining Windows 7 to a Domain
- Authentication vs Authorization
- Authentication
- Authorization
- Built-in Groups
- Organizing Users with Groups
- Group Scope and Group Type
- Creating Users and Groups in a Domain
- Using HomeGroup with a Domain-Based Computer
- Identifying and Resolving Logon Issues
- Hardware vs. Network
- Using Cached Credentials
- Password Expiration
- Determining Logon Context
- Logon Hours Compliance
- Restricting Computer Access
- Time Synchronization
- Understanding User Profiles
- Standard Profiles
- Roaming Profiles
- Implementing Roaming Profiles
- Mandatory Profiles
- Super-Mandatory User Profiles
- Modifying the Default User Profile
- Configuring Settings with Scripts
- Anti-Malware Software
- Microsoft Windows 7 Defender
- Third-Party Anti-malware Software