
Groups

Groups, or group accounts, are collections of user accounts and can have permissions assigned to them just like user accounts. Most permissions are granted to groups, not individuals, and then individuals are made members of the groups. It is therefore important that you have a set of groups that handles both the mix of people in your organization and the mix of permissions that you want to establish. A number of standard groups with preassigned permissions are built into Windows Server 2008, but you can create your own groups, and you can assign users to any of these.

Look at the groups that are a standard part of Windows Server 2008 and see what permissions they contain, and then create your own if you need to. As with user accounts, you look at groups differently depending on whether you are on a stand-alone server or on an Active Directory domain controller.

Groups in Stand-Alone Servers and Workstations

To view and add groups in stand-alone servers or workstations, you need to use the Computer Management window, as follows:

  1. Click Start | Administrative Tools | Computer Management.
  2. In the left pane, open System Tools | Local Users And Groups, and double-click Groups. The list of built-in groups will be displayed.
  3. Double-click a few groups to open their respective Properties dialog boxes, in which you can see the members of each group.
  4. Click the Action menu and click New Group. The New Group dialog box opens.
  5. Enter a group name of up to 256 upper- or lowercase characters. It cannot contain just periods or just spaces; it can't contain " / \ [ ] : ; | = , + * ? < > @; and leading spaces or periods are dropped. Enter the description of what the group can uniquely do, and click Add. The Select Users dialog box opens.
  6. Click Advanced, enter a username and password if asked, click Find Now, hold down Ctrl, and select the users that you want to include in the group. Click OK. When you have selected all you want to include, click OK.
  7. When your group is the way you want it, click Create and then click Close. The new group will appear in the list on the right of the Computer Management window. Close that window when you are ready.
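
The same procedure can be scripted, which makes the naming rules in step 5 explicit and repeatable. This is an added example, not part of the original text: the function name, group name, description, and member accounts are hypothetical, and it assumes an elevated PowerShell prompt on the stand-alone server or workstation, where the built-in net localgroup command is available.

```powershell
# Added example: apply the group-name rules from step 5, then create the
# local group and add members. All names below are hypothetical.

function Get-NormalizedGroupName {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Step 5: leading spaces or periods are dropped.
    $normalized = $Name.TrimStart([char[]]' .')

    # A name made up of only periods or only spaces has nothing left.
    if ($normalized.Length -eq 0) {
        throw "Group name '$Name' contains only periods or spaces."
    }
    if ($normalized.Length -gt 256) {
        throw "Group name is $($normalized.Length) characters; the limit is 256."
    }

    # Characters that step 5 lists as not allowed: " / \ [ ] : ; | = , + * ? < > @
    $forbidden = '"/\[]:;|=,+*?<>@'.ToCharArray()
    $pos = $normalized.IndexOfAny($forbidden)
    if ($pos -ge 0) {
        throw "Group name contains the character '$($normalized[$pos])', which is not allowed."
    }
    return $normalized
}

$groupName   = 'Payroll Auditors'                      # hypothetical
$description = 'Read-only access to payroll reports'   # hypothetical
$members     = @('alice', 'bob')                       # hypothetical local accounts

$name = Get-NormalizedGroupName -Name $groupName

# Create the group with its description (steps 4 and 5).
net localgroup $name /add /comment:"$description"
if ($LASTEXITCODE -ne 0) { throw "Could not create group '$name'." }

# Add each member (step 6); report failures without stopping the loop.
foreach ($member in $members) {
    net localgroup $name $member /add
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add '$member' to '$name'." }
}

# List the resulting membership, as in step 3.
net localgroup $name
```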

Groups in Active Directory Domain Controllers

To view and add groups in an Active Directory domain controller, you need to use the Active Directory Users And Computers window. Within that window, you will find two sets of groups: those in the Builtin folder, which are similar to what you saw in the stand-alone server, and those in the Users folder, which are created by Active Directory. The Builtin groups are limited to the local domain (called a domain local scope), while the Users groups can be either domain-limited or not limited (called a global scope). Look at both sets of groups and add a new group to Users with the following steps:

  1. Click Start | Administrative Tools | Active Directory Users And Computers. The Active Directory Users And Computers window opens.
  2. In the left pane, open the domain in which you want to work, and then open the Builtin folder. You will see a list of groups that has many of the same groups that you saw on the stand-alone server.
  3. Click Users in the left pane. You will see a mixture of users and groups, but with a different set of groups, which support Active Directory and network operations.
  4. Click the View menu and click Filter Options. Click Show Only The Following Types Of Objects, click Groups, as shown next, and click OK. Once again, open the Users folder.
  5. Double-click several of the groups to open them. They contain substantially more information than the groups on the stand-alone servers and workstations.
  6. While Users is still selected in the left pane, click the Action menu and click New | Group. The New Object - Group dialog box opens.
  7. Enter a Group name of up to 256 characters. It cannot contain just periods or just spaces, and leading spaces or periods are dropped. Notice that the pre-Windows 2000 name is automatically filled in for you. Only the first 20 characters of this name will be used, so if you want, you can enter your own short group name in this field.
  8. Choose the group scope. Here are the scope choices:
    • Domain Local: Can contain users and global or universal groups from any Windows Server 2008 or Windows NT domain, but their permissions are limited to the current domain
    • Global: Can contain users and global groups only from the current domain, but they can be given permissions in any domain
    • Universal: Can contain users and global or universal groups from any Windows Server 2008 domain, and they can be given permission in any domain, but they are limited to distribution groups
  9. Choose a group type. Distribution groups are used for e-mail and fax distribution, whereas security groups are used to assign permission. Click OK when you are done.
  10. Right-click your new group and click Properties. The Properties dialog box opens. Enter a description and e-mail address.
  11. Click Members, click Add, click Advanced, click Find Now, and then hold Ctrl and select the user accounts that you want included in the group. When you are done, click OK twice. Look at the other tabs and make any necessary changes. The Security tab is discussed in the next section.
  12. When you have completed the group the way you want it, click OK, and close Active Directory Users And Computers.
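
The scope and type choices in steps 8 and 9 map directly onto the options of the dsadd group command-line tool, so the same group can be created from a script and the result checked afterward. This is an added example, not part of the original text: the domain, group, and member distinguished names are hypothetical, and it assumes a PowerShell prompt on the domain controller with rights to create groups in the Users container.

```powershell
# Added example: create a group in the Users container with an explicit
# scope and type, add members, and read the settings back.
# Every name and distinguished name below is hypothetical.

$domainDN  = 'DC=example,DC=com'
$groupName = 'Payroll Auditors - Head Office'
$groupDN   = "CN=$groupName,CN=Users,$domainDN"

# Step 7: only the first 20 characters of the pre-Windows 2000 name are used,
# so set it explicitly rather than relying on silent truncation.
$samName = $groupName
if ($samName.Length -gt 20) { $samName = $samName.Substring(0, 20) }

# Step 8 scope: l = domain local, g = global, u = universal.
$scope = 'g'
# Step 9 type: yes = security group, no = distribution group.
$securityGroup = 'yes'

dsadd group $groupDN -secgrp $securityGroup -scope $scope `
    -samid $samName -desc 'Read-only access to payroll reports'
if ($LASTEXITCODE -ne 0) { throw "Could not create $groupDN." }

# Step 11: add members by distinguished name.
$members = @(
    "CN=Alice Example,CN=Users,$domainDN",
    "CN=Bob Example,CN=Users,$domainDN"
)
dsmod group $groupDN -addmbr $members
if ($LASTEXITCODE -ne 0) { Write-Warning "One or more members were not added." }

# Read back what was stored: name, scope, and type first, then membership.
dsget group $groupDN -samid -scope -secgrp
dsget group $groupDN -members
```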