The actions that a user can perform depend on the group memberships of the user's account. The Advanced Server provides several default groups that have established collections of rights and abilities. Both global and local types are provided:

• Built-in local groups --- Groups that contain users from multiple domains. The Advanced Server provides the following types of built-in local groups: Administrators, Users, Guests, Server Operators, Print Operators, Backup Operators, and Account Operators.
• Built-in global groups --- Groups that put users of a domain into a single unit for use in both their own and other domains. The Advanced Server provides the following types of built-in global groups: Domain Admins, Domain Users, and Domain Guests.

The built-in groups are explained in the sections that follow.

4.8 Built-In Local Groups

When the Advanced Server is installed on any computer, several default built-in local groups are created. Table 4-3 lists the built-in local groups, their initial contents, and who can modify them.

Table 4-3 Built-In Local Groups

Local Group+	Initial Contents	Who Can Modify
Administrators	Domain Admins (global group) Administrator (user account)	Administrators
Users	Domain Users (global group)	Administrators, Account Operators
Guests	Domain Guests (global group)	Administrators, Account Operators
Server Operators	None	Administrators
Print Operators	None	Administrators
Backup Operators	None	Administrators
Account Operators	None	Administrators

In addition to these built-in local groups, an identity called Everyone represents all known people on the network, including administrators, all types of operators, users, users from other domains, and guests. You cannot change the membership of Everyone; it always contains all users. Everyone is not actually a local group and does not appear when groups are displayed, but you can assign file permissions and rights to Everyone.

Membership in built-in local groups gives a user certain privileges.

Table 4-4 shows the rights and abilities held by each built-in local group on an Advanced Server domain. The built-in global groups of a domain are not shown in this table because built-in global groups receive their rights and abilities indirectly through their memberships in built-in local groups.

Table 4-4 Rights and Abilities of Built-In Local Groups

Right or Ability	Admin- istrators	Server Operators	Account Operators	Print Operators	Backup Operators	Every- one	Users	Guests
Right
Log on locally 1	X	X	X	X	X
Access this computer from network	X					X
Take ownership of files	X
Manage auditing and security log	X
Change system time 1	X	X
Shut down system 1	X	X	X	X	X
Force shutdown from a remote system 1	X	X
Back up files and directories 1	X	X			X
Restore files and directories 1	X	X			X
Ability
Create and manage user accounts	X		X 2
Create and manage global groups	X		X 2
Share and stop sharing directories	X	X
Share and stop sharing printers	X	X		X

The following sections describe the built-in local groups in the Advanced Server. For information about built-in local groups on a Windows NT Server, see the Microsoft Windows NT Server Concepts and Planning Guide.

4.8.1 Administrators

The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed.

In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group.

Unlike administrators in LAN Manager servers, Advanced Server administrators do not automatically have access to every file in the domain. If a file's permissions do not grant access, the administrator cannot access the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so, this event is recorded in the security log (if auditing of files is turned on) and the administrator cannot give ownership back to the original owner. For more information about ownership of files and directories, see Chapter 6, Managing Network Shares, in this guide.

4.8.2 Users

Membership in the Users local group provides the abilities most users need to perform normal tasks.

By default, the Domain Users global group is a member of the Users built-in local group, but it can be removed.

4.8.3 Guests

Differences between the rights granted to the Guests built-in local group and to the Users local group are minimal; both groups have the right to access the server over the network.

4.8.4 Server Operators

Members of the built-in Server Operators local group have many of the same abilities as built-in Administrators; however, they cannot manage security on the server. Specifically, Server Operators can share and stop sharing a server's files and printers, and they can start, stop, pause, and continue selected services.

4.8.5 Print Operators

Members of the built-in Print Operators local group can manage shared printers.

If you want a domain's Print Operators to administer printers managed by Windows NT workstation computers in the domain, as well as printers managed by the domain's servers, you must perform the following steps:

1. Create a Domain Print Operators global group in the domain. Make this global group a member of the domain's Print Operators local group.
2. Add the user account of each print operator to the Domain Print Operators group.
3. On each workstation that manages printers, place the Domain Print Operators global group in the workstation's Power Users local group.

Members of the built-in Backup Operators local group have specific rights on any Windows NT Server in the domain, but no specific rights on Advanced Server.

4.8.7 Account Operators

Members of the built-in Account Operators local group can manage the server's user and group accounts. An Account Operator can create, delete, and modify most user accounts, global groups, and local groups. However, the Account Operators cannot modify the user accounts of Administrators, nor can they modify the Administrators, Server Operators, Account Operators, Print Operators, or Backup Operators local groups. They also cannot assign user rights.

4.8.8 Logging On as System Administrator

Most of the system administrators on your network have dual roles: they are both administrators and users. Although they perform network administration tasks, they also perform tasks as network users.

For this reason, every system administrator should maintain the following two accounts:

• An account in the Administrators group used to perform network tasks
• An account in the Users group used when not performing network management tasks

Your network will be more secure if your system administrator uses these two accounts. While a system administrator is logged on as a regular user, he or she will be unable to change aspects of the network that only system administrators can change. However, using this method will result in some inconvenience for system administrators, because they will have to log off and then log on again before they can administer the network.

4.8.9 Allowing Guest Access

Every Advanced Server domain has a Guest account which is disabled by default. The Guest account does not have a password and can be used to support network guest logons.

A network guest logon occurs when a user tries to access a computer over the network but does not have an account in the computer's domain or in a domain that the computer trusts. Because the account does not exist in the computer's domain, or in any domain that it trusts, the computer does not recognize the user who is trying to access it. In this case, the computer approves the access as a guest logon, as long as the Guest account of the target computer is enabled and has no password.

The guest user then has all of the rights, permissions, and group memberships on the computer that are granted to the Guest account, even though the guest user did not specify Guest as his or her user name.

A network guest logon can occur only when a user with no account on the domain or on a trusted domain tries to access the computer, and the guest account is enabled. By default, the guest account is disabled. To enable the guest account, the administrator must modify the guest disuser flag, using the MODIFY USER command. See the Advanced Server for OpenVMS Commands Reference Manual for information on how to enable the guest account.

4.8.10 Using the Operators Local Groups

As an example of how to use operators local groups, consider a medium-sized department that is deciding how to assign its technical staff to the various administrator and operator groups.

At least one user must be an administrator. Members of the Administrators group have several unique abilities. These include taking ownership of files and managing auditing. Because of their unique abilities, members of the Administrators group are responsible for planning and maintaining network security for the department. They also can be allowed to administer Windows NT workstation computers.

If there is someone in the group who is responsible for helping new employees get started, it may be wise to make this person a member of the Account Operators group. This account operator then can create domain accounts for new employees and place these accounts in the appropriate groups.

If the domain's Administrators group has only a few members, you should assign at least one additional person to the Server Operators group. The basic function of the Server Operators group is to keep the domain servers running. This goal is reflected in their abilities to share directories and printers on servers. If possible, at least one member of either the Administrators or Server Operators group should be present at all hours during which people are using the network.

If the ability to print documents quickly is important to your group, you should add several people to the Print Operators group to ensure that printer problems can be addressed quickly.

4.8.11 Setting Up a Universal Operators Group

If your network has multiple domains, each containing computers with shared printers, and you have a single group of Print Operators who need the ability to administer printers in all domains, use a universal operators group (a combination of global groups and local groups) to set this up. By doing so, you ensure that your Print Operators group is easy to maintain as your network evolves, as print operators come and go, and as new computers or domains are added.

Follow these steps to establish a universal operators group:

1. In each domain where accounts of Print Operators are located, create a global group called Domain PrintOps and make all of the Print Operators in the domain members of this group.
2. In each domain where printers are to be administered, modify the Print Operators local group by adding the Domain PrintOps global groups to it. Be sure to make this change to the Print Operators local group in every domain.

After you complete these steps, every Print Operator has the ability to administer all printers.

If you also need to administer printers on Windows NT workstation computers, you will need to go a step further, because a domain's local groups (such as Print Operators) cannot be used by Windows NT workstation computers --- even Windows NT workstation computers participating in that domain. To each Windows NT workstation computer with printers to administer, add all of the Domain PrintOps global groups to the workstation's Power Users local group.

4.9 Built-In Global Groups

Three global groups are built in:

• Domain Admins --- The Domain Admins built-in group initially contains the Administrator account. When you create accounts for the administrators of your domain, you should add these accounts to the Domain Admins global group, which is already a member of the Administrators local group.
• Domain Users --- The Domain Users built-in group initially contains the Administrator account. Administrators and Account Operators can modify these groups. Every user account you subsequently add to this domain is put automatically in the Domain Users global group.
• Domain Guests --- The Domain Guests built-in group initially contains the Guest account. Administrators and Account Operators can modify the Domain Guests built-in group.

Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.

Table 4-5 Built-In Global Groups

Global Group	Initial Contents	Who Can Modify
Domain Admins	Administrator	Administrators
Domain Users	Administrator	Administrators, Account Operators
Domain Guests	Guest	Administrators, Account Operators

The following sections further explain the built-in global groups and how to use them.

4.9.1 Domain Admins

The Domain Admins global group is a member of the Administrators local group for the domain and of the Administrators local group for every Windows NT workstation computer in the domain. The built-in Administrator user account is a member of the Domain Admins global group.

Because of these memberships, a user logged on to the Administrator account can administer the domain, the primary and backup domain controllers, and all of the Windows NT workstation computers in the domain. (However, Domain Admins users can be prevented from administering a particular workstation by removing the Domain Admins global group from that workstation's Administrators group.)

To provide administrative abilities to a new account, make the new account a member of the Domain Admins global group. This allows that user to administer the domain, the workstations of the domain, and the trusted domains that have added the Domain Admins global group from this domain to their Administrators local group.

4.9.2 Domain Users

By default, all domain user accounts belong to the Domain Users group, including the built-in Administrator account and any new accounts that are created.

The Domain Users global group is by default a member of the Users local group for the domain and of the Users local group for every Windows NT workstation computer in the domain. Domain Users is the default group for each user.

Because of these memberships, users of the domain have normal user access to and abilities in the domain and the Windows NT workstation computers of the domain. (However, domain users can be prevented from being granted this access for a particular workstation by removing the Domain Users global group from that workstation's Users group.)

4.9.3 Domain Guests

The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you may want to add those accounts to the Domain Guests group and remove them from the Domain Users group.

The Domain Guests global group is a member of the domain's Guests local group.

4.10 Server-Specific Groups

In addition to the built-in groups mentioned, server-specific groups are created by the system and are used for special purposes. You cannot delete these special groups and should not modify them. When you administer a computer and are presented with a list of groups, these server-specific groups sometimes appear in the list. For example, they can appear when assigning permissions to directories, files, shared network directories, or printers.

Table 4-6 lists the server-specific groups provided and the purpose of each.

Table 4-6 Server-Specific Groups

Group	Refers to
EVERYONE	Anyone using the computer. This includes all local and remote users; that is, the INTERACTIVE and NETWORK groups combined. In a domain, members of EVERYONE can access the network, connect to a server's shared network directories, and print to a server's printers.
INTERACTIVE	Anyone using a computer locally.
NETWORK	All users connected over the network to a computer.
SYSTEM	The operating system.