This video looks at the default groups that Active Directory creates in every domain and that are available to all computers joined to that domain.
Enterprise Admins
This is the most powerful group in Active Directory. It exists only in the forest root domain and is automatically made a member of the built-in Administrators group of every domain in the forest, which gives its members administrator rights in all domains in the forest. It also holds forest-wide rights that no domain-level group has, such as changing forest-wide configuration and adding or removing domains from the forest.
Schema Admins
By default this is the only group that can make changes to the schema, which defines the object classes and attributes that make up the Active Directory database. It exists only in the forest root domain. Because a schema change affects every domain in the forest and cannot be rolled back, keep this group empty and add an account only for the duration of a planned change.
Domain Admins
The Domain Admins group has administrator rights over every user and computer in the domain, including the domain controllers (it is a member of the domain's built-in Administrators group). When a computer is joined to the domain, Domain Admins is added to the local Administrators group on that computer.
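The three groups above are the ones an attacker aims for, so their membership is worth enumerating rather than assumed. The following PowerShell is an added example (it is not from the video or the references) that walks the forest, flattens nested membership of Enterprise Admins, Schema Admins, Domain Admins and each domain's built-in Administrators group, warns when Schema Admins is not empty, and confirms the Enterprise Admins nesting by SID (the root domain SID plus the well-known RID 519). It assumes the ActiveDirectory RSAT module and an account that can read every domain in the forest.

```powershell
# Added example: audit the privileged default groups across the forest.
# Assumes the ActiveDirectory module and forest-wide read access.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$root    = $forest.RootDomain
$rootSid = (Get-ADDomain -Server $root).DomainSID.Value
$eaSid   = "$rootSid-519"   # Enterprise Admins = root domain SID + RID 519

# Groups that exist once, in the forest root, and groups checked in every domain.
$rootOnly  = @('Enterprise Admins', 'Schema Admins')
$perDomain = @('Domain Admins', 'Administrators')

function Get-PrivilegedMembers {
    param([string]$Domain, [string]$Group)
    try {
        # -Recursive flattens nesting, so a user reached via
        # "Helpdesk -> Domain Admins" is still reported.
        $members = Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop
    } catch {
        # Cross-domain members can make the recursive walk fail; fall back to direct members.
        Write-Warning "Recursive walk of $Group in $Domain failed ($($_.Exception.Message)); using direct members."
        $members = Get-ADGroupMember -Identity $Group -Server $Domain
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Domain      = $Domain
            Group       = $Group
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
        }
    }
}

$report = @()
foreach ($g in $rootOnly) { $report += Get-PrivilegedMembers -Domain $root -Group $g }
foreach ($d in $forest.Domains) {
    foreach ($g in $perDomain) { $report += Get-PrivilegedMembers -Domain $d -Group $g }
}
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Schema Admins should be empty outside a planned schema change.
$schema = @($report | Where-Object { $_.Group -eq 'Schema Admins' })
if ($schema.Count -gt 0) {
    Write-Warning "Schema Admins in $root has $($schema.Count) member(s); expected 0."
}

# Confirm the Enterprise Admins -> Administrators nesting in each domain by SID.
foreach ($d in $forest.Domains) {
    $direct = Get-ADGroupMember -Identity 'Administrators' -Server $d
    $nested = [bool]($direct | Where-Object { $_.SID.Value -eq $eaSid })
    "{0}: Enterprise Admins nested in Administrators = {1}" -f $d, $nested
}
```

Run it from a workstation with RSAT as a read-only account and diff the output over time; a new name in Domain Admins or a non-empty Schema Admins is the kind of change that should page someone.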
Domain Users
Members of this group can log on to workstations, run applications and change computer settings that relate to their own account. Domain Users is added to the local Users group on a computer when it is joined to the domain, and every user account created in the domain is a member of it by default (it is the default primary group).
Domain Guests
This group has no rights or permissions in the domain. It is not added to the local Guests group on member computers when they join the domain, so it grants no rights on any computer. A user whose only group membership is Domain Guests therefore cannot log on to any computer in the domain unless another group grants that right.
Domain Computers
This group contains the computer accounts of all workstations and member servers in the domain, that is, every computer except the domain controllers. When you join a computer to the domain, its computer account is automatically added to this group.
Domain Controllers
This group contains the computer accounts of all writable domain controllers in the domain; read-only domain controllers are not members. When a server is promoted to a domain controller, its computer account is moved from the Domain Computers group into the Domain Controllers group.
Read-only Domain Controllers
This group contains the computer accounts of the read-only domain controllers in the domain. It does not contain writable domain controllers or any other computer accounts.
Enterprise Read-Only Domain Controllers
This group exists only in the forest root domain and has no members by default. Even if you add read-only domain controllers to the root domain, their computer accounts are not added to this group.
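The three computer groups above are driven by an account's primary group (well-known RIDs 515 for Domain Computers, 516 for Domain Controllers, 521 for Read-only Domain Controllers), so a computer account that claims to be a domain controller without being one stands out. The following PowerShell is an added example, not from the video, that counts accounts per primary group and reconciles the accounts in the two DC groups against the DC inventory in both directions. It assumes the ActiveDirectory module; the domain name is taken from the current session.

```powershell
# Added example: reconcile computer accounts' primary groups with the DC inventory.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# Well-known RIDs of the primary groups discussed in the text.
$primaryGroups = @{
    515 = 'Domain Computers'
    516 = 'Domain Controllers'
    521 = 'Read-only Domain Controllers'
}

$computers = Get-ADComputer -Filter * -Server $Domain -Properties primaryGroupID

# How many accounts sit in each primary group.
foreach ($g in ($computers | Group-Object -Property primaryGroupID)) {
    $name = $primaryGroups[[int]$g.Name]
    if (-not $name) { $name = "RID $($g.Name)" }
    "{0,-30} {1,5}" -f $name, $g.Count
}

# Every account in a DC primary group must be a DC the domain actually knows about.
$dcs     = Get-ADDomainController -Filter * -Server $Domain
$dcNames = $dcs | ForEach-Object { $_.Name.ToUpperInvariant() }
foreach ($c in ($computers | Where-Object { $_.primaryGroupID -in 516, 521 })) {
    if ($dcNames -notcontains $c.Name.ToUpperInvariant()) {
        Write-Warning "$($c.Name) has primaryGroupID $($c.primaryGroupID) but is not a known domain controller."
    }
}

# And every real DC must sit in the group matching its role (writable vs read-only).
foreach ($dc in $dcs) {
    $acct     = $computers | Where-Object { $_.Name -eq $dc.Name }
    $expected = if ($dc.IsReadOnly) { 521 } else { 516 }
    if ($acct.primaryGroupID -ne $expected) {
        Write-Warning "$($dc.Name): primaryGroupID is $($acct.primaryGroupID), expected $expected."
    }
}
```

The first warning is the interesting one: an ordinary computer account whose primary group has been changed to 516 or 521 inherits the group's rights, and nothing in the normal promotion process produces that state.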
Allowed RODC Password Replication Group
Members of this group have their password cached on a read-only domain controller once they authenticate through it: the secret is pulled from a writable domain controller on that first logon, or an administrator can pre-populate it. Normally the password attributes are not replicated to a read-only domain controller at all. With the password cached, a member can still authenticate at the read-only domain controller during a network outage when no writable domain controller is reachable. The group has no members by default; add only the users and computers of the site the read-only domain controller serves, because every secret cached on it can be recovered by whoever controls that server.
Denied RODC Password Replication Group
If an account is a member of this group, its password is never cached on a read-only domain controller, even if caching has been allowed for it through another group: deny always overrides allow. By default the group contains the highly privileged groups, including Domain Admins, Enterprise Admins and Schema Admins, so their secrets never land on a read-only domain controller that sits in a less trusted location.
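The two groups above feed the Password Replication Policy (PRP) of each read-only domain controller, and the policy is only half the picture: what matters operationally is which secrets are actually sitting on the RODC. The following PowerShell is an added example covering both groups, not from the video or the references. It lists the effective Allowed and Denied lists of one RODC, checks that the Denied RODC Password Replication Group is still in the policy and still contains the tier-0 groups, shows which accounts are cached versus merely authenticated, and pre-populates one allowed user so the branch keeps working through a WAN outage. It assumes the ActiveDirectory module; BRANCH-RODC1, HQ-DC1 and branch.user are placeholder names.

```powershell
# Added example: audit an RODC's Password Replication Policy and pre-populate a user.
# Assumes the ActiveDirectory module. $Rodc, $WritableDc and $BranchUser are placeholders.
Import-Module ActiveDirectory
$Rodc       = 'BRANCH-RODC1'
$WritableDc = 'HQ-DC1'
$BranchUser = 'branch.user'

# Effective policy on this RODC. Deny wins whenever a principal is on both lists.
'--- Allowed list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, objectClass
'--- Denied list ---'
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
$denied | Select-Object Name, objectClass

# The policy denies the *group*; the group in turn holds the tier-0 groups.
if ($denied.Name -notcontains 'Denied RODC Password Replication Group') {
    Write-Warning "Denied RODC Password Replication Group has been removed from the policy of $Rodc."
}
$deniedMembers = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group'
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    if ($deniedMembers.SamAccountName -notcontains $g) {
        Write-Warning "$g is no longer in the Denied RODC Password Replication Group."
    }
}

# Secrets physically on the RODC (what a thief of the box gets) versus
# accounts that only authenticated through it.
'--- Revealed (cached on the RODC) ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts | Select-Object Name
'--- Authenticated through the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name

# Allowed membership alone puts nothing on the RODC; the first logon through it
# (or an explicit pre-population) does. Pre-populate so the user can still log
# on if the WAN fails before their next logon.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $BranchUser
$user = Get-ADUser -Identity $BranchUser
Sync-ADObject -Object $user.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
```

If the RODC is ever lost or compromised, the Revealed list is the set of accounts whose passwords must be reset; deleting the RODC computer account in Active Directory Users and Computers offers to do exactly that.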
References
"Default groups" http://technet.microsoft.com/en-us/li...
"MCTS 70-640 Configuring Windows Server 2008 Active Directory", Microsoft Press, p. 177
"Administering the Password Replication Policy" http://technet.microsoft.com/en-us/li...
"How to configure DNS dynamic update in Windows 2000" http://support.microsoft.com/?id=317590
"DHCP Group" http://technet.microsoft.com/en-us/li...