Microsoft KB Archive/101471

= Local and Global Groups in Windows NT and Advanced Server =

Article ID: 101471

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Workstation 3.1



This article was previously published under Q101471



SUMMARY
The Windows NT networking environment defines groups to organize users who have similar jobs or resource requirements into a unit, to ease the process of granting appropriate rights and resource permissions. When groups are defined, an administrator need only take the one action of giving a right or permission to a group to give that right or permission to all the present and future members of that group. Without this capability, it would be necessary for the administrator to manually grant rights and resource permissions to each individual user account.

To create or manage user and group accounts, use the User Manager. Use File Manager to assign permissions for files and directories to users or groups and use Print Manager to assign access to printers to users or groups. Windows NT defines two types of groups: local and global groups.



MORE INFORMATION
Windows NT workstations and Advanced Servers support local groups. The table below presents the default local groups which represent the different default privilege levels:

 Windows NT Advanced Server Domains   Windows NT Workstations
 ----------------------------------   -----------------------
 Administrators                       Administrators
 Backup Operators                     Backup Operators
 Server Operators                     Power Users
 Account Operators                    Users
 Print Operators                      Guests
 Users                                Replicator
 Guests
 Replicator

A second type of default group contains no members because the group privileges apply to any account that uses the computer in a specified manner. These groups do not refer to the privilege level of the user but reflect resource access. The four groups are as follows:


 * Interactive Users. Any user that only logs onto the computer interactively.
 * Network Users. Any user who connects to the computer through the network.
 * Everyone. Any user who accesses the computer. This group includes both interactive and network users.
 * Creator/Owner. Any user who creates or takes ownership of a resource.

Local Groups
User Manager represents local groups with a graphic of two faces imposed over a computer. A local group is local to the security system in which it is created. A local group created on a Windows NT workgroup workstation is available only on the workstation on which it is created. A local group created on a Domain Controller is available on all Domain Controllers.

A local group on a Windows NT workstation can contain user accounts created on the workstation, users and global groups from the workstation's domain and users and groups from domains trusted by the workstation's domain.

Global Groups
User Manager represents global groups with a graphic of two faces imposed over a globe. Global groups contain user accounts from one domain grouped together as one group name. A global group cannot contain another global group or a local group. The default global groups on an Advanced Server are the Domain Admins and the Domain Users groups. A Windows NT workstation does not define any default global groups. However, because a global group can be a member of a local group, a local group defined on a Windows NT workstation can contain a global group from the domain. A local group can also contain a global group from another domain by passing through trust relationships. Local groups cannot traverse trust relationships.

The primary purpose of a global group is to support use on machines other than the Advanced Servers in a domain. In a single domain model, this applies to Windows NT domain workstations and LAN Manager servers that participate in the domain.

NOTE: A local group and a global group that share the same name are two separate entities, each of which has its own distinct security identifier and characteristics as defined above. Permissions assigned to one group do not apply to the other group that shares the same name.
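
The containment rules above, and the NOTE about same-named groups, can be checked with a small model. This is an added example, not Microsoft code: the class, the workstation WS1, the domains SALES, HQ and LAB, and the "Auditors" groups are all constructed for illustration.

```python
from collections import namedtuple

# kind is "user", "global" or "local"; scope is the owning domain or workstation.
Principal = namedtuple("Principal", "kind scope name")

class GroupModel:
    def __init__(self, workstation, domain, trusted):
        self.workstation = workstation          # where local accounts and groups live
        self.domains = {domain} | set(trusted)  # own domain plus domains it trusts
        self.members = {}                       # group Principal -> set of members

    def allowed(self, group, member):
        """Apply the containment rules stated in the article."""
        if group.kind == "global":
            # Only user accounts from the global group's own domain.
            return member.kind == "user" and member.scope == group.scope
        if group.kind == "local":
            if member.kind == "user":
                return member.scope in self.domains | {self.workstation}
            # Global groups from the own or a trusted domain; never a local group.
            return member.kind == "global" and member.scope in self.domains
        return False

    def add(self, group, member):
        if not self.allowed(group, member):
            raise ValueError(f"{member} cannot be a member of {group}")
        self.members.setdefault(group, set()).add(member)

    def effective_users(self, group):
        """User accounts that receive whatever is granted to `group`."""
        users = set()
        for m in self.members.get(group, ()):
            # A member is a user or a global group; global groups hold only users.
            users |= {m} if m.kind == "user" else self.members.get(m, set())
        return users

def demo():
    # Constructed names: workstation WS1 in domain SALES, which trusts HQ.
    model = GroupModel("WS1", "SALES", trusted=["HQ"])
    alice, bob, carol = (Principal("user", s, n) for s, n in
                         [("SALES", "alice"), ("WS1", "bob"), ("HQ", "carol")])
    local_aud = Principal("local", "WS1", "Auditors")
    global_aud = Principal("global", "SALES", "Auditors")  # same name, separate entity
    hq_admins = Principal("global", "HQ", "Domain Admins")
    model.add(global_aud, alice)
    model.add(hq_admins, carol)
    model.add(local_aud, bob)
    model.add(local_aud, hq_admins)
    return model, local_aud, global_aud, (alice, bob, carol)
```

A permission granted to the local Auditors group reaches bob and, through the trusted HQ global group, carol; it does not reach alice, who belongs only to the global group of the same name.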
