Windows NT Group Strategies

Assigning permissions on a network can be complicated unless you use a group strategy. Learn how to use global and local groups to make managing users easier.

Michael D. Reilly

July 31, 1998


Manage users easily with groups

Windows NT uses groups to manage users. This month I'll discuss the difference between global and local groups, and I'll explain how you can use groups to manage user accounts and assign permissions.

NT Groups
Groups in NT help you organize user accounts and simplify assigning permissions on resources. NT uses global and local groups. You can use a global group anywhere in the domain in which you define the group. Global groups organize users by department, job function, or security level. Local groups control access to resources. A local group is relevant only on the system on which you create it, unless you create a local group on a domain controller. Backup Domain Controllers (BDCs) do not have accounts databases, so you must create a local group on the Primary Domain Controller (PDC) and then replicate it to the BDCs. Thus, one local group exists on all the domain controllers.

Groups and Security
The concept of using groups to assign permissions is simple: You assign permissions to a group, and anyone who is a member of the group automatically has the group's permissions. Suppose you have an Accountants group that has permissions to read, write, and edit financial files. When you add a new employee to the accounting department, you make that person a member of the Accountants group. You do not need to figure out what permissions the other accountants have to assign the same permissions to the new employee. In fact, figuring out what permissions the other accountants have is difficult because of how NT security works. In NT, you set file and directory access on resources rather than users, as Screen 1, page 206, shows. A directory keeps a list of users who have permissions to read and write to and from the directory. When a user tries to access the directory, NT determines whether the user is on the list. Users do not have a list of which directories they can use. To get a list of the files and directories a user can access, you need a third-party tool such as Somarsoft's DumpAcl 2.7.16 (http://www.somarsoft.com) or Intrusion Detection's Kane Security Analyst for Windows NT (http://www.intrusion.com). Screen 2, page 206, shows an example DumpAcl permissions list. Microsoft's Small Business Server (SBS) uses the Microsoft Management Console (MMC) interface to show which files and directories a user can access. This feature will be available in NT 5.0, which uses MMC.

The access control lists (ACLs) for files and directories give members of a group the access they need, so you can add people to the group as necessary. You can also remove users from a group to revoke their access to the group's resources. This approach ensures that employees who leave a company will no longer have access to proprietary files.

Global and Local Groups
You define global groups on the PDC. Global group membership is a subset of domain users. Each user can belong to as many as 1000 total groups, although security is easier to track when users belong to only a few groups. The IS department often maintains global groups and communicates with the human resources (HR) manager and department heads to decide which groups users need to belong to.

You define local groups on each system that has resources to share. A local group is valid only on the system where you define it, so you might need to create local groups on all servers. For example, if you have financial information spread across several servers, you might create a local group called Finance on each server. Alternatively, you might create a local group called Budget on one server, a local group called Payroll on a second server, and a local group called Receivables on a third server. Department managers can set up a variety of local groups to control the types of permissions the groups have.

After you define global and local groups, you must set up the local groups' membership. Local group members can be users, or they can be the global groups. Thus, you place the Accountants global group in the Budget local group, as Screen 3 shows. Members of the Accountants global group inherit the permissions of that group, which inherits its permissions from the Budget local group.

You might be tempted to assign permissions for a resource directly to the global group. Suppose you have several accounting groups at branch offices. Each office has an NT domain, with a local Accounting group. If you grant directory permissions to each local group, you need to make sure that the permissions are consistent. The ACL for each resource lengthens and takes longer to scan when a user requests access. But if you place each domain's Accounting global group into the Budget local group, the global groups have the same permissions, and the ACL contains only one entry that lists the access privileges for the Budget local group. If you want to change the global group permissions, you can change the permissions for the local group, and the changes will apply to all users.

You can use the same principle to assign permissions to groups instead of users. If you assign permissions on a directory or file to dozens of users, NT must search a large ACL to check permissions. If you assign permissions to a group, NT searches a smaller ACL and compares the user security context (the list of groups to which a user belongs) with the groups that can access the resource.

Microsoft recommends the group strategy for assigning permissions. First, decide which users need access to a resource, and place the users in a global group. Then, decide what type of access the users need (e.g., read-only, change, full control), and assign these access rights to a local group. Finally, make the global group a member of the local group. This method of assigning permissions makes maintenance and performance optimization easier.

Multiple Group Membership
As I mentioned previously, a user can belong to as many as 1000 groups. If a user belongs to several groups that have different levels of permissions, the user accumulates the combined permissions of the groups. Thus, if a user belongs to a group that can only write files to a directory (e.g., for data entry) and a group that can only read files (e.g., for checking the data entry), the user can read and write files. However, if the user or one of the user's groups has an Access Denied setting on a resource in the ACL, the user will be unable to access the resource. Access Denied acts as a veto: The user cannot use the resource, regardless of permissions status. Novice administrators sometimes place an Access Denied setting on a directory for the group Everyone, intending to then grant permissions to specific users. These administrators quickly learn that the group Everyone includes everyone, including administrators.
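The following Python model, added here and not part of the original article, works through the strategy of the preceding sections (users in global groups, global groups in local groups, permissions on the local groups) and the access rules described in this section: rights accumulate across a user's groups, and one Access Denied entry vetoes everything. The users, groups and ACLs are constructed sample data, and the evaluation is a simplified model of what the article describes, not NT's actual ACE-ordering algorithm.

```python
from dataclasses import dataclass

# Constructed sample directory; the user, group and server names are not taken
# from any real domain.  user -> global groups (defined on the PDC)
GLOBAL_GROUPS = {
    "alice": {"Accountants"},
    "bob":   {"DataEntry", "Auditors"},
    "carol": {"Auditors"},
    "admin": {"Domain Admins"},
}
# local group on the file server -> members (global groups, per the article's strategy)
LOCAL_GROUPS = {
    "Budget":         {"Accountants"},
    "Writers":        {"DataEntry"},
    "Readers":        {"Auditors"},
    "Administrators": {"Domain Admins"},
}

@dataclass(frozen=True)
class Ace:
    group: str                       # one access control entry for a group
    rights: frozenset = frozenset()  # rights granted, e.g. {"read", "write"}
    deny: bool = False               # True models an Access Denied setting

def security_context(user):
    """Groups in the user's token: the user, Everyone, the user's global
    groups, and every local group that contains one of those global groups."""
    ctx = {user, "Everyone"} | GLOBAL_GROUPS.get(user, set())
    ctx |= {local for local, members in LOCAL_GROUPS.items() if members & ctx}
    return ctx

def effective_rights(user, acl):
    """Union of the rights granted to any group in the user's context,
    unless an Access Denied entry matches, which vetoes all access."""
    matching = [ace for ace in acl if ace.group in security_context(user)]
    if any(ace.deny for ace in matching):
        return frozenset()
    return frozenset().union(*(ace.rights for ace in matching))

# ACL on the Finance directory: one entry per local group, as recommended.
FINANCE_ACL = [
    Ace("Budget",  frozenset({"read", "write", "edit"})),
    Ace("Writers", frozenset({"write"})),
    Ace("Readers", frozenset({"read"})),
]
# The novice mistake from the text: deny Everyone, then grant administrators.
LOCKOUT_ACL = [
    Ace("Everyone", deny=True),
    Ace("Administrators", frozenset({"read", "write", "edit"})),
]
```

Running `effective_rights("bob", FINANCE_ACL)` shows the write-only and read-only groups combining into read and write, while `effective_rights("admin", LOCKOUT_ACL)` returns nothing because Everyone includes the administrator.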

Built-in Groups
Screen 4 shows the global and local groups that NT creates on installation. If you install a domain controller, you see the global groups. A standalone server or workstation has only the local groups. You can use these built-in groups for many administration tasks, and you can add groups as necessary to grant or limit access to your data and applications.

The most commonly used global and local groups are Domain Users, Domain Admins, and Domain Guests. Every user in your domain is automatically a member of the Domain Users group. Some administrators use this group as the lowest level of security, such as for open resources, because it is slightly more secure than granting resource access to the group Everyone. Domain Admins includes systems administrators. You can use the Domain Guests group to set up limited-access guest accounts for users so they do not have to log on under their names. If you are running Internet Information Server (IIS), move the Internet User account from the Domain Users group (its default location) to Domain Guests. Moving this account lets you grant broad permissions to regular users through the Domain Users group, and lets you restrict anonymous Internet users through the Domain Guests group to only a limited area in your network.

Other local groups include the Operators groups: Account Operators, Backup Operators, Print Operators, and Server Operators. These groups have special permissions and can simplify systems administration tasks.

Account Operators can manage domain user and group accounts and can add and delete users without contacting the NT systems administrator. In each department, make one person, such as the department head, an Account Operator, because the department head knows better than the network administrator who should be in which groups. Account Operators can administer group memberships, but they cannot make themselves part of the Domain Admins group.

Backup Operators have read-only access so they can read data from a disk and place the data on a backup tape. Even if a Backup Operator's file and directory permissions do not permit access to file contents, the Operator can read files as part of a backup operation. Likewise, a Backup Operator might not have permissions to write over files but can do so when restoring files. Some administrators let Backup Operators back up but not restore data, because the Backup Operators might accidentally write over a more recent file. In addition, if Backup Operators can restore a file to a different drive, they might find ways to bypass network security.

Print Operators can administer and troubleshoot printers. For each department, you'll want at least one Print Operator, perhaps the same person as the Account Operator.

Server Operators can perform system-level administration tasks, including backups and restores. The systems administrator's assistants might belong to this group.

Microsoft recommends that you create a global group on each domain to correspond to each of these built-in local groups. You can control group membership through the global groups, and you can use the local groups' permissions to help delegate systems administration tasks.

Rationale
It might seem redundant to have global and local groups. However, both types of groups make administering NT systems and networks easier. You will realize the most benefit from NT's group function if you implement a sound group policy when you first install your network.
