Lesson 5: Implementing Groups

In this lesson, you will learn what groups are and how you can use them to simplify user account
administration. You will also learn about built-in groups, which have a predetermined set of user rights and
group membership. Windows XP Professional has two categories of built-in groups, local and system, which it
creates for you to simplify the process of assigning rights and permissions for commonly used functions.

After this lesson, you will be able to

• Describe the key features of local groups and Windows XP Professional built-in groups
• Create and delete local groups
• Add members to and remove them from local groups

Estimated lesson time: 40 minutes

Understanding Groups
A group is a collection of user accounts. Groups simplify administration by allowing you to assign permissions
and rights to a group of users rather than to each user account individually (see Figure 3.12).

Figure 3.12 Groups simplify administration

Permissions control what users can do with a resource such as a folder, file, or printer. When you assign
permissions, you allow users to gain access to a resource and you define the type of access that they have. For
example, if several users need to read the same file, you can add their user accounts to a group and then give the
group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a
computer and backing up or restoring files.

NOTE
For more information about permissions, see Chapter 8, "Securing Resources with NTFS." For more
information about rights, see Chapter 13, "Configuring Security Settings and Internet Options."

Understanding Local Groups

A local group is a collection of user accounts on a computer. Use local groups to assign permissions to
resources residing on the computer on which the local group is created. Windows XP Professional creates local
groups in the local security database.

Preparing to Use Local Groups

Guidelines for using local groups include the following:

• Use local groups on computers that do not belong to a domain.

You can use local groups only on the computer on which you create them. Although local groups are
available on member servers and domain computers running Windows 2000 Server, do not use local
groups on computers that are part of a domain. Using local groups on domain computers prevents you
from centralizing group administration. Local groups do not appear in the Active Directory service, and
you must administer them separately for each computer.

• You can assign permissions to local groups to access only the resources on the computer on which you
create the local groups.

NOTE
You cannot create local groups on domain controllers because domain controllers cannot have a security
database that is independent of the database in Active Directory.

Membership rules for local groups include the following:

• Local groups can contain local user accounts from the computer on which you create the local groups.
• Local groups cannot belong to any other group.

Creating Local Groups

Use the Computer Management snap-in (shown in Figure 3.13) to create local groups in the Groups folder.
Figure 3.13 The New Group dialog box

To create a local group, complete the following steps:

1. In Computer Management, expand Local Users And Groups.

2. Right-click Groups and then click New Group.

MMC displays the New Group dialog box. Table 3.4 describes the available options.

Table 3.4 New Local Group Options

Option Description
Requires a unique name for the local group. This is the only required entry. Use any
Group
character except for the backslash (\ ). The name can contain up to 256 characters, but very
Name
long names might not display in some windows.
Description Describes the group.
Members Lists the user accounts belonging to the group.
Add Adds a user to the list of members.
Remove Removes a user from the list of members.
Create Creates the group.
Close Closes the New Group dialog box.
 3. Enter the appropriate information, and then click Create.

Adding Members to a Group

You can add members to a local group when you create the group by clicking Add. In addition, Windows XP
Professional provides two methods for adding members to a group that has already been created: the Computer
Management snap-in and the Member Of tab in the group-name Properties dialog box.

To use the Computer Management snap-in to add members to a group that has already been created, complete
the following steps:

1. Start the Computer Management snap-in.

2. Expand Local Users And Groups and then click Groups.
3. In the details pane, right-click the appropriate group, and then click Properties.

Computer Management displays the group-name Properties dialog box.

4. Click Add.

Computer Management displays the Select Users dialog box, as shown in Figure 3.14.
 Figure 3.14 The Select Users dialog box

5. In the From This Location text box, ensure that the computer on which you created the group is selected.
6. In the Select Users dialog box, in the Enter The Object Names To Select text box, type the user account
names that you want to add to the group, separated by semicolons, and then click OK.

TIP
The Member Of tab in the group-name Properties dialog box of a user account allows you to add a user account
to multiple groups. Use this method to quickly add the same user account to multiple groups. To review how to
use the Member Of tab, see the section in Lesson 4 entitled "The Member Of Tab."

Deleting Local Groups

Use the Computer Management snap-in to delete local groups. Each group that you create has a unique
identifier that cannot be used again. Windows XP Professional uses this value to identify the group and its
assigned permissions. When you delete a group, Windows XP Professional does not use the identifier again,
even if you create a new group with the same name as the group that you deleted. Therefore, you cannot restore
access to resources by recreating the group.

When you delete a group, you remove only the group and its associated permissions and rights. Deleting a
group does not delete the user accounts that are members of the group. To delete a group, right-click the group
name in the Computer Management snap-in and then click Delete.

Practice: Creating and Managing Local Groups

In this practice, you create two local groups, add members to the local groups when you create them, and then
add a member to one of the groups after it has been created. You delete a member from one of the groups, and
then delete one of the local groups that you created.

Run the LocalGroups file in the Demos folder on the CD-ROM accompanying this book for a demonstration of
creating and managing local groups.

Exercise 1: Creating Local Groups and Adding and Removing Members

In this exercise, you create two local groups, Accounting and Marketing, and add members to both groups. You
add a member to the existing Marketing group, and then remove a member from the Marketing group.

To create the Accounting and Marketing local groups

1. Log on as Fred or with a user account that is a member of the Administrators group.
2. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

Windows XP Professional starts Computer Management.

 3. Under System Tools, if necessary, expand Local Users And Groups, right-click Groups, and then click
New Group.

MMC displays the New Group dialog box.

4. In the Group Name text box, type Accounting.

5. In the Description text box, type Access to Accounts Receivable Files.
6. Click Add.

MMC displays the Select Users dialog box.

7. In the Name text box, type User1; User2; User4 and then click OK.

User1, User2, and User4 appear in the Members list in the New Group dialog box.

8. Click Create.

Windows XP Professional creates the group and adds it to the list of groups in the details pane. Note that
the New Group dialog box is still open and might block your view of the list of groups.

9. Repeat steps 4 through 9 to create a group named Marketing with a description of Access to Mailing
Lists and User2 and User4 as group members.
10. When you finish creating both the Accounting and the Marketing groups, click Close to close the New
Group dialog box.

The Accounting and the Marketing groups now appear in the details pane.

To add members to and remove members from the Marketing local group

1. In the details pane of the Computer Management window, double-click Marketing.

The Marketing Properties dialog box displays the properties of the group. Notice that User2 and User4
are in the Members list.

2. To add a member to the group, click Add.

Computer Management displays the Select Users dialog box.

3. In the Name text box, type User1, and then click OK.

The Marketing Properties dialog box now displays User1, User2, and User4 in the Members list.

4. Select User4 and then click Remove.

Notice that User4 is no longer in the Members list. User4 still exists as a local user account, but it is no
longer a member of the Marketing group.

5. Click OK.

Exercise 2: Deleting a Local Group

In this exercise, you delete the Marketing local group.

To delete the Marketing local group

1. In the details pane of the Computer Management window, right-click Marketing, and then click Delete.

Computer Management displays a Local Users And Groups dialog box asking if you are sure that you
want to delete the group.

2. Click Yes.

Marketing is no longer listed in the details pane indicating that the Marketing group was successfully
deleted.

3. In the console pane of the Computer Management window, click Users.

User1 and User2 are still listed in the details pane indicating that the group was deleted, but the
members of the group were not deleted from the Users folder.

4. Close Computer Management.

Understanding Built-In Local Groups

All stand-alone servers, member servers, and computers running Windows XP Professional have built-in local
groups. These groups give rights to perform system tasks on a single computer, such as backing up and
restoring files, changing the system time, and administering system resources. Windows XP Professional places
the built-in local groups in the Groups folder in Computer Management.

Table 3.5 lists the most commonly used built-in local groups and describes their capabilities. Except where
noted, these groups do not include initial members.

Table 3.5 Built-In Local Group Capabilities

Local group Description

Members can perform all administrative tasks on the computer. By default, the built-in
Administrator account is a member. When a member server or a computer running Windows
Administrators
XP Professional joins a domain, Windows 2000 Server adds the Domain Admins group to the
local Administrators group.
Backup
Members can use Windows Backup to back up and restore the computer.
Operators
Members can do the following:

• Perform only the tasks for which they have been specifically granted rights
• Access only those resources for which they have assigned permissions
Guests
Members cannot make permanent changes to their desktop environment. By default, the built-in
Guest account is a member. When a member server or a computer running Windows XP
Professional joins a domain, Windows 2000 Server adds the Domain Guests group to the local
Guests group.
Power Users Members can create and modify local user accounts on the computer and share resources.
 Local group Description
Replicator Supports file replication in a domain.
Members can do the following:

• Perform only the tasks for which they have been specifically granted rights
• Access only those resources for which they have assigned permissions
Users
By default, Windows XP Professional adds to the Users group all local user accounts that an
administrator creates on the computer. When a member server or a computer running Windows
XP Professional joins a domain, Windows 2000 Server adds the Domain Users group to the
local Users group.

Understanding Built-In System Groups

Built-in system groups exist on all computers running Windows XP Professional. System groups do not have
specific memberships that you can modify, but they can represent different users at different times, depending
on how a user gains access to a computer or resource. You do not see system groups when you administer
groups, but they are available when you assign rights and permissions to resources. Windows XP Professional
bases system group membership on how the computer is accessed, not on who uses the computer. Table 3.6 lists
the most commonly used built-in system groups and describes their capabilities.

Table 3.6 Built-In System Group Capabilities

System group Description

All users who access the computer. By default, when you format a volume with NTFS, the Full
Control permission is assigned to the Everyone group. This presented a problem in earlier
versions of Windows, including Microsoft Windows 2000. In Windows XP Professional, the
Everyone Anonymous Logon is no longer included in the Everyone group. When a Windows 2000
Professional system is upgraded to a Windows XP Professional system, resources with
permission entries for the Everyone group and not explicitly for the Anonymous Logon group
are no longer available to the Anonymous Logon group.
All users with valid user accounts on the computer. (If your computer is part of a domain, it
Authenticated
includes all users in Active Directory.) Use the Authenticated Users group instead of the
Users
Everyone group to prevent anonymous access to a resource.
The user account for the user who created or took ownership of a resource. If a member of the
Creator Owner
Administrators group creates a resource, the Administrators group owns the resource.
Any user with a current connection from another computer on the network to a shared resource
Network
on the computer.
The user account for the user who is logged on at the computer. Members of the Interactive
Interactive group can access resources on the computer at which they are physically located. They log on
and access resources by "interacting" with the computer.
Anonymous
Any user account that Windows XP Professional cannot authenticate.
Logon
Dialup Any user who currently has a dial-up connection.