Thursday, February 20, 2020

Windows Server - Custom Group

Custom Groups

Always create your own groups
You should avoid adding users to the built-in groups that have no members by default (Account Operators, Backup Operators, Server Operators, and Print Operators). Each of them carries broad rights across the domain, and membership also changes how the member's own account is secured (see the protected groups below). Instead, create custom groups to which you assign only the permissions and user rights that your business and administrative requirements need.
For example, if Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations that could lead to database rollback or corruption, and should not be able to shut down a domain controller, do not put Scott in the Backup Operators group, which on a domain controller holds the Back up files and directories, Restore files and directories, Shut down the system and Allow log on locally rights. Instead, create a group, assign it only the Back up files and directories user right (SeBackupPrivilege), and then add Scott as a member. Treat that custom group as highly privileged all the same: on a domain controller the backup right alone lets its holder read every file on the server, including the ntds.dit database and the SYSTEM registry hive from which the domain's password hashes can be extracted.
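The following PowerShell is an added example and not code from the original post. It creates the custom group, adds the user, and grants that group only SeBackupPrivilege in the local security policy of a member server by exporting the current user-rights assignment with secedit, appending the group's SID to the SeBackupPrivilege line, and re-importing it, so existing holders of the right are preserved. The group name, the sAMAccountName smitchell and the temp paths are my assumptions. On a domain controller the same SeBackupPrivilege line belongs in the Default Domain Controllers Policy security template instead, because Group Policy overwrites local policy there.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module
# installed, a user with sAMAccountName 'smitchell' exists, and this runs
# elevated on the member server whose local security policy is being edited.
Import-Module ActiveDirectory

$groupName = 'Backup-Only-Operators'   # assumed name
$member    = 'smitchell'               # assumed account

# 1. Create the custom group if it does not exist and add the member.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Backup only: SeBackupPrivilege, no restore, no shutdown'
}
Add-ADGroupMember -Identity $groupName -Members $member
$sid = (Get-ADGroup -Identity $groupName).SID.Value

# 2. Export the current user-rights assignment so existing holders are preserved.
$work    = Join-Path $env:TEMP 'user-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$current = Join-Path $work 'current.inf'
$updated = Join-Path $work 'updated.inf'
secedit /export /cfg $current /areas USER_RIGHTS | Out-Null

# 3. Append the group's SID to SeBackupPrivilege and to nothing else.
#    Template entries are SIDs prefixed with '*', comma separated.
$lines = Get-Content -Path $current
$found = $false
$lines = foreach ($line in $lines) {
    if ($line -match '^SeBackupPrivilege\s*=') {
        $found = $true
        if ($line -notmatch ([regex]::Escape("*$sid"))) { "$line,*$sid" } else { $line }
    } else { $line }
}
if (-not $found) {
    # No existing line: insert one directly under [Privilege Rights].
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -eq '[Privilege Rights]') { "SeBackupPrivilege = *$sid" }
    }
}
Set-Content -Path $updated -Value $lines -Encoding Unicode   # secedit expects UTF-16

# 4. Apply the template, then export again to verify the three rights that matter here.
secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $updated /areas USER_RIGHTS | Out-Null
secedit /export /cfg (Join-Path $work 'verify.inf') /areas USER_RIGHTS | Out-Null
Get-Content (Join-Path $work 'verify.inf') |
    Where-Object { $_ -match '^Se(Backup|Restore|Shutdown)Privilege' }

# 5. Sanity check: the empty-by-default operator groups should still be empty.
foreach ($g in 'Account Operators','Backup Operators','Server Operators','Print Operators') {
    $n = @(Get-ADGroupMember -Identity $g -Recursive).Count
    '{0,-18} members: {1}' -f $g, $n
}
```

The verify step should show the new SID on SeBackupPrivilege only; if it also appears on SeRestorePrivilege or SeShutdownPrivilege, a Group Policy or an earlier template is granting more than intended.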

Local Groups

Don’t forget about the local groups
Local groups are available on stand-alone servers or workstations, on domain member servers that are not domain controllers, or on domain member workstations. Local groups are truly local, which means that they are available only on the computer where they exist. The important characteristics of a local group are:
    • You can assign user rights and permissions on local resources only, meaning on the local computer.
    • Members can be local accounts, or users and groups from anywhere in the AD DS forest (and from trusted domains).
Screenshot of the default local groups.
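As an added example (not from the original post), the following PowerShell shows both characteristics at once: a local group that exists only in this server's SAM, populated with principals from the domain, and granted read access on a local folder. The group name, the folder path, the domain name CONTOSO and the two domain principals are my assumptions.

```powershell
# Added example (not from the original post). Assumes: run elevated on a
# domain-joined member server; CONTOSO\smitchell and CONTOSO\Finance-Analysts exist.
$groupName = 'Report-Readers'   # assumed
$folder    = 'C:\Reports'       # assumed

# 1. Create the local group; it lives only in this computer's SAM database.
if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'Read access to C:\Reports on this server'
}

# 2. Members can be domain users or domain groups from anywhere in the forest.
#    Add-LocalGroupMember errors on duplicates, so skip members already present.
$existing = @(Get-LocalGroupMember -Group $groupName | ForEach-Object Name)
foreach ($m in 'CONTOSO\smitchell', 'CONTOSO\Finance-Analysts') {
    if ($existing -notcontains $m) { Add-LocalGroupMember -Group $groupName -Member $m }
}

# 3. Grant the local group read access on the local folder. The ACE names the
#    computer-local group, so it is meaningful on this machine only.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$groupName",
    'ReadAndExecute',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Show the members with their source (Local vs ActiveDirectory) and the resulting ACE.
Get-LocalGroupMember -Group $groupName | Format-Table Name, ObjectClass, PrincipalSource
(Get-Acl $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

PrincipalSource in the member listing makes the point visible: the group is local, its members are not.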

Protected Users Group

Protected groups share the AdminSDHolder ACL
There is a subset of default groups that have significant permissions and user rights related to the management of AD DS. Because of those rights they are protected groups. By default the protected groups include Account Operators, Administrators, Domain Admins and Enterprise Admins, together with Backup Operators, Server Operators, Print Operators, Replicator, Schema Admins, Domain Controllers and Read-only Domain Controllers. Members of a protected group do not keep their own ACL: every 60 minutes by default, the SDProp process on the PDC emulator copies the ACL of the CN=AdminSDHolder object in the domain's System container onto each member, disables inheritance on the member, and sets the member's adminCount attribute to 1. This is a different mechanism from the Protected Users group shown in the screenshot below, which leaves ACLs alone and instead restricts how its members can authenticate (Kerberos only, no NTLM, no DES or RC4 keys, no delegation, no locally cached credentials).
Screenshot of the User Container. The Protected Users group is highlighted.
For example, if you add Jeff Ford to the Account Operators group, his account becomes protected. The Help Desk, which can reset all other user passwords in the Employees OU, cannot reset Jeff's password, because the delegated permission on the OU no longer inherits down to his object. Removing Jeff from the group does not undo this: adminCount stays at 1 and inheritance stays disabled until an administrator clears the attribute and re-enables inheritance on the object, and such orphaned accounts are a common audit finding.
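The following PowerShell is an added example and not code from the original post. It audits the mechanism described above: it prints the AdminSDHolder template ACL, resolves everyone who is transitively a member of the default protected groups, lists every user or group that SDProp has marked with adminCount=1, flags the orphans that are marked but no longer in a protected group, and finally lists the members of the separate Protected Users group. It assumes the ActiveDirectory module and read access to the domain; the group list is the default set and would need extending if your domain has added groups to AdminSDHolder processing.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is installed and the caller can read the domain.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSDHolder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" `
                   -Properties nTSecurityDescriptor

# 1. The template ACL that SDProp stamps onto every protected object.
$adminSDHolder.nTSecurityDescriptor.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 2. Resolve transitive members of the default protected groups (users AND nested
#    groups) with the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
$protectedGroups = 'Account Operators','Administrators','Backup Operators','Print Operators',
                   'Server Operators','Replicator','Domain Admins','Schema Admins',
                   'Enterprise Admins','Domain Controllers','Read-only Domain Controllers'
$protectedSids = @{}   # SID -> name of the protected group that justifies the mark
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"    # Schema/Enterprise Admins exist only in the root domain
    if ($grp) {
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" `
            -Properties objectSid |
            ForEach-Object { $protectedSids[$_.objectSid.Value] = $g }
    }
}

# 3. Everything SDProp has marked, and whether the mark is still justified.
$marked = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
    -Properties adminCount, objectSid, nTSecurityDescriptor

$report = foreach ($obj in $marked) {
    [pscustomobject]@{
        Name                = $obj.Name
        Class               = $obj.ObjectClass
        InProtectedGroup    = $protectedSids.ContainsKey($obj.objectSid.Value)
        Via                 = $protectedSids[$obj.objectSid.Value]
        InheritanceDisabled = $obj.nTSecurityDescriptor.AreAccessRulesProtected
    }
}
$report | Sort-Object InProtectedGroup | Format-Table -AutoSize

# 4. Orphans: adminCount is still 1 but the account is in no protected group.
#    SDProp never undoes its own work; clean-up is manual (clear adminCount, then
#    re-enable inheritance on the object's ACL in ADUC or with Set-Acl on the AD: drive).
$orphans = $report | Where-Object { -not $_.InProtectedGroup }
"Orphaned adminCount=1 objects: $(@($orphans).Count)"
$orphans | Format-Table Name, Class, InheritanceDisabled -AutoSize

# 5. The Protected Users group is a separate control (authentication hardening, not ACLs).
Get-ADGroupMember -Identity 'Protected Users' | Select-Object Name, objectClass
```

An account in the orphan list is the Jeff Ford case after he has left Account Operators: the Help Desk still cannot reset his password even though nothing about his current group membership explains why.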

Special Identities

Special identities are groups for which membership is controlled by the operating system
    • You cannot view the groups in any list (for example, in Active Directory Users and Computers).
    • You cannot view or modify the membership of these special identities.
    • You cannot add special identities to other groups.
Use special identities to provide access based on authentication or connection
Special identities cannot be changed. You can, however, use these groups to assign rights and permissions. This means you can use them to provide access to resources based on the type of authentication or connection, rather than the user account.
For example, you could create a folder on a system that allows users to view its contents when they are logged on locally to the system, but that does not allow the same users to view the contents from a mapped drive over the network.
    • Anonymous Logon. This identity represents connections to a computer and its resources that are made without supplying a user name and password (null sessions).
    • Authenticated Users. This represents users and computers that have authenticated with valid credentials. This group does not include Guest, even if the Guest account has a password.
    • Everyone. This identity includes Authenticated Users and the Guest account. Since Windows Server 2003 it does not include Anonymous Logon unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled.
    • Interactive. This represents users who access a resource while logged on locally to the computer that is hosting the resource, as opposed to accessing the resource over the network. When a user accesses any given resource on a computer to which the user is logged on locally, the user's token carries the Interactive identity for that access. Interactive also includes users who log on through a Remote Desktop connection.
    • Network. This represents users who access a resource over the network (a file share, WinRM, or any other remote service), as opposed to users who are logged on locally at the computer that is hosting the resource. When a user accesses any given resource over the network, the user's token carries the Network identity for that access.
    • Creator Owner. This is a placeholder used in inheritable ACEs: when a new object is created, the inherited ACE is copied to it with Creator Owner replaced by the SID of the security principal that created the object.
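The folder described above, built with PowerShell as an added example that is not part of the original post. The ACL is addressed by the well-known SIDs of the special identities (INTERACTIVE is S-1-5-4, NETWORK is S-1-5-2), because the operating system decides per logon session which of them a token carries. The path C:\LocalOnly is my assumption, and the script must run elevated on the server that hosts the folder.

```powershell
# Added example (not from the original post). Assumes: run elevated on the host;
# C:\LocalOnly is an assumed path.
$folder = 'C:\LocalOnly'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting and drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# Special identities and built-in principals by well-known SID.
$system      = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # LOCAL SYSTEM
$admins      = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$interactive = [System.Security.Principal.SecurityIdentifier]'S-1-5-4'       # NT AUTHORITY\INTERACTIVE
$network     = [System.Security.Principal.SecurityIdentifier]'S-1-5-2'       # NT AUTHORITY\NETWORK

function New-Ace($who, $rights, $type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rights, $inherit, $none, $type)
}
$acl.AddAccessRule((New-Ace $system      'FullControl'    'Allow'))
$acl.AddAccessRule((New-Ace $admins      'FullControl'    'Allow'))
# Only tokens with the INTERACTIVE identity (console or Remote Desktop logon) may read.
$acl.AddAccessRule((New-Ace $interactive 'ReadAndExecute' 'Allow'))
# Without any Allow for NETWORK, network tokens already get nothing unless they
# match another ACE (e.g. an admin over SMB). This explicit Deny makes it absolute,
# and it also blocks Administrators over the network, so omit it if admins must
# manage the folder remotely.
$acl.AddAccessRule((New-Ace $network     'FullControl'    'Deny'))
Set-Acl -Path $folder -AclObject $acl

(Get-Acl $folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# Which special identity does the current token carry? Run this once at the console
# or over RDP and once through Invoke-Command / a mapped drive to see the difference.
whoami /groups | Select-String -Pattern 'INTERACTIVE|NETWORK'
```

Sharing the folder over SMB does not change the outcome: share permissions are combined with the NTFS ACL, and the NTFS ACL alone already refuses every network token.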

Best Practices

When planning and implementing groups, keep these points in mind.

  • Avoid assigning permissions and rights directly to user accounts. Use groups to make ongoing maintenance easier.
  • Where a built-in group grants exactly the rights a role needs, use it to simplify administration; where it grants more than the role needs (the operator groups above), create a custom group instead.
  • Nest groups to more efficiently control access to resources in larger organizations.

16 comments:

  1. I have read your blog; it is very helpful for me. I want to say thanks to you. I have bookmarked your site for future updates. virtual server

  2. You know your projects stand out from the herd. There is something special about them. It seems to me all of them are really brilliant! Europa-Road international freight transport

  3. Hey, what a brilliant post I have come across, and believe me, I have been searching for this kind of post for the past week and hardly came across this. Thank you very much, and I will look for more postings from you. Multi-User CRM

  4. This blog resolved all the queries I had in my mind. Really helpful and supportive subject matter written in all the points. It is hard to find blogs this descriptive and accountable to your doubts. I am thankful to this blog for assisting me to understand Windows Versions. Thank you, you are doing a great job.

  5. Very informative post! There is a lot of information here that can help any business get started with a successful social networking campaign. Lineage gallery

  6. Worth buying Windows Server 2016 Essentials, ideal for small businesses running low production workloads, as this edition can serve only up to 25 users and 50 devices. It can be deployed as a first server (for inexperienced users) or a primary server (for building a multi-server environment to be used by SMBs).

  7. Interesting article. Hoping that you will continue posting articles with useful information. Data Center In Jaipur

  8. Thanks for the blog loaded with so much information. Stopping by your blog helped me to get what I was looking for. learn more

  9. I haven't any words to appreciate this post. Really, I am impressed by this post. The person who created this post was a great human. Thanks for sharing this with us. Custom star map

  10. I haven't any words to appreciate this post. Really, I am impressed by this post. The person who created this post was a great human. Thanks for sharing this with us. Star map gift

  11. Windows Shared Hosting

    Windows Hosting: Cheap Web Hosting Plans for Web Site Hosting, Windows Web Hosting, Hosting Windows Servers at our website. Shared Hosting services and Windows Shared Hosting Services.

    Visit Here - https://www.lesshosting.net/en/web-hosting/windows-hosting.php

  12. Cool you cut, the data is really salubrious further astounding, I'll give up you a party with my scene. https://vograce.com

  13. Great information post you have shared with us. This post is really useful for us. We are offering a 1-month free trial of backup on cloud and assuring the lowest price guarantee. Contact us: +91-9971329945
    Please visit our website:
    web hosting
    backup on cloud
    best linux web hosting services
    best windows hosting
    android cloud backup solutions

  14. You completely match our expectations and the variety of our information. Windows and doors Limburg
