Local and Global Groups in Windows NT and Advanced Server
Last reviewed: September 17, 1997
Article ID: Q101471
The following information applies to:
SUMMARY
The Windows NT networking environment defines groups to organize users who have similar jobs or resource requirements into a unit, which eases the process of granting appropriate rights and resource permissions. When groups are defined, an administrator needs to take only one action, giving a right or permission to a group, to give that right or permission to all present and future members of that group. Without this capability, the administrator would have to grant rights and resource permissions manually to each individual user account.

To create or manage user and group accounts, use User Manager. Use File Manager to assign permissions for files and directories to users or groups, and use Print Manager to assign access to printers to users or groups. Windows NT defines two types of groups: local and global groups.
MORE INFORMATION
Windows NT workstations and Advanced Servers support local groups. The table below presents the default local groups, which represent the different default privilege levels:
   Windows NT                 Windows NT
   Advanced Server Domains    Workstations
   ---------------------------------------------------
   Administrators             Administrators
   Backup Operators           Backup Operators
   Server Operators           Power Users
   Account Operators          Users
   Print Operators            Guests
   Users                      Replicator
   Guests
   Replicator

A second type of default group contains no members because the group privileges apply to any account that uses the computer in a specified manner. These groups do not refer to the privilege level of the user but reflect resource access. The four groups are as follows:
Local Groups
User Manager represents local groups with a graphic of two faces imposed over a computer. A local group is local to the security system in which it is created. A local group created on a Windows NT workgroup workstation is available only on the workstation on which it is created. A local group created on a Domain Controller is available on all Domain Controllers. A local group on a Windows NT workstation can contain user accounts created on the workstation, users and global groups from the workstation's domain, and users and groups from domains trusted by the workstation's domain.
Global Groups
User Manager represents global groups with a graphic of two faces imposed over a globe. Global groups contain user accounts from one domain grouped together as one group name. A global group cannot contain another global group or a local group. The default global groups on an Advanced Server are the Domain Admins and the Domain Users groups. A Windows NT workstation does not define any default global groups. However, because a global group can be a member of a local group, a local group defined on a Windows NT workstation can contain a global group from the domain. A local group can also contain a global group from another domain by passing through trust relationships. Local groups cannot traverse trust relationships. The primary purpose of a global group is to support use on machines other than the Advanced Servers in a domain. In a single domain model, this applies to Windows NT domain workstations and LAN Manager servers that participate in the domain.
NOTE: A local group and a global group that share the same name are two separate entities, each of which has its own distinct security identifier and characteristics as defined above. Permissions assigned to one group do not apply to the other group that shares the same name.
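
The membership rules above can be checked mechanically when auditing who a permission actually reaches. The following Python model is an added example, not Microsoft code and not a Windows NT API: the Principal and Directory classes, the domain names SALES and HQ, the workstation WS1, and the account names are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    kind: str       # "user", "global" or "local"
    authority: str  # domain or workstation whose account database owns it
    name: str

@dataclass
class Directory:
    trusts: dict = field(default_factory=dict)   # domain -> domains it trusts
    home: dict = field(default_factory=dict)     # workstation -> its domain
    members: dict = field(default_factory=dict)  # group -> set of members

    def add_member(self, group, member):
        if group.kind == "user" or member.kind == "local":
            raise ValueError("only groups have members; local groups never nest")
        if group.kind == "global":
            # Global group: user accounts from its own domain, nothing else.
            if member.kind != "user" or member.authority != group.authority:
                raise ValueError("global groups hold only users of their own domain")
        else:
            # Local group: own accounts, its domain, and domains that domain trusts.
            domain = self.home.get(group.authority, group.authority)
            allowed = {group.authority, domain} | self.trusts.get(domain, set())
            if member.authority not in allowed:
                raise ValueError("member comes from an untrusted domain")
        self.members.setdefault(group, set()).add(member)

    def effective_users(self, group):
        """User accounts that a permission granted to `group` reaches."""
        users = set()
        for m in self.members.get(group, set()):
            users |= {m} if m.kind == "user" else self.effective_users(m)
        return users

def build_sample():
    """Constructed sample: workstation WS1 in domain SALES, which trusts HQ."""
    d = Directory(trusts={"SALES": {"HQ"}}, home={"WS1": "SALES"})
    alice, bob = Principal("user", "SALES", "alice"), Principal("user", "HQ", "bob")
    carol = Principal("user", "WS1", "carol")
    g_sales = Principal("global", "SALES", "Auditors")
    g_hq = Principal("global", "HQ", "Auditors")
    local = Principal("local", "WS1", "Auditors")   # same name, separate principal
    d.add_member(g_sales, alice)
    d.add_member(g_hq, bob)
    for m in (carol, g_sales, g_hq):
        d.add_member(local, m)
    return d, local, g_sales
```

In the sample, a permission granted to the local group WS1\Auditors reaches alice, bob and carol, while the same permission granted to the global group SALES\Auditors reaches only alice, which is the distinction the NOTE draws between same-named groups.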
© 1998 Microsoft Corporation. All rights reserved.