Group Permissions

Posted on 2005-04-17
Last Modified: 2010-04-18
This is probably a silly question, but I can't find the answer anywhere.

I would like a list of all the groups that are available and what permissions they are granted, before I move users into groups.

I thought Administrators would be able to install applications on their workstations, but apparently not. I have had to assign them to Domain Admins to allow this, which I am not overly enthusiastic about.

But I would just like some info on Group Permissions please, and possibly the difference between Local Groups and Domain Groups?
Question by:alanheaton
    LVL 15

    Expert Comment

    Hi alanheaton,
    What groups exist will depend on how you've set your domain up - the same applies for permissions I'm afraid!

    I'll see what I can dig out with regards default groups.

    I can see where your confusion is coming from with the "Administrators" group though.

    A "local" group exists just for that individual PC or server.  This group is held on and managed by the individual PC concerned.
    Each machine will have its own local "Administrators" group.
    Users who are a member of this group have permission to administrate that specific machine.

    A "domain" group exists within the entire domain, and not on specific machines.  It's managed by the domain controllers.
    "Domain Admins" is a good example of a domain group.

    Local groups (such as "Administrators") can contain domain groups (such as "Domain Admins") - but not the other way round.

    So, when a PC is added into the domain, the machine will automatically add the domain "Domain Admins" group into its own local "Administrators" group.
    This is what allows users in the Domain Admins group to administrate the PC.

    Does that make sense?

    You're right, setting up your users as Domain Admins is a bad idea.
    If you need your users to be administrators of their own local PC, you can add their domain account into the local Administrators group on that PC.
    This will then allow them to log in with their domain account, and have administrative access to that PC.  They won't have administrative access to anything else though.

    That's a (very!) brief overview of how it works - does that help?

    LVL 15

    Expert Comment

    I've just found an article at which explains a little about the different types of domain groups.
    LVL 2

    Author Comment

    Thanx for that,

    But prior to me installing a domain, The user was an Administrator on that PC.

    When I added the PC to the domain, I created him as a user, and added him to the Administrators group but he couldn't install anything on his PC. I had to add the domain Admins group to his user to enable him to do this.

    My main concern is that if he is a Domain Admin he will be able to log on to the server ...I THINK?

    So I just want to nail him down to installing on that PC
    LVL 15

    Accepted Solution

    If he is a domain admin, he'll have access to the server - and pretty much anything else on your network.

    Just to be clear on how this is set up:

    You have a PC, called PC01
    You have a domain, called MYDOMAIN

    Your user (Fred) was set up as a local user on PC01, before the machine was added to the domain.  At this point he was a local administrator on the machine.
    This would mean that you'd added the user PC01\FRED to the local Administrators group on PC01

    Note the prefix of the username (PC01\) is the name of the PC on which the account resides.

    Now, you created your domain (MYDOMAIN), and created a user in that domain for Fred.
    Fred's domain account is now MYDOMAIN\FRED  - once again, his username is prefixed with the name of the machine (or in this case, the domain) in which the account resides.

    So - your user is logging in as MYDOMAIN\FRED, and you have PC01\FRED set up as an Administrator on PC01.
    Although these may look the same, they are completely different accounts - and the PC knows this.

    You therefore need to add MYDOMAIN\FRED to the local Administrators group on PC01.
    Fred will then be able to administrate the machine when he logs in with his domain account.

    Does that make more sense?
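
The fix described in this answer, as an added PowerShell example that is not part of the original thread: it lists the members of the local Administrators group on the PC, flags the case where only the same-named local account is a member, adds the domain account, and checks that the account is not a direct member of Domain Admins. PC01, MYDOMAIN and FRED are the answer's placeholder names; the script assumes Windows PowerShell 5.1 or later, run elevated on the PC by an account that can query the domain.

```powershell
# Added example, not from the original thread. MYDOMAIN and FRED are the
# placeholder names used in the answer; replace them with your own.
param(
    [string]$Domain   = 'MYDOMAIN',
    [string]$UserName = 'FRED'
)

$computer   = $env:COMPUTERNAME        # e.g. PC01
$domainAcct = "$Domain\$UserName"      # account held by the domain controllers
$localAcct  = "$computer\$UserName"    # account held on this PC only

# Well-known SID of the built-in local Administrators group; using the SID
# avoids depending on the (localized) group name.
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# Show every member and where the account lives (Local vs ActiveDirectory).
$members = @(Get-LocalGroupMember -SID $adminsSid)
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

$names = $members.Name   # -contains below is case-insensitive

# The situation from the thread: PC01\FRED is an admin, MYDOMAIN\FRED is not.
if ($names -contains $localAcct -and $names -notcontains $domainAcct) {
    Write-Warning "$localAcct is a local admin but $domainAcct is not. They are different accounts."
}

# Give the domain account administrative rights on this PC only.
if ($names -notcontains $domainAcct) {
    Add-LocalGroupMember -SID $adminsSid -Member $domainAcct
    Write-Output "Added $domainAcct to the local Administrators group on $computer."
}

# Check that the account is not a direct member of Domain Admins
# (nested membership is not followed by this lookup).
$hit = ([adsisearcher]"(&(objectCategory=user)(sAMAccountName=$UserName))").FindOne()
if ($hit) {
    $groups = @($hit.Properties['memberof'])
    if ($groups -match '^CN=Domain Admins,') {
        Write-Warning "$domainAcct is still in Domain Admins. Remove it to limit the account to $computer."
    } else {
        Write-Output "$domainAcct is not a direct member of Domain Admins."
    }
} else {
    Write-Warning "No domain account named $UserName was found."
}
```
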
    LVL 2

    Author Comment

    Yes Thanks Very Much.

    I have got it now

    I have had to go into the User Accounts of PC01 and create him as a Power User, which should do the job

    Thank You
    LVL 15

    Expert Comment

    Glad I could help :-)

