
GROUPS: Local and Global

This is the second article in our series on Windows NT permissions. It addresses the basic concept of Local and Global groups as well as how they interact.

In the first article on the subject we discussed a default global group called Domain Admins. As you may recall, any user who is a member of Domain Admins is by default a member of the local Administrator group on any system running Windows NT. I repeat this data because I think the relationship between the Domain Admins group and the Administrator group is the clearest way to illustrate the layout and power of global and local groups.

Global groups are used to administrate users at the domain level. If you have a user on your domain that you wish to have the same access as another user, you put that user into the same global group as the other user and he will have that same access. If you want a user to have administrator rights on all Windows NT systems on your domain, add them to the global Domain Admins group and they will have the access and rights by default.

The actual access and rights exist at the local system level, not at the domain level. Membership in Domain Admins is powerful only because, by default, every system running Windows NT has the Domain Admins group as a member of its local Administrator group. It is the local Administrator group that actually has the access and rights. This is the key to domain user administration: the access and rights exist on the local system, and the global group has the same access and rights because it is linked to the local group.

It's really that simple, but how does this look in the two interfaces: User Manager and User Manager for Domains? Let's start with User Manager for Domains. User Manager for Domains controls the directory database for the domain along with the local directory database on all domain controllers:

a. Open User Manager for Domains on any domain controller or other Windows NT system that has the User Manager for Domains application installed from this menu location: Start / Programs / Administrative Tools.

b. Within the lower subwindow within the User Manager for Domains window, you will see two different icons. The icons with the two users and the Earth are global groups while the icons with the two users and the CRT (the monitor) are local groups. Highlight and double click the global group icon for Domain Admins in the Groups column of the lower subwindow.

c. Within the right hand subwindow of the Global Group Properties window, you will see ONLY domain users and NOTHING ELSE. This is key to what I mentioned above about global groups being used to administrate users on the domain level. ONLY domain users can be added to or removed from global groups. No global groups, local groups or local users may be added.

Next, we'll use User Manager to see how local groups function. User Manager manages only the local directory database.

a. Open User Manager on the local system from this menu location: Start / Programs / Administrative Tools.

b. Within the lower subwindow within the User Manager window, you will see only one type of icon. The icons with the two users and the CRT are local groups. You do not have access to global groups from User Manager, only your local directory database. Highlight and double click Administrators in the Groups column of the lower subwindow.

c. Within the Local Group Properties window, select the Add button.

d. Within the Add Users and Groups window, you will see either your local system name or a domain name displayed in the List Names From pull down list. If you see your local system name in the pull down list, you will see all of the user accounts in your local system's directory database ONLY. If you see a domain name displayed in the pull down list, you will see both all the user accounts on the domain and all of the global groups. You would use this interface to add global groups or domain users to your local group.
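The membership rules from both walkthroughs can be modelled in a few lines to show who actually ends up holding a local group's rights. This is an added example, not part of the original article; the domain name CORP, the system name WKSTN1 and the accounts alice, bob and carol are constructed, and the class names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Account:
    kind: str   # "domain_user" or "local_user"
    name: str

@dataclass
class GlobalGroup:
    name: str
    members: set = field(default_factory=set)

    def add(self, member):
        # Rule from the article: global groups hold domain users and nothing else.
        if not (isinstance(member, Account) and member.kind == "domain_user"):
            raise ValueError(f"{member.name!r} cannot join global group {self.name!r}")
        self.members.add(member)

@dataclass
class LocalGroup:
    name: str
    users: set = field(default_factory=set)
    global_groups: list = field(default_factory=list)

    def add(self, member):
        # The Add Users and Groups window offers user accounts and global groups.
        if isinstance(member, GlobalGroup):
            self.global_groups.append(member)
        elif isinstance(member, Account):
            self.users.add(member)
        else:
            raise ValueError(f"{member!r} cannot join local group {self.name!r}")

    def effective_members(self):
        """Map every account holding this group's rights to how it got them."""
        found = {u.name: "direct" for u in self.users}
        for group in self.global_groups:
            for user in group.members:
                found.setdefault(user.name, f"via {group.name}")
        return found

def build_sample():
    """Constructed sample: one NT system's Administrator group and Domain Admins."""
    domain_admins = GlobalGroup("Domain Admins")
    domain_admins.add(Account("domain_user", "CORP\\alice"))
    admins = LocalGroup("Administrator")
    admins.add(Account("local_user", "WKSTN1\\Administrator"))
    admins.add(Account("domain_user", "CORP\\bob"))
    admins.add(domain_admins)   # the default link described above
    return admins, domain_admins

if __name__ == "__main__":
    admins, _ = build_sample()
    for name, how in sorted(admins.effective_members().items()):
        print(f"{name:25} {how}")
```

When reviewing who has administrator rights on a system, the local group's member list alone is not the full answer: every global group listed there has to be expanded as well, because a change made at the domain level changes the result without touching the local system.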

As in the previous article, we are working with the administrator group, but this general procedure applies to any local or global group. This data is rather brief; my intention is to give you the needed information in a simple, short format that you can use right now. If you have any further data or comments on my article please contact me at the attached e-mail address.

If you have any comments about this article or any requests for new technical articles e-mail

 

 

Executive Software Europe