P1: GSB/FFX P2: GSB/FFX QC: IML/FFX T1: IML
WL040C-63 WL040/Bidgoli-Vol III-Ch-64 June 23, 2003 16:45 Char Count= 0
796 WINDOWS2000 SECURITYFigure 4: Password Policy settings.resources in the domain or forest where they exist and are
backward compatible with NT global groups), and (only
in Native Mode) universal groups (which can consist of
users and groups from any Native Mode domain within a
tree or forest). Universal groups provide the most flexible
way of forming groups and providing access to them at
the risk of potentially allowing too much access to these
groups unintentionally.
Some types of groups can be included within other
groups. Group inclusion means that any users from one
group can also become members of another group by
adding the first group to the second. For example, globalgroups can be added to domain local groups and in a
Native Mode domain, global groups can even be included
in other global groups.
W2Kâs group inclusion properties provide a very con-
venient way of setting up access to resources, especially
when trusted access is required. System administrators
can, for example, include a universal group from another
domain in a domain local group in their own domain to
give users in the other domain the access they need. The
users in the universal group from the other domain will
have the same access permissions to the resources in ques-
tion as the users in the domain local group. Table 2 listsTable 2Default Groups in W2KLocal Groups in
Domain Local Groups Workstations
Global Groups in DCs and Servers
Domain Administrators Administrators (Local) Administrators (Local)
Domain Users Account Operators Backup Operators
Domain Guests Server Operators Guests
Certificate (Cert) Publishers Backup Operators Power Users
Domain Computers Print Operators Replicator
Domain Controllers Replicator Users
Group Policy Creator Owners Users Interactive Users
Enterprise Controllers Guests Network Users
Interactive Users Everyone
Network Users Creator/Owner
Everyone Dial-up
Creator/Owner Batch
Dial-up Terminal Server Users
Batch
Terminal Server Users