Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97

Figure 7.8.  The Logon Workstations dialog box may be used to designate which workstations may be used to access the network.

  Account: A user account can be specified as either a local or a global account (see Figure 7.9). Always accept the default of Global unless the account is being created solely to allow access to a member of an untrusted domain such as LanManager. Local users are identified in User Manager for Domains by an icon of a computer next to a person.


Figure 7.9.  The Account Information dialog box is used to designate an account as local or global.


You can set an account expiration date. By setting an account to expire when a contract worker’s time will be completed, you ensure that he will not be able to gain further access. If he returns, the account can be enabled.
  Dial-in: Remote users might need access to the network via the remote access service (RAS). The permission to dial in to the network can be set from the Dialin Information dialog box (see Figure 7.10) or from the RAS Administration program. You also can configure here the type of callback security.

Although callback security can be used with RAS Multi-link, the return call only initializes a single line.


Figure 7.10.  The Dialin Information dialog box.

After you select the Add button, the new user is added to the system. The new user account is displayed in Figure 7.11.


Figure 7.11.  User Manager for Domains showing the newly created user.

7.4. Managing Groups

This section demonstrates the proper methodology for implementing and administering groups within both a single and multiple domain environment.

You implement groups in NT in order to organize user accounts. When you organize accounts into groups, managing permissions and policies becomes easier.

7.4.1. Local Versus Global Groups

Two types of groups exist within a Microsoft NT network: local and global. Each of the groups serves a specific purpose. Understanding how each group functions independently is important. After you understand this you can understand how they work together.

Groups cannot be renamed.

Also, you cannot change a group from local to global or global to local.

Local Groups

A local group is local to the systems that share the SAM database in which it was created. Because an NT Workstation, stand-alone server, or member server each maintains its own unique SAM database, a local group created on one of these systems can be granted permissions only on the system on which it was created.

When a local group is created from a controller, the group is added to the SAM database at the PDC. Because the SAM database from the PDC is replicated to all BDCs, the local group will be available to each of the controllers.

Local groups created from a controller will not be available to NT workstations or NT member servers. Although they are members of the domain, they do not receive a replicated copy of the SAM database. Additionally, local groups cannot be made available across trusts to trusting domains.

Permissions are normally granted directly to local groups.

Local groups are identified in User Manager for Domains by an icon of a computer and two people.

Local Group Membership

A local group can contain the following members:

  Global user accounts from the local group's domain
  Local user accounts from the local group's domain
  Global groups from the local group's domain
  Global groups from trusted domains
  Global users from trusted domains

Local groups cannot contain other local groups.

Global Groups

Global groups can exist only on controllers. When a global group is created it is placed on the PDC and replicated with the SAM information to each of the BDCs. Although member servers and NT workstation domain members do not receive a copy of the group, they will be able to grant the group permissions to their resources. Permissions can be directly granted to the global group, but it is better to make the global group a member of a local group and assign the local group the resource permissions.

Global groups are available across trusts to members of a trusting domain. Global groups are identified in User Manager for Domains by an icon of a globe and two people.

Global Group Membership

A global group can contain only global users from the same domain.
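The membership rules for local and global groups can be written as a small checker. This is an added example, not code from the book: the domain names, account names and helper functions are made up, and each local group is modeled as belonging to one domain's SAM database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "global_user", "local_user", "global_group" or "local_group"

def can_join(member, group, trusted=frozenset()):
    """True if `member` may be added to `group` under the rules above.
    `trusted` is the set of domains that the group's domain trusts."""
    same = member.domain == group.domain
    if group.kind == "global_group":
        # Global groups: only global users from the same domain.
        return member.kind == "global_user" and same
    if group.kind == "local_group":
        if member.kind in ("global_user", "global_group"):
            return same or member.domain in trusted
        # Local users only from the group's own domain; never other local groups.
        return member.kind == "local_user" and same
    return False  # user accounts cannot contain members

def build(requests, trusted_by):
    """Apply (member, group) requests; return (memberships, rejected)."""
    members, rejected = {}, []
    for member, group in requests:
        if can_join(member, group, trusted_by.get(group.domain, frozenset())):
            members.setdefault(group, set()).add(member)
        else:
            rejected.append((member.name, group.name))
    return members, rejected

def in_local_group(user, local_group, members):
    """Direct membership, or via one global group: nesting never goes deeper."""
    direct = members.get(local_group, set())
    return user in direct or any(
        m.kind == "global_group" and user in members.get(m, set()) for m in direct)

# Constructed sample: domain RESOURCES trusts domain ACCOUNTS (names are made up).
TRUSTED_BY = {"RESOURCES": frozenset({"ACCOUNTS"})}
alice = Principal("alice", "ACCOUNTS", "global_user")
temp = Principal("temp", "ACCOUNTS", "local_user")
sales = Principal("Sales", "ACCOUNTS", "global_group")
printers = Principal("PrinterUsers", "RESOURCES", "local_group")
backup = Principal("BackupOps", "RESOURCES", "local_group")
MEMBERS, REJECTED = build([
    (alice, sales),      # global user -> global group, same domain
    (sales, printers),   # global group from a trusted domain -> local group
    (temp, sales),       # local user -> global group: rejected
    (temp, printers),    # local user from another domain: rejected
    (backup, printers),  # local group -> local group: rejected
], TRUSTED_BY)
```

In the sample, alice reaches PrinterUsers only through the Sales global group, which is the arrangement the text recommends for granting resource permissions.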

Creating Local and Global Groups

You use User Manager for Domains to create both local and global groups. Before creating the group you can select the desired group members by highlighting them and holding the Ctrl key while clicking them. After you select the group members, simply choose User from the menu bar and then either New Local Group or New Global Group.

When you create a global group, the only potential members are domain users from the same domain (see Figure 7.12). When assigning membership to a global group, all domain users are listed. If there are any local user accounts on that machine, they are not available for membership in this group.


Figure 7.12.  Available user accounts that can be added to the new global group.

Local group members can include both local and global users and global groups (see Figure 7.13).


Figure 7.13.  Available user and group accounts that can be included in the new local group.

7.4.2. Special Groups

You do not directly control the membership of some special groups. The groups are special because membership is based on what you do rather than who you are. The name of each group explicitly describes its membership:

  Network: You are a member of the Network group if you are accessing the computer from across the network.
  Interactive: You are a member of the Interactive group if you are accessing the computer locally.
  Everyone: You are a member just by virtue of logging on. The Everyone group includes all logged-on users, including the guest account.

Because of special group permissions, you might have more or less access to certain resources when you are local to them versus when you are accessing them from the network.



Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.