You probably won't use the account once the system has been installed. Instead, you'll probably want to make your administrators members of the Administrators group. This ensures that you can revoke administrator privileges without having to change the passwords for all the Administrator accounts. For a system that's part of a workgroup where each individual computer is managed separately, you'll typically rely on this account anytime you need to perform your system administration duties.
Here, you probably won't want to set up individual accounts for each person who has administrative access to a system. Instead, you'll use a single Administrator account on each computer.
Guest is designed for users who need one-time or occasional access. While guests have limited system privileges, you should be very careful about using this account.
Whenever you use this account, you open the system to potential security problems. The potential is so great that the account is initially disabled when you install Windows Tip If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly.
As with the Administrator account, you may want to rename the account as an added security precaution. Built-in groups are installed with all Windows workstations and servers. Use the built-in groups to grant a user the group's privileges and permissions. You do this by making the user a member of the group.
For example, you give a user administrative access to the system by making a user a member of the local Administrators group. You give a user administrative access to the domain by making a user a member of the domain local Administrators group in Active Directory.
The availability of a specific built-in group depends on the current system configuration. Use Table to determine the availability of the various built-in groups. Each of these groups is discussed later in the chapter. Predefined groups are installed with Active Directory domains. Use these groups to assign additional permissions to users, computers, and other groups. Predefined groups include domain local, global, and universal groups.
The availability of a specific built-in group depends on the domain configuration. Use Table to determine the availability of the various predefined groups.
Key predefined groups are discussed later in this chapter. Note: The group scope for Enterprise Admins and Schema Admins can be either universal or global, depending on the operations mode. In mixed mode, these are global groups. In native mode, these are universal groups. In Windows NT implicit groups were assigned implicitly during logon and were based on how a user accessed a network resource.
For example, if a user accessed a resource through interactive logon, the user was automatically a member of the implicit group called Interactive. In Windows , the object-based approach to the directory structure changes the original rules for implicit groups.
While you still can't view the membership of special identities, you can grant membership in implicit groups to users, groups, and computers. To reflect the new role, implicit groups are also referred to as special identities. A special identity is a group whose membership can be set implicitly, such as during logon, or explicitly through security access permissions.
As with other default groups, the availability of a specific implicit group depends on the current configuration. Use Table to determine the availability of the various implicit groups.
Implicit groups are discussed later in this chapter. When you set up a user account, you can grant the user specific capabilities. You generally assign these capabilities by making the user a member of one or more groups, thus giving the user the capabilities of these groups. You then assign additional capabilities by making a user a member of the appropriate groups.
You withdraw capabilities by removing group membership. In Windows , you can assign various types of capabilities to an account. These capabilities include. Privileges A type of user right that grants permissions to perform specific administrative tasks. You can assign privileges to both user and group accounts. An example of a privilege is the ability to shut down the system. Logon rights A type of user right that grants logon permissions.
You can assign logon rights to both user and group accounts. An example of a logon right is the ability to log on locally. Built-in capabilities A type of user right that is assigned to groups and includes the automatic capabilities of the group. Built-in capabilities are predefined and unchangeable, but they can be delegated to users with permission to manage objects, organizational units, or other containers. An example of a built-in capability is the ability to create, delete, and manage user accounts.
This capability is assigned to administrators and account Operators. Contents Exit focus mode. Is this page helpful? Please rate your experience Yes No. Any additional feedback? Submit and view feedback for This product This page. View all page feedback. In this article. Most Active Hubs Microsoft Teams.
Security, Compliance and Identity. Microsoft Edge Insider. Azure Databases. Autonomous Systems. Education Sector. Microsoft Localization. Microsoft PnP. Healthcare and Life Sciences. Internet of Things IoT. Enabling Remote Work. Small and Medium Business. Humans of IT. Green Tech. MVP Award Program. Video Hub Azure.
Microsoft Business. Microsoft Enterprise.
0コメント