Windows Small Business Server 2011 : Working with Groups

2/27/2012 6:02:27 PM
If your organization is small or uncomplicated, you might be able to use the built-in groups, add a few of your own, and assign all rights and permissions through shared folders. You can even begin with that expectation. However, your organization's needs might not align exactly with the groups and tools provided in the Windows SBS Console. In that case, you might need to use other built-in groups and customize them to your needs.

UNDER THE HOOD: Group Scopes

All groups have a group scope that defines how permissions are assigned. There are three possible group scopes: global, domain local, and universal. If you’re using the Windows SBS Console to create a group, it will be created as a universal group.

Global Scope

A group with a global scope is actually a bit of an anomaly in an SBS domain because it is designed to provide global scope across multiple domains, something that SBS doesn’t support. Global groups can be members of universal and domain local groups, and they can have the following members:

  • Other global groups

  • Individual accounts

Domain Local Scope

A domain local group controls access to specific local resources, and it can have one or more of the following members:

  • Other domain local groups

  • Global groups

  • Universal groups

  • Individual accounts

Universal Scope

A universal security group is another concept that is a bit awkward in the single-domain environment of SBS. Universal groups can have the following members:

  • Other universal groups

  • Global groups

  • Individual accounts

All of the groups that are created by SBS and used by the SBS wizards have universal scope. Although there can be valid reasons for using other scopes in large, multidomain enterprise environments, they don’t make much sense in an SBS environment.
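To see these scopes and nesting rules in an existing domain, the following added example (not part of the original text) counts security groups per scope and lists every group-in-group relationship with the scope of both sides. It is read-only and assumes the ActiveDirectory PowerShell module is available on the server; the variable names are illustrative.

```powershell
# Added example: read-only inventory of group scopes and group nesting.
# Assumes the ActiveDirectory module is installed (an assumption, not stated in the text).
Import-Module ActiveDirectory

# 1. Number of security groups per scope (DomainLocal, Global, Universal).
Get-ADGroup -Filter 'GroupCategory -eq "Security"' |
    Group-Object -Property GroupScope |
    Sort-Object -Property Name |
    Format-Table -Property Name, Count -AutoSize

# 2. Index every group by distinguished name so that members which are
#    themselves groups can be recognized without extra directory queries.
$groups = @(Get-ADGroup -Filter * -Properties member)
$byDn = @{}
foreach ($g in $groups) { $byDn[$g.DistinguishedName] = $g }

# 3. Emit one row per nested group, with the scope of parent and child.
$nesting = foreach ($parent in $groups) {
    foreach ($dn in $parent.member) {
        if ($byDn.ContainsKey($dn)) {
            $child = $byDn[$dn]
            New-Object PSObject -Property @{
                Parent      = $parent.Name
                ParentScope = $parent.GroupScope
                Child       = $child.Name
                ChildScope  = $child.GroupScope
            }
        }
    }
}

$nesting |
    Sort-Object -Property ParentScope, Parent |
    Format-Table -Property Parent, ParentScope, Child, ChildScope -AutoSize
```

Rows such as a Global child inside a DomainLocal parent are the nesting the sidebar describes; any group created outside the SBS Console shows up here with whatever scope it was given.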


1. Built-In Universal Groups

The built-in groups with universal scope are, with few exceptions, the groups that all users belong to. Table 1 lists the universal security groups that are specific to Windows SBS 2011. These are the groups you see when you open the Windows SBS Console, select Users And Groups, and then click the Groups tab.

Table 1. SBS-specific universal security groups
| GROUP NAME | DESCRIPTION |
|---|---|
| User Roles | Descriptions of user roles. |
| Windows SBS Admin Tools Group | Members can access and use the Administration tools in Remote Web Workplace. |
| Windows SBS Fax Administrators | Members can administer the Windows SBS fax service. |
| Windows SBS Fax Users | Members can make use of the Windows SBS fax service. |
| Windows SBS Folder Redirection Accounts | Members have folders redirected to the SBS Users folder on the server. |
| Windows SBS Link Users | Members can access the Link List in Remote Web Workplace. |
| Windows SBS Remote Web Workplace Users | Members can access Remote Web Workplace. |
| Windows SBS SharePoint_MembersGroup | Members can perform usual functions on the internal website such as adding, deleting, customizing, and updating material. |
| Windows SBS SharePoint_OwnersGroup | Members can administer the internal website. |
| Windows SBS SharePoint_VisitorsGroup | Members have read-only access to the internal website. |
| Windows SBS Virtual Private Network Users | Members have remote access to the network. |

2. Built-In Domain Local Groups

Built-in domain local groups are created when Windows Small Business Server is installed. These groups can’t be members of other groups, and their group scope can’t be changed. Table 2 shows the built-in local groups.

Table 2. Built-in domain local groups
| GROUP NAME | DESCRIPTION |
|---|---|
| Account Operators | Members can add, change, or delete user and group accounts. |
| Administrators | Members can perform all administrative tasks on the computer. The built-in Administrator account that is created when the operating system is installed is a member of the group. When a member server or a client running Windows Vista, Windows XP Professional, or Windows 2000 Professional joins a domain, the Domain Admins group is made part of this group. |
| Allowed RODC Password Replication Group | Members can have their passwords replicated to all Read-Only Domain Controllers (RODC). |
| Backup Operators | Members can log on to the computer, back up and restore the computer’s data, and shut down the computer. Members cannot change security settings but can override them for purposes of backup and restore. |
| Cert Publishers | Members are allowed to publish certificates to the directory. |
| Certificate Service DCOM Access | Members can connect to Certificate Authorities. |
| Cryptographic Operators | Members can perform cryptographic procedures. |
| Denied RODC Password Replication Group | Members of this group cannot have their passwords replicated to an RODC. Default members are Cert Publishers, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, Read-Only Domain Controllers, and Schema Admins. |
| Distributed COM Users | Members can activate, launch, and use Distributed COM objects on this computer. |
| DnsAdmins | Members are DNS administrators. No default members. |
| Event Log Readers | Members can read event logs from local computers. |
| Guests | Members have the same access as members of the Users group. The Guest account has fewer rights and is a default member of this group. |
| IIS_IUSRS | Used by Internet Information Services (IIS). |
| Incoming Forest Trust Builders | Members can create incoming one-way trusts. This group is an anomaly in SBS because SBS doesn’t support trusts. |
| Network Configuration Operators | Members can manage some network configuration settings. |
| Performance Log Users | Members can schedule some performance counters. |
| Performance Monitor Users | Provides backward compatibility to allow members access to performance counters locally and remotely. |
| Pre-Windows 2000 Compatible Access | A backward-compatibility group to allow read access on all users and groups in the domain. |
| Print Operators | Members can manage printers and print queues on domain printers. |
| RAS And IAS Servers | Servers in this group can access remote access properties of users. |
| Remote Desktop Users | Members are allowed to connect remotely. This group does not control who has access via Remote Web Workplace. |
| Replicator | Supports file replication in a domain. Do not add user accounts of actual users to this group. If necessary, you can add a “dummy” user account to this group to permit you to log on to Replicator services on a domain controller and manage replication of files and directories. |
| Server Operators | Members can administer servers. |
| Terminal Server License Servers | Members can update user accounts in Active Directory to track and report Terminal Server per-user Client Access License usage. |
| Users | Members can log on to the computer, access the network, save documents, and shut down the computer. Members cannot install programs or make system changes. Authenticated Users and Domain Users are members by default. |
| Windows Authorization Access Group | Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. |

It takes only a glance at this list of groups to see that many are unlikely to be used in a Small Business Server network. However, look a bit further under the domain name in Active Directory Users And Computers and click the Users node (shown in Figure 1) to see more groups.

Figure 1. Additional groups you can use in Windows SBS


The following sections describe some more commonly used groups.

3. Built-In Global Groups

Default global groups are created to encompass common types of accounts. By default, these groups do not have inherent rights; an administrator must assign all rights to the group. However, some members are added to these groups automatically, and you can add more members based on the rights and permissions you assign to the groups. Rights can be assigned directly to the groups or by adding the default global groups to domain local groups. Table 3 lists the commonly used default global groups.

Table 3. Built-in global groups
| GROUP NAME | DESCRIPTION |
|---|---|
| DnsUpdateProxy (installed with DNS) | Members are DNS clients that can provide dynamic updates to DNS on behalf of other clients. No default members. |
| Domain Admins | This group is automatically a member of the domain local Administrators group, so members of Domain Admins can perform administrative tasks on any computer in the domain. This group is also automatically a member of the Denied RODC Password Replication group. The Administrator account is a member of this group by default. |
| Domain Computers | All computers in the domain are members. |
| Domain Controllers | All domain controllers in the domain are members. This group is automatically a member of the Denied RODC Password Replication group. |
| Domain Guests | The Guest account is a member by default. This group is automatically a member of the domain local Guests group. |
| Domain Users | The Administrator account and all user accounts are members. The Domain Users group is automatically a member of the domain local Users group. |
| Group Policy Creator Owners | Members can create and modify group policy for the domain. The Administrator account is a member of this group by default. This group is also a member of the Denied RODC Password Replication group. |
| Read-Only Domain Controllers | Members are the Read-Only Domain Controllers in the domain. |
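Because rights reach users both directly and through global groups nested in domain local groups (Domain Admins inside Administrators, for example), a membership review has to follow the nesting. The following added example (not part of the original text) reports every user who effectively belongs to the administrative and operator groups from Tables 2 and 3, and whether the membership is direct or inherited. It is read-only and assumes the ActiveDirectory PowerShell module; the choice of groups to review is illustrative.

```powershell
# Added example: effective (recursive) membership of privileged built-in groups.
# Assumes the ActiveDirectory module is installed; the group list is an
# illustrative selection from Tables 2 and 3, not a complete one.
Import-Module ActiveDirectory

$privileged = 'Administrators', 'Domain Admins', 'Account Operators',
              'Backup Operators', 'Server Operators', 'Print Operators',
              'DnsAdmins', 'Group Policy Creator Owners'

$report = foreach ($name in $privileged) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        Write-Warning "Group not found: $name"
        continue
    }

    # Direct members only (users and nested groups).
    $direct = @(Get-ADGroupMember -Identity $group.DistinguishedName)
    $directDns = @($direct | ForEach-Object { $_.DistinguishedName })

    # All users reached through any depth of nesting.
    $effective = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    foreach ($user in $effective) {
        # A user absent from the direct list holds membership through a nested group.
        if ($directDns -contains $user.DistinguishedName) { $via = 'direct' }
        else { $via = 'nested group' }

        New-Object PSObject -Property @{
            Group = $group.Name
            Scope = $group.GroupScope
            User  = $user.SamAccountName
            Via   = $via
        }
    }
}

$report |
    Sort-Object -Property Group, User |
    Format-Table -Property Group, Scope, User, Via -AutoSize
```

Groups described in the tables as having no default members, such as DnsAdmins, should produce no rows unless someone has been added deliberately.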
 