Group Management in XP

Before you start

Objectives: learn how to create or delete groups and how to manage group membership. You will also become familiar with the built-in local groups in XP.

Prerequisites: you should know how to manage user accounts in XP.

Key terms: group, membership, user, local, account, member, rights, access.


Local Users and Groups Snap-in

We can manage groups with the Local Users and Groups snap-in in the Computer Management console. We can create our own groups or modify existing groups. We can also modify some groups which the system has created for our use (we can’t modify the SYSTEM, INTERACTIVE, Everyone, and NETWORK groups). Let’s say that we have a shared folder on a network. We want some people to be able to manage files in that shared folder and other people to be able only to read files in it. In this situation we can create different user groups, put the users who need to manage files in one group, and those who need only read rights in another group. Then we can assign resource permissions to those user groups.

Image 171.1 – Local Users and Groups Snap-in

From this screen we can add new user groups, modify the membership of existing groups, and delete or rename user groups. To manage group membership, we have to edit the group properties. To edit group properties, simply right-click the desired group and select Properties.

Image 171.2 – Right Click On Group

When we get into the group properties, we can use the ‘Add…’ or Remove button to edit group membership. For example, let’s add a user to the Helpdesk group. We have to click on the ‘Add…’ button and the following window appears:

Image 171.3 – User Selection

Here we will click on the ‘Advanced…’ button to generate a list of users. This computer is not on a domain, so we can only search for users on the local machine (in this case, on ADMIN-8268F4658). When we are ready, we can click on the Find Now button. The list of local users now appears, as shown below.

Image 171.4 – List of Users

In this case, we will select two users – Kim Verson and wdelmonte. When we are done selecting, we will click on the OK button, and then on the next window click OK again. Now we can see our two users in the member list of the Helpdesk group.

Image 171.5 – Helpdesk Group

We can also manage group membership for individual users. To do that, we can go to the user list, right-click on a particular user, and select Properties. Then we have to go to the “Member Of” tab and add or remove groups that the user belongs to.

Image 171.7 – Individual User Membership

Create New Group

To create a new group we have to right-click on the group list window and select the ‘New Group…’ option. We have to provide a group name (Developers in our case) and, optionally, a group description. We can also add members to the group right away by clicking on the ‘Add…’ button. In this case, we will add the anderson user account. When we are done, we have to click on the Create button to create the group.

Image 171.6 – New Group

Delete Existing Group

To delete a group of users, we have to select the group we want to delete and then click on the Remove button. When we delete a group from the computer, we don’t delete the users that were members of the group. We only delete the group, and the users stay on the local machine. Removing a user account from a group does not delete the group or the user account. We cannot remove the local Administrator user account from the Administrators group or the Guest user account from the Guests group.
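The group operations described above can also be performed with the built-in `net localgroup` command, which makes them repeatable and easy to review. The batch script below is an added example, not part of the original article; it assumes an administrator command prompt on the local machine and that the anderson and wdelmonte accounts and the Helpdesk group (the names used above) already exist.

```bat
@echo off
rem Added example: command-line equivalent of the snap-in steps.
rem Assumption: run as a local administrator; accounts already exist.

rem Create the Developers group with an optional description.
net localgroup Developers /add /comment:"Application developers"
if errorlevel 1 echo Developers was not created, it may already exist.

rem Add members: anderson to Developers, wdelmonte to Helpdesk.
net localgroup Developers anderson /add
net localgroup Helpdesk wdelmonte /add

rem Review the resulting membership after every change.
net localgroup Developers
net localgroup Helpdesk

rem Remove one member. Neither the group nor the account is deleted.
net localgroup Developers anderson /delete

rem Delete the group itself. Former members keep their accounts.
net localgroup Developers /delete

rem Confirm the account still exists and see which groups it belongs to.
net user anderson

rem List the members of the most privileged built-in groups so that
rem unexpected entries stand out.
for %%G in ("Administrators" "Backup Operators" "Power Users") do net localgroup %%G
```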

Built-in Groups

Whenever possible, we should use built-in groups to assign rights and permissions. For example, to allow someone to back up and restore the system, we should make the user account a member of the Backup Operators group. We should use caution when modifying the default rights and permissions assigned to built-in groups. When assigning security, we should make user accounts members of groups, then assign the rights or permissions to the group rather than the user accounts. Built-in local groups are:

  • Administrators – Members have complete and unrestricted access to the computer, including every system right. The Administrator user account and any account designated as a “computer administrator” is a member of this group.
  • Backup Operators – Members can back up and restore files (regardless of permissions), log on locally, and shut down the system. Members cannot change security settings.
  • Guests – Members have limited rights (similar to members of the Users group). Members can shut down the system.
  • Users – Members can use the computer but cannot perform system administration tasks and might not be able to run legacy applications. Members cannot share directories or install printers if the driver is not yet installed. Members cannot view or modify system files. Any user created with Local Users and Groups is automatically a member of this group. User accounts designated as “limited user” accounts are members of this group. A user account created as a “computer administrator” is made a member of this group.
  • Power Users – Members can create and modify user accounts and local groups. They can remove users from the Power Users, Users and Guests groups. They can change the system date and time, and install applications. They cannot change the membership of the Administrators or Backup Operators groups, take ownership of files, back up or restore files, load or unload device drivers, or manage security settings.

Windows XP also includes the following local groups:

  • Network Configuration Operators
  • Remote Desktop Users
  • Replicator

In order to participate in one of the groups, a user has to be added to a particular group and they automatically inherit particular privileges.

Special Built-in Groups

There are also other specific built-in user groups, like the Everyone group. The membership of the Everyone group is everyone. It’s created for simplified access to resources. We cannot modify the membership of the Everyone group because everyone belongs to it. As we look into the original permissions and security settings in Windows XP, we will notice that the default is always the Everyone group. The first thing that we will probably want to do is remove the Everyone group from the list, and add our own groups of users to have access to particular resources.
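The shared-folder scenario from the start of this article, combined with the removal of Everyone described above, can be scripted with `net localgroup` and `cacls`. This is an added example, not part of the original article; the folder path `C:\Shared` and the group names ShareEditors and ShareReaders are assumptions, and the folder is assumed to be on an NTFS volume.

```bat
@echo off
setlocal
rem Added example. SHARE and both group names are hypothetical.
set SHARE=C:\Shared

rem One group per access level, as recommended in the article.
net localgroup ShareEditors /add /comment:"Can manage files in %SHARE%"
net localgroup ShareReaders /add /comment:"Can only read files in %SHARE%"

rem Put user accounts into groups (account names from the article).
net localgroup ShareEditors anderson /add
net localgroup ShareReaders wdelmonte /add

rem Grant to the groups first, so administrators keep access
rem once Everyone is revoked. /E edits the ACL instead of replacing it,
rem /T applies the change to the folder contents as well.
rem F = full control, C = change, R = read.
cacls "%SHARE%" /T /E /G Administrators:F
cacls "%SHARE%" /T /E /G ShareEditors:C
cacls "%SHARE%" /T /E /G ShareReaders:R

rem Only now remove the Everyone entry.
cacls "%SHARE%" /T /E /R Everyone

rem Display the resulting ACL and check that Everyone is gone.
cacls "%SHARE%"
endlocal
```

This sets the NTFS permissions on the folder; the permissions on the network share itself are configured separately in the folder's sharing properties.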

Two groups that we should also mention are the INTERACTIVE group and the NETWORK group. Let’s say that we have two computers that are linked over a computer network. One user is logged on to a particular machine and is actively using the keyboard and the mouse and looking at the monitor of that computer. In that case we consider that user a member of the INTERACTIVE group, because he is interacting with that computer. It is important to know where the user comes from. If that user accesses resources on some other machine on the network (a shared folder), he becomes a member of the NETWORK group.

Sometimes we refer to those groups as implicit groups or special identities. They act as variables to represent either a set of users or a set of programs running on the computer. The identity and membership of these groups is dynamically configured, so they are not listed in Local Users and Groups. In many cases, user accounts are being dynamically made a member of these groups when users perform certain actions (such as logging on or creating a file). Implicit local groups are:

  • ANONYMOUS LOGON – Membership is obtained by logging on without a user name and password (anonymous logon is commonly permitted if the computer is acting as a web server)
  • AUTHENTICATED USERS – Membership is obtained by logging on with a user name and password
  • CREATOR GROUP – Membership is obtained by creating an object
  • CREATOR OWNER – Membership is obtained by creating an object (such as a file)
  • DIALUP – Membership is obtained by connecting to the computer through a dial-up connection
  • Everyone – Membership is obtained by gaining access to the computer except through anonymous logon
  • INTERACTIVE – Membership is obtained by logging on interactively (also called logging on locally) through the computer console
  • NETWORK – Membership is obtained by logging on to the computer through a network connection
  • REMOTE INTERACTIVE LOGON – Membership is obtained by logging on to the computer through a remote desktop connection

Except for the Everyone group, we can recognize these groups because their names are all written in caps.

Remember

We can manage groups with the Local Users and Groups snap-in. We can create our own groups or modify existing groups. To manage group membership, we have to edit the group properties. To create a new group we have to right-click on the group list window and select the ‘New Group…’ option. To delete a group of users, we have to select the group we want to delete and then click on the Remove button. Whenever possible, we should use built-in groups to assign rights and permissions. Administrators have complete and unrestricted access to the computer. Members of the Users group can use the computer but cannot perform system administration tasks. ANONYMOUS LOGON membership is obtained by logging on without a user name and password. NETWORK membership is obtained by logging on to the computer through a network. INTERACTIVE membership is obtained by logging on interactively.