Windows 7 also provides groups, which you use to grant permissions to similar types of users and to simplify account administration. If a user is a member of a group that has access to a resource, that user has access to the same resource. You can give a user access to various work-related resources just by making the user a member of the correct group.
Although you can log on to a computer with a user account, you can’t log on to a computer with a group account. Because different Active Directory domains or local computers might have groups with the same name, groups are often referred to by Domain\GroupName or Computer\GroupName (for example, Technology\GMarketing for the GMarketing group in a domain or on a computer named Technology).
Windows 7 uses the following three types of groups:
- Local groups: Defined on a local computer and used on the local computer only. You create local groups with Local Users And Groups.
- Security groups: Can have security descriptors associated with them. You use a Windows server to define security groups in domains, using Active Directory Users And Computers.
- Distribution groups: Used as e-mail distribution lists. They can’t have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.
As with user accounts, group accounts are tracked using unique SIDs. This means that you can’t delete a group account, re-create it with the same name, and expect all of its permissions and privileges to remain the same. The new group has a new SID, and every permission and privilege that referenced the old group’s SID is lost.
When you assign user access levels, you have the opportunity to make the user a member of the following built-in or predefined groups:
- Administrators: Members of this group are local administrators and have complete access to the workstation. They can create accounts, modify group membership, install printers, manage shared resources, and more. Because this group has complete access, you should be very careful about which users you add to it.
- Backup Operators: Members of this group can back up and restore files and directories on the workstation. They can log on to the local computer, back up or restore files, and shut down the computer. Because of how this group is set up, its members can back up files regardless of whether they have read/write access to those files. However, they can’t change access permissions on the files or perform other administrative tasks. Backup Operators have privileges to perform very specific administrative tasks, such as backing up file systems. By default, no other group or user accounts are members of the operator groups; this ensures that access to the operator groups is granted only explicitly.
- Cryptographic Operators: Members can manage the configuration of encryption, IP Security (IPSec), digital IDs, and certificates.
- Event Log Readers: Members can view the event logs on the local computer.
- Guests: Guests are users with very limited privileges. Members can access the system and its resources remotely, but they can’t perform most other tasks.
- Network Configuration Operators: Members can manage network settings on the workstation. They can also configure TCP/IP settings and perform other general network configuration tasks.
- Performance Log Users: Members can view and manage performance counters. They can also manage performance logging.
- Performance Monitor Users: Members can view performance counters and performance logs.
- Power Users: In earlier versions of Windows, this group was used to grant additional privileges, such as the ability to modify computer settings and install programs. In Windows 7, the group is maintained only for compatibility with legacy applications.
- Remote Desktop Users: Members can log on to the workstation remotely using Terminal Services and Remote Desktop. Once members are logged on, the other groups they belong to determine their permissions on the workstation. A user who is a member of the Administrators group is granted this privilege automatically. (However, remote logons must be enabled before an administrator can remotely log on to a workstation.)
- Replicator: Members can manage the replication of files for the local machine. File replication is primarily used with Active Directory domains and Windows servers.
- Users: Users are people who do most of their work on a single Windows 7 workstation. Members of the Users group have more restrictions than privileges. They can log on to a Windows 7 workstation locally, keep a local profile, lock the workstation, and shut down the workstation.
In most cases, you configure user access by using the Users or Administrators group. You can configure user and administrator access levels by setting the account type to Standard User or Administrator, respectively. While these basic tasks can be performed using Control Panel’s User Accounts page, you make a user a member of a group by using Local Users And Groups under Computer Management.
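As an added example (not from the book), the following PowerShell script audits who belongs to the most sensitive built-in groups described above and shows each group’s SID, illustrating that built-in groups have well-known SIDs while groups you create get a new SID each time they are re-created. It uses the ADSI WinNT provider and the .NET NTAccount class, both available on Windows 7 with PowerShell 2.0; the set of groups it checks is this example’s own choice.

```powershell
# Added example, not from the book: report the members and SID of the
# built-in local groups whose membership should be reviewed regularly.
# Uses the ADSI WinNT provider and .NET NTAccount, both present on
# Windows 7 / PowerShell 2.0 (no LocalAccounts module required).

# The set of groups to audit is this example's choice, not a Windows-defined list.
$sensitiveGroups = 'Administrators', 'Backup Operators',
                   'Remote Desktop Users', 'Cryptographic Operators'

$computer = $env:COMPUTERNAME

function Get-LocalGroupReport {
    param([string]$GroupName)

    # Resolve the group name to its SID. Built-in groups have well-known SIDs
    # (for example, S-1-5-32-544 for Administrators); a group you create
    # yourself receives a fresh SID every time it is re-created.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Enumerate members through ADSI. Each member is a COM object, so its
    # ADsPath is read via reflection and rewritten as Domain\Name (or
    # Computer\Name for local accounts).
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }

    New-Object PSObject -Property @{
        Group   = $GroupName
        SID     = $sid
        Members = ($members -join ', ')
    }
}

# Print one row per audited group; an unexpected name in Administrators or
# Backup Operators is the finding to follow up on.
foreach ($name in $sensitiveGroups) {
    Get-LocalGroupReport -GroupName $name
}
```

Run it on the workstation itself; reading local group membership does not require elevation, but changing membership (through Local Users And Groups) does.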