Users, Admins, Groups, and Permissions

Domain Users vs Local Users

Domain Users

  • Stored centrally in the Active Directory database on Domain Controllers
  • Can log into any domain-joined computer with the same credentials
  • Managed through Active Directory Users and Computers (ADUC) or PowerShell
  • Replicated across all DCs in the domain
  • Follow domain-wide security policies

Local Users

  • Exist only on individual servers/computers
  • Cannot access domain resources
  • Managed through Local Users and Groups (lusrmgr.msc)
  • Must be created separately on each machine

Domain Groups

Group Types:

  1. Security Groups
    • Used for assigning permissions and rights
    • Can also be used for email distribution
  2. Distribution Groups
    • Used only for email distribution lists
    • Cannot be used for security permissions

Group Scopes:

  1. Domain Local Groups
    • Can contain users/groups from any domain in the forest
    • Used to assign permissions to resources within the domain
    • There is usually a naming convention for these groups that follows the DC/ DG pattern
      • BEST PRACTICE FOR EFFICIENT ORGANIZATION
  2. Global Groups
    • Can contain only users/groups from the same domain
    • Can be used in any domain in the forest
  3. Universal Groups
    • Can contain users/groups from any domain in the forest
    • Can be used anywhere in the forest
    • Replicated to the Global Catalog

Default Users

Built-in User Accounts:

  • Administrator - Full control over domain (disabled by default in newer versions)
  • Guest - Limited access account (disabled by default)
  • krbtgt - Kerberos Key Distribution Center service account
  • DefaultAccount - System managed account (disabled)

Service Accounts (commonly created):

  • SQL service accounts
  • Exchange service accounts
  • Backup service accounts
  • Application-specific accounts

Default Groups

Key Built-in Groups:

Administrative Groups:

  • Domain Admins - Full admin rights across entire domain
  • Enterprise Admins - Full rights across entire forest
  • Schema Admins - Can modify AD schema
  • Administrators - Local admin group on DCs
  • Account Operators - Can manage user accounts
  • Server Operators - Can manage domain servers
  • Backup Operators - Can backup/restore files
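The groups above are the ones a defender should audit first. The script below is an added example (not part of the original notes) that lists their membership, expanding nested groups, and flags disabled or long-idle user accounts that still hold rights; it assumes the RSAT ActiveDirectory module on a domain-joined host and the default group names shown in this section.

```powershell
# Added example: audit membership of the privileged built-in groups listed above.
# Assumes the ActiveDirectory module (RSAT) and the default group names.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
)

$report = foreach ($name in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a lookup may legitimately miss; skip those quietly.
    $group = Get-ADGroup -Identity $name -Properties GroupCategory, GroupScope -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive expands nested groups, which is where stale or overlooked
    # membership usually hides.
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
        $row = [ordered]@{
            Group     = $group.Name
            Scope     = $group.GroupScope      # DomainLocal / Global / Universal
            Category  = $group.GroupCategory   # Security / Distribution
            Member    = $m.SamAccountName
            Class     = $m.objectClass         # user, computer, gMSA, ...
            Enabled   = $null
            LastLogon = $null
        }
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
            $row.Enabled   = $u.Enabled
            $row.LastLogon = $u.LastLogonDate
        }
        [pscustomobject]$row
    }
}

# What a reviewer wants first: disabled accounts still holding rights, and
# accounts with no logon in the last 90 days (threshold is an assumption).
$stale = $report | Where-Object {
    $_.Class -eq 'user' -and
    ($_.Enabled -eq $false -or ($_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90)))
}

$report | Sort-Object Group, Member | Format-Table -AutoSize
$stale  | Export-Csv -Path .\privileged-stale-members.csv -NoTypeInformation
```

Run it with an account that can read group membership (any domain user can, by default); the CSV is the list to review with the owners of each group.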

User Groups:

  • Domain Users - All domain users automatically added
  • Domain Guests - Guest access to domain
  • Domain Computers - All domain-joined computers

Special Groups:

  • Authenticated Users - Any authenticated user
  • Everyone - All users including anonymous
  • Interactive - Users logged on locally
  • Network - Users accessing over network