Groups

Groups are primarily an administrative conveniencethey are logical containers for
aggregating user accounts. (They can also be used to set up e-mail distribution lists in
Windows 2000 and later, which historically have had no security implications.)
Groups are also used to allocate privileges in bulk, which can have a heavy impact on
the security of a system. Windows in its various flavors comes with built-in groups,
predefined containers for users that also possess varying levels of privilege. Any account
placed within a group inherits those privileges. The simplest example of this is the
addition of accounts to the local Administrators group, which essentially promotes the
added user to all-powerful status on the local machine. (Youll see this attempted many
times throughout this book.) Table 2-2 lists built-in groups in Windows Server 2003.
Other versions of Windows may have fewer or different built-in groups, but those listed
in Table 2-2 are the most common.
When a Windows Server system is promoted to a domain controller, a series of predefined
groups are installed as well. The most powerful predefined groups include the Domain
n, and the Enterprise Admins, who are all-
Admins, who are all-powerful on a domai
powerful throughout a forest. Table 2-3 lists the Windows Server 2003 predefined groups.