Domain Groups

This video looks at the groups created in Active Directory that are available to all computers in your domain.


Enterprise Admins 00:46

Schema Admins 01:33

Domain Admins 02:12

Domain Users 02:58

Domain Guests 03:32

Domain Computers 04:40

Domain Controllers 05:09

Read-only Domain Controllers 05:35

Enterprise Read-Only Domain Controllers 06:13

Allowed RODC Password Replication Group 06:48

Denied RODC Password Replication Group 07:43

DNSAdmins 08:22

DNSUpdateProxy 08:54

DHCP Administrators 09:24

DHCP Users 10:29

Group Policy Creator Owners 10:51

Cert Publishers 11:10

RAS and IAS Servers 11:30

Enterprise Admins
This group is the most powerful group in Active Directory. It is automatically made a member of the Domain Administrators group for all domains in the forest thus giving members of this group administrator’s rights on all domains in the forest. This group also has additional rights forest wide like changing forest wide information and adding/removing domains from the forest.

Schema Admins
This is the only group that can make changes to the schema. The schema defines the Active Directory database. This group only exists in the root domain of the forest.

Domain Admins
The domain admins group has administrator’s rights to all users and computers in the domain including domain controllers. When a computer is added to the domain, this group is added to the local administrators group on that computer.

Domain Users
Members of this group can log in to workstations, run applications and change computer settings that relate to them. This group is automatically added to the local Users group on a computer when it is added to the domain.

Domain Guests
This group has no rights or permissions in the domain. It is not added to the local Guests group on any computer when that computer is added to the domain, and thus does not have any rights on any computer in the domain. For this reason, a user that is added to this group will not be able to log in to any computer in the domain unless they are a member of another group that grants them this right.

Domain Computers
This group contains all the computers in the domain except domain controllers. When you add a computer to the domain, the computer account for that computer automatically gets added to this group.

Domain Controllers
This group contains the computer accounts for all the domain controllers in the domain, except for domain controllers that are read-only domain controllers. When a server is promoted to a domain controller, if its computer account is in the Domain Computers group, it will be moved into the Domain Controllers group.

Read-only Domain Controllers
This group contains all the read-only domain controllers in your domain. This group does not contain writeable domain controllers or computer accounts.

Enterprise Read-Only Domain Controllers
This group exists only in the root of the forest. It has no members by default; even if you add read-only domain controllers to the root domain, the computer accounts for those read-only domain controllers do not get added to this group.

Allowed RODC Password Replication Group
Members of this group will have their password cached on the read-only domain controller when they are authenticated using that read-only domain controller. Remember that the password attribute is not normally replicated to a read-only domain controller. This means that during a network outage, when a writeable domain controller is not available, they will still be able to authenticate against the read-only domain controller.

Denied RODC Password Replication Group
If a user account is a member of this group, their password will not be cached on a read-only domain controller. Passwords are not cached on a read-only domain controller unless it has been configured to cache them. If a user is a member of this group and password caching has been configured, their password will still not be cached. Deny always overrides allow.
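The allow/deny evaluation described above, as an added example that is not part of the lesson. It assumes the ActiveDirectory RSAT module, read access to the domain, and considers only the two default domain-wide groups (per-RODC policy entries are not evaluated).

```powershell
# Added example, not from the lesson. Assumes the ActiveDirectory module is installed.
# Only the two default domain-wide groups are evaluated; per-RODC policy entries are
# not considered here.
Import-Module ActiveDirectory

function Test-RodcPasswordCaching {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Recursive membership matters: a user nested inside a group that is itself
    # in the Denied group is still denied.
    $denied  = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $allowed = Get-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Recursive |
               Select-Object -ExpandProperty SamAccountName

    $isDenied  = $denied  -contains $SamAccountName
    $isAllowed = $allowed -contains $SamAccountName

    # Deny always overrides allow.
    [pscustomobject]@{
        User    = $SamAccountName
        Allowed = $isAllowed
        Denied  = $isDenied
        Cached  = ($isAllowed -and -not $isDenied)
    }
}

# Defender check: every member of Domain Admins should be explicitly denied.
# Any row returned here is a privileged account whose password could be cached on an RODC.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { Test-RodcPasswordCaching -SamAccountName $_.SamAccountName } |
    Where-Object { -not $_.Denied }
```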

DNSAdmins
Members of this group can perform basic DNS administration on DNS servers in the domain, including starting and stopping the DNS service. If the DNS records are stored in Active Directory, they may not be able to modify these DNS records, as this would require additional access.

DNSUpdateProxy
Due to legacy permissions, some servers may not have enough access to perform dynamic DNS updates on behalf of clients. This is the case with Windows Server 2000. If you have a DHCP server running Windows Server 2000, add the computer account for this server to this group to provide the additional access the DHCP server needs to perform dynamic updates of DNS records.

DHCP Administrators
Members of this group can perform DHCP administration on your DHCP server. This includes changing DHCP records on the server. If the DHCP server creates a dynamic DNS record on a DNS server, being a member of this group does not give you permission to that DNS record, even though the DHCP server created it. Members of this group cannot authorize a DHCP server in Active Directory. In order to do this, the user needs to be a member of the Domain Admins group.

DHCP Users
Members of this group can log in to the DHCP server and read the records on the DHCP server. They cannot make changes to DHCP records.

Group Policy Creator Owners
This group allows members to make changes to group policy in the domain. The domain administrator is automatically added to this group.

Cert Publishers
Members of this group can publish certificates in Active Directory for users and computers. The certificate can be generated from an internal certificate authority or purchased from an external certificate authority.

RAS and IAS Servers
Certain remote access properties are stored in Active Directory. Members of this group are able to read these properties for the user.
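An added membership audit for the high-privilege default groups covered in this lesson (Enterprise Admins, Schema Admins, Domain Admins, DNSAdmins and Group Policy Creator Owners); this is example code, not from the lesson. It assumes the ActiveDirectory RSAT module, and the approved-member baseline is a constructed placeholder.

```powershell
# Added example, not from the lesson. Assumes the ActiveDirectory module and read
# access to the forest root and the current domain.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so those two are looked up there; the rest are per-domain groups.
$forestRoot = (Get-ADForest).RootDomain
$watched = @(
    @{ Name = 'Enterprise Admins';           Server = $forestRoot },
    @{ Name = 'Schema Admins';               Server = $forestRoot },
    @{ Name = 'Domain Admins';               Server = $null },
    @{ Name = 'DNSAdmins';                   Server = $null },
    @{ Name = 'Group Policy Creator Owners'; Server = $null }
)

function Get-PrivilegedGroupMembers {
    foreach ($g in $watched) {
        # Recursive membership so nested groups cannot hide a member.
        $params = @{ Identity = $g.Name; Recursive = $true }
        if ($g.Server) { $params.Server = $g.Server }
        Get-ADGroupMember @params | ForEach-Object {
            [pscustomobject]@{
                Group  = $g.Name
                Member = $_.SamAccountName
                Class  = $_.objectClass
            }
        }
    }
}

# Constructed baseline of approved members; replace with the accounts your
# organisation has actually approved for these groups.
$baseline = @('Administrator')

# Anything listed here is a privileged-group member not on the approved list
# and should be investigated (or fed to your SIEM as a scheduled check).
Get-PrivilegedGroupMembers |
    Where-Object { $baseline -notcontains $_.Member } |
    Sort-Object Group, Member |
    Format-Table -AutoSize
```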

