I originally wrote this blog post when System Center 2012 R2 Configuration Manager's (SCCM) Role-Based Administration (RBA) feature was relatively new. Since then, RBA has become widely used, so I thought the time was right to revisit this post. Here I'll demonstrate how to add a SQL Server Reporting Services (SSRS) execution or computer account to the Windows Authorization Access Group. Doing this allows SCCM's RBA feature to work correctly with ConfigMgr / SCCM security users and roles.
In order for ConfigMgr to apply RBA to SSRS reports, the SSRS execution or computer account must first determine who is running the report, and then look up which SCCM rights that user holds before returning the report results. The first step depends on the account being able to read the user's computed group membership from Active Directory.
In some cases, however, after upgrading to SCCM Current Branch, when you run a SSRS report you may receive the following error message:
The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: The specified directory service attribute or value does not exist.
The solution to this problem is to add the execution or computer account to the Windows Authorization Access Group, a built-in Active Directory (AD) security group. Add only the specific account that SSRS runs as: membership in this group lets an account read the computed group membership of any user in the domain, so it should not be granted to broad groups such as Domain Users. The online documentation for Windows Authorization Access Group says:
Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
In ConfigMgr terms, membership lets the SSRS execution account read the computed tokenGroupsGlobalAndUniversal attribute of the user who is running the report. SSRS uses that group list to identify the user, and RBA then checks which ConfigMgr objects (collections, software update groups, and so on) that user is allowed to access before the report is rendered.
Below are the steps and my screenshots from the original blog post. Even though I was using SCCM 2012 R2 at the time, the steps are still the same with Current Branch.
Open Active Directory Users and Computers (ADUC), and browse to the Builtin container. Double-click on the Windows Authorization Access Group.
Click on the Members tab.
Click Add…
Add the execution or computer account and click OK twice to return to ADUC.
From this point forward the ConfigMgr SSRS account will be able to read the user's token groups from AD and the reports will work correctly. Group membership is evaluated when a logon token is built, so restart the SQL Server Reporting Services service (or reboot the server if you added the computer account) before re-testing the report.
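The same change, done and verified from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that the SSRS execution account is CONTOSO\svc_ssrs, that the reporting point computer is SRV-SSRS01, and that jdoe is a test user; all of those names are assumptions.

```powershell
# Added example (not from the original post). Assumed names: the SSRS execution
# account svc_ssrs, the reporting point computer SRV-SSRS01, and a test user jdoe.
Import-Module ActiveDirectory

# The group is built-in and has a fixed well-known SID, so address it by SID
# rather than by display name (the name is localized on non-English DCs).
$waagSid = 'S-1-5-32-560'
$waag    = Get-ADGroup -Identity $waagSid

# Add only the account SSRS actually runs as: the execution account if you
# configured one, otherwise the computer account of the reporting point.
Add-ADGroupMember -Identity $waag -Members 'svc_ssrs'       # service account
# Add-ADGroupMember -Identity $waag -Members 'SRV-SSRS01$'  # computer account variant

# Confirm the membership on the DC you are talking to.
Get-ADGroupMember -Identity $waag | Select-Object SamAccountName, objectClass

# Verify the fix from the account's point of view. Run this part in a session
# started with the execution account's credentials, for example:
#   runas /user:CONTOSO\svc_ssrs powershell.exe
# (a new logon, so the fresh group membership is in its token).
$user  = Get-ADUser -Identity 'jdoe'
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"

# tokenGroupsGlobalAndUniversal is a constructed attribute: the DC computes it
# on request, so it must be asked for explicitly. Without WAAG membership the
# read is denied, which is what surfaces in SSRS as the UserTokenSIDs error.
try {
    $entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
    $entry.Properties['tokenGroupsGlobalAndUniversal'] | ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($_, 0)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}
catch {
    Write-Warning "Cannot read tokenGroupsGlobalAndUniversal as $env:USERDOMAIN\$env:USERNAME. $($_.Exception.Message)"
}
```

The second half of the script is the useful check: if it lists the test user's global and universal groups when run as the execution account, SSRS will be able to resolve the UserTokenSIDs parameter; if it warns with an access-denied message, the membership has not taken effect yet (replication or a stale token) or the wrong account was added.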
If you have any questions, please feel free to contact me @GarthMJ.
Do you have an idea for a blog post about a System Center Configuration Manager query or reporting topic? Let me know. Your idea might become the focus of my next blog post!
Additional ConfigMgr Resources
Learn more about how to better use ConfigMgr.
Overview
- ConfigMgr / SCCM Overview
Inventory
- Creating a Subselect Query for WQL
Reporting
- How Can I Install Report Builder?
- How to Install a SCCM Reporting Services Point
- Dynamic Images to SSRS Report for SCCM
- Editing SCCM Reports with Report Builder
- Fixing the SCCM Reporting Services Point
Scripting
- Best Feature of SCCM: Run Scripts
Security/Permissions
- Grant Permission to One SCCM SSRS Report
Software
- How to Download a Software Update Outside of the SCCM Console
- The Facts on SCCM Software Inventory
External Integration
- How to Integrate SCCM Data with ServiceNow
The Windows Authorization Access Group (WAAG) is a built-in security group introduced in Windows Server 2003. Members of this group are allowed to look up the computed group membership of any user in the domain.
Default security groups. Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
What is an administered group used to manage cache permissions and resource usage?
A cache pool is an administrative entity used to manage groups of cache directives.
How do I set group permissions in Active Directory?
Go to AD Mgmt > File Server Management > Modify NTFS permissions. Choose which folders you want to enable a user or group access to. Now go to the Accounts section and choose the users or groups you want to grant permission to access the folder. Finalize the changes by clicking Modify.
Which built in security group has the highest level of rights in an Active Directory domain?
Securing the Domain Admins membership is crucial to maintaining an effective security posture. The most powerful group in an Active Directory forest is the Enterprise Admins universal group followed by Schema Admins, which has the ability to modify the underlying attributes of any Active Directory object.
What is a group in Windows What are the different groups in Windows?
To expand on this knowledge, in Windows operating systems, a user group is a collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights. … Local groups — are the user groups that exist on your Windows computer or device.
How do I find my Active Directory security Group?
You can check group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest and drilling down into the object’s properties and clicking the “Members” or “Member Of” tab.
What is the difference between a role in RBAC and a group commonly used in Unix?
A group is a collection of users with a given set of permissions assigned to the group (and transitively, to the users). A role is a collection of permissions, and a user effectively inherits those permissions when he acts under that role.
What is a cache pool?
Cache Pools are the logical repositories of cache items. They perform all the common operations on items, such as saving them or looking for them. … Therefore, applications can keep using the same cache pool even if the underlying cache mechanism changes from a file system based cache to a Redis or database based cache.
How do I see group permissions in Active Directory?
From Active Directory Users and Computers, open the View menu and make sure Advanced Features is ticked. With this enabled, the Security tab is shown when you choose Properties on objects in Active Directory. Right-click the OU on which you delegated permissions, choose Properties, and then open the Security tab.
How do I access local users and groups on a domain controller?
A domain controller has no separate local account database to manage: once a server is promoted, the Local Users and Groups snap-in is no longer available and accounts and groups are administered in Active Directory Users and Computers instead. To control who may log on to a domain controller, edit the domain controller security policy: in the Domain Security window, click the Allow log on locally policy, then click Actions > Properties. In the Allow log on locally Properties window, click Add User or Group, click Browse, and in the Select Users, Computers, or Groups window click Advanced and then Find Now.
How do I change the security group permissions in Active Directory?
Editing a Security Group
To edit an existing security group, choose the group from the Select Group to Edit drop-down list. Make the desired changes and then choose Admin > Security Groups > Save.
Which three principal user security groups are created when Windows is installed?
Users, Administrators, and Guests. The main tool for managing them is the Local Users and Groups management console.
What is protected group in Active Directory?
Within Active Directory, a default set of highly privileged accounts and groups are considered protected accounts and groups.
What is the highest privilege on a Windows system?
The highest hardware privilege level is number zero, known as ring 0 on x86 processors; both Windows and Linux run their kernels there (kernel mode), while user-space programs on both systems run at CPL 3 (user mode). In terms of accounts, the LocalSystem account (NT AUTHORITY\SYSTEM) is the most privileged security principal on a Windows computer, and membership in the local Administrators group is the highest privilege a user account normally holds.
What does Domain users group do?
Domain Users group (AD)
Description: A global security group that, by default, contains every user account in the domain; a newly created user is added to it automatically. Domain Users is normally the user's primary group (primaryGroupID 513), and a primary group membership is stored in that attribute on the user rather than in the group's member list, so tools that only enumerate the member attribute do not show it.
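The following PowerShell, added here as an example and not part of the original page, lists a user's groups three ways so that neither the primary group nor nested groups are missed. It assumes the RSAT ActiveDirectory module and a user named jdoe; both are assumptions.

```powershell
# Added example (not from the original page). Assumptions: RSAT ActiveDirectory
# module, a user jdoe.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'jdoe' -Properties memberOf, primaryGroupID

# 1. Groups that list the user in their member attribute (the memberOf back-link).
$direct = foreach ($dn in $user.memberOf) { (Get-ADGroup -Identity $dn).SamAccountName }

# 2. The primary group. It is stored as a RID in primaryGroupID, not in memberOf,
#    so tools that only read member/memberOf never show it (513 = Domain Users).
$domainSid = (Get-ADDomain).DomainSID.Value
$primary   = (Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)").SamAccountName

# 3. Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN: every group that
#    contains the user directly or through nesting. Together with the primary
#    group this is what ends up in the user's access token.
#    DN characters that are special in an LDAP filter must be escaped.
$userDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
          Select-Object -ExpandProperty SamAccountName

[PSCustomObject]@{
    User         = $user.SamAccountName
    PrimaryGroup = $primary
    Direct       = ($direct | Sort-Object) -join ', '
    NestedOnly   = (($nested | Where-Object { $_ -notin $direct }) | Sort-Object) -join ', '
}
```

The NestedOnly column is the part that the Members / Member Of tabs in ADUC do not show directly: rights granted to those groups apply to the user even though the user never appears in their member lists.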
What can group policy be used for?
Group Policy is a central configuration tool that is widely used to enforce security settings: it lets administrators define security policies for users and for computers and apply them across a site, domain, or organizational unit.
What is the purpose of creating groups in Windows 10?
Generally, group accounts are created to facilitate the management of similar types of users. The types of groups that can be created include the following: Groups for departments within the organization: Generally, users who work in the same department need access to similar resources.
It is super important to be familiar with the default security groups of Active Directory and their purpose. Here is a handy review for you! While I am sure you are familiar with most of them, some might be a surprise and perhaps you have never needed them in your enterprise. The exam, of course, does not care! Be sure to locate the READ MORE link, as this list DOES NOT end after Domain Users. 🙂
- Access Control Assistance Operators – Members of this group can remotely query authorization attributes and permissions for resources on the computer.
- Account Operators – The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
- Administrators – Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
- Allowed RODC Password Replication Group – The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
- Backup Operators – Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
- Certificate Service DCOM Access – Members of this group are allowed to connect to certification authorities in the enterprise.
- Cert Publishers – Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
- Cloneable Domain Controllers – Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
- Cryptographic Operators – Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
- Denied RODC Password Replication Group – Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
- Distributed COM Users – Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
- DnsUpdateProxy – Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario. However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
- DnsAdmins – Members of the DnsAdmins group have administrative access to the DNS service and its zone data. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. Treat membership as equivalent to domain admin: a DnsAdmin can configure the DNS server on a domain controller to load an arbitrary DLL (the ServerLevelPluginDll setting), and that DLL runs inside dns.exe as SYSTEM on the domain controller.
- Domain Admins – Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
- Domain Computers – This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
- Domain Controllers – The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
- Domain Guests – The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
- Domain Users – The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group. By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).
- Enterprise Admins – The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
- Enterprise Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
- Event Log Readers – Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
- Group Policy Creator Owners – Members of this group can create Group Policy Objects in the domain and, as owners, edit or delete the GPOs they created. By default, the only member of the group is Administrator. Creating a GPO does not by itself grant the right to link it to a site, domain, or OU; that is a separate permission on the container.
- Guests – Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account. When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the %userprofile% directory, including the user’s registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting Do not logon users with temporary profiles when it is enabled. This setting is located under the following path: Computer Configuration\Administrative Templates\System\User Profiles
- Hyper-V Administrators – Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
- IIS_IUSRS – IIS_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR_MachineName account and the IIS_WPG group with the IIS_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS_IUSRS.
- Incoming Forest Trust Builders – Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
- Network Configuration Operators – Members of the Network Configuration Operators group have limited administrative rights to manage the configuration of networking features, such as changing the IP address of a connection.
- Performance Log Users – Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group.
- Performance Monitor Users – Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.
- Pre–Windows 2000 Compatible Access – Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default the special identity Authenticated Users is a member of this group (Everyone, if pre-Windows 2000 compatible permissions were chosen when the domain was created), which is what lets any domain account enumerate every user and group in the domain; audit its membership. Add users to this group only if they are running Windows NT 4.0 or earlier.
- Print Operators – Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. Because they can load and unload device drivers on domain controllers, treat this group as highly privileged and add members with caution.
- Protected Users – Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
- RAS and IAS Servers – Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
- RDS Endpoint Servers – Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
- RDS Management Servers – Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
- RDS Remote Access Servers – Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
- Read-Only Domain Controllers – This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
- Remote Desktop Users -The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
- Remote Management Users – Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
- Replicator – Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
- Schema Admins – Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
- Server Operators – Members of the Server Operators group can administer domain servers. This group exists only on domain controllers and by default has no members. Members can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. It has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers.
- Terminal Server License Servers – Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
- Users – Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.
- Windows Authorization Access Group – Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
- WinRMRemoteWMIUsers_ – In Windows 8 and in Windows Server 2012, a Share tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
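The following PowerShell is an added example, not code from the original post. It shows the two halves of the fix for the `UserTokenSIDs` error: reading the constructed `tokenGroupsGlobalAndUniversal` attribute the way an application such as SSRS does (so you can reproduce the failure and confirm the fix), and adding the report execution account to Windows Authorization Access Group. It assumes the RSAT `ActiveDirectory` module is installed; the service account `svc-ssrs`, the domain `CONTOSO` and the user `jdoe` are hypothetical.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and that the SSRS execution identity is a hypothetical service account
# 'svc-ssrs'; for a computer account pass its name with the trailing '$' (e.g. 'SSRS01$').
Import-Module ActiveDirectory

$ReportAccount = 'svc-ssrs'                            # hypothetical
$WaagName      = 'Windows Authorization Access Group'  # built-in domain local group

# Reads the constructed attribute the way an application does: it is not returned by a
# normal search and must be requested explicitly. A caller without read access to it fails
# with 'The specified directory service attribute or value does not exist'
# (ERROR_DS_NO_ATTRIBUTE_OR_VALUE), which is the error SSRS surfaces through the
# UserTokenSIDs report parameter.
function Get-TokenGroupsGlobalAndUniversal {
    param([Parameter(Mandatory)][string]$UserDistinguishedName)
    $entry = [ADSI]"LDAP://$UserDistinguishedName"
    try {
        $entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
    }
    catch {
        throw "Cannot read tokenGroupsGlobalAndUniversal on '$UserDistinguishedName': $($_.Exception.Message)"
    }
    $values = $entry.Properties['tokenGroupsGlobalAndUniversal']
    if ($values.Count -eq 0) {
        throw "tokenGroupsGlobalAndUniversal was not returned for '$UserDistinguishedName'; the calling account is probably not a member of '$WaagName'"
    }
    foreach ($raw in $values) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        [pscustomobject]@{
            Sid  = $sid.Value
            Name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' })
        }
    }
}

# Adds a user or computer account to the group. Group membership is evaluated when a token
# is built, so restart the SSRS service (or reboot, for a computer account) afterwards.
function Add-ToWindowsAuthorizationAccessGroup {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    if (-not $principal) { throw "Account '$SamAccountName' was not found in the domain" }
    $waag = Get-ADGroup -Identity $WaagName -Properties member
    if ($waag.member -contains $principal.DistinguishedName) {
        Write-Host "$SamAccountName is already a member of $WaagName"
        return
    }
    Add-ADGroupMember -Identity $waag -Members $principal
    Write-Host "Added $SamAccountName to $WaagName"
}

# 1. As an account allowed to modify the group (Domain Admins by default):
Add-ToWindowsAuthorizationAccessGroup -SamAccountName $ReportAccount

# 2. Restart SSRS, then in a session running as the report account
#    (e.g. runas /user:CONTOSO\svc-ssrs powershell.exe) verify the read now succeeds
#    for a report user; 'jdoe' is a hypothetical user.
Get-TokenGroupsGlobalAndUniversal -UserDistinguishedName (Get-ADUser -Identity 'jdoe').DistinguishedName |
    Format-Table -AutoSize
```

Run the verification step as the execution account rather than as yourself: a domain administrator can read the attribute regardless, so a successful read in your own session proves nothing about SSRS. The SIDs returned are exactly the global and universal group SIDs that the `UserTokenSIDs` parameter feeds into the RBA filtering of the report.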
In large distributed computing environments such as a Windows domain, consisting of many subjects and even more objects, the management of authorization data may become a very tedious and time-consuming task. With the exception of the full control permission that is automatically given to the owner of the object, all other permissions must be set manually by an administrator or by the object’s owner. To ease authorization management, Windows includes the following authorization intermediaries: groups and user rights.
- Groups provide a way to group entities with similar capabilities. They facilitate authorization management of object permissions. Administrators typically add all authenticated Windows entities (users and machines) that have similar resource permissions or user rights to the same group.
- User rights define the capabilities of subjects to manage system resources and to perform system-related tasks. For instance, who can log on locally to a domain controller? Who can change the system time? Who can load device drivers? They facilitate authorization management for system resources and system-related tasks. User rights should not be confused with access rights or permissions: user rights apply to a computer system; access rights apply to an object.
Group intermediaries can be used to ease the administration of user rights intermediaries. For example, you can give all the members of the IT support department the right to add computers to the domain.
10.5.1 Groups
The following list gives an overview of the four major differences between the way groups are implemented in NT4 and in Windows 2000/Windows Server 2003.
Windows 2000 and Windows Server 2003 support two types of groups: security groups and distribution groups. Distribution groups are mail-oriented; they reflect the tight integration of the Microsoft Exchange mail server (Exchange 2000 and Exchange 2003) with the Windows operating system. Unlike a security group, a distribution group is not security-enabled: although it has an object SID in AD, that SID is never added to a user's access token, so the group cannot be used in any security-related process (authorization or delegation).
Windows 2000 and Windows Server 2003 support four types of security groups. They are listed in Table 10.9 together with their usage scope (where can I use the group?), their content scope (what can be contained in the group?), and the database or file that holds the group definition and membership.
Table 10.9: Windows 2000/Windows Server 2003 Security Groups

| Group | Usage Scope | Content Scope | Group Definition Storage* | Group Membership Storage |
|---|---|---|---|---|
| Universal groups | Global (anywhere in the forest, trusted domains or trusted forests) | Principals from any domain in the forest; universal groups; global groups from any domain in the forest | AD domain NC, Global Catalog | AD domain NC, Global Catalog |
| Global groups | Global (anywhere in the forest, trusted domains or trusted forests) | Principals from the same domain; global groups from the same domain | AD domain NC, Global Catalog | AD domain NC |
| Domain local groups | Local domain | Principals from any domain in the forest; universal groups; global groups from any domain in the forest; domain local groups from the same domain | AD domain NC, Global Catalog | AD domain NC |
| Local groups | Local computer | Principals from any domain in the forest; universal groups; global groups from any domain in the forest | SAM | SAM |

\* This means: where the group's name, type and SID are stored.
The usage scope deserves some more explanation. A global usage scope means that the group can be used in the ACL of any object, anywhere in the forest (or trusted domains or trusted forests). A local usage scope means that the group can be used only in the ACL of an object in the local domain (for a domain local group) or in the ACL of an object on the local computer (for a local group).
Windows 2000 and Windows Server 2003 groups can be nested. An administrator can, for instance, create a global group Employees and embed two other global groups in it: Consultants and Managers. This feature is only available if your domain does not include any NT4 domain controllers. The group scope and group type of domain local, global, and universal security and distribution groups can be changed, as long as the domain does not include any NT4 domain controllers. Furthermore, the group and its members must meet the criteria for the usage scope and content scope that the group will have after the conversion takes place. For example, you cannot convert a domain local group to a universal group if the domain local group contains another domain local group as a member. Similarly, you cannot convert a universal group to a global group if the universal group is a member of another universal group in a different domain. The supported conversions are:
- A universal group can be converted to a domain local or a global group.
- A domain local group can be converted to a universal group.
- A global group can be converted to a universal group.
- A security group can be converted to a distribution group and the other way around. Before a security group is converted to a distribution group, Windows warns you about the possible authorization consequences of doing so (as illustrated in Figure 10.29).
Figure 10.29: Security to distribution group conversion warning.
A special note should be made on local groups. As Table 10.9 shows, local groups are very different from the three other group categories. They are only meaningful on the local computer, cannot contain other local groups (they can contain domain groups), and are stored in the SAM. Local groups are sometimes referred to as aliases, which is the SAM's own name for this kind of object.
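The conversion rules above are easy to get wrong on a live group, because `Set-ADGroup -GroupScope` simply fails with a generic error when a content or usage rule is violated. The PowerShell below is an added example (not part of the original text) that checks the rules stated above before attempting the change, and adds one further rule from the Microsoft documentation that the text does not mention: a global group that is itself nested in another global group cannot be made universal. It assumes the RSAT `ActiveDirectory` module; the group name `Employees` is hypothetical.

```powershell
# Added example (not from the original text). Assumes the RSAT ActiveDirectory module;
# the group 'Employees' used at the end is hypothetical.
Import-Module ActiveDirectory

function Get-DomainOfDN { param([string]$DN) return ($DN -replace '^.*?,(DC=.*)$', '$1') }

# groupType flag bits: 0x2 global, 0x4 domain local, 0x8 universal (0x80000000 = security-enabled)
function Get-ScopeFromGroupType {
    param([int]$GroupType)
    if ($GroupType -band 0x2) { return 'Global' }
    if ($GroupType -band 0x4) { return 'DomainLocal' }
    if ($GroupType -band 0x8) { return 'Universal' }
    return 'Unknown'
}

# Returns the conditions that block the requested scope change (an empty array when allowed).
function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('DomainLocal','Global','Universal')][string]$TargetScope
    )
    $g      = Get-ADGroup -Identity $Identity -Properties member, memberOf
    $domain = Get-DomainOfDN $g.DistinguishedName
    # Members that are groups themselves, with their scope; member DNs always exist, so -Identity is safe.
    $memberGroups = foreach ($dn in $g.member) {
        $o = Get-ADObject -Identity $dn -Properties groupType
        if ($o.ObjectClass -eq 'group') {
            [pscustomobject]@{ Name = $o.Name; DN = $dn; Scope = Get-ScopeFromGroupType $o.groupType }
        }
    }
    $parentGroups = foreach ($dn in $g.memberOf) { Get-ADGroup -Identity $dn }
    $blockers = @()

    switch ("$($g.GroupScope)->$TargetScope") {
        'DomainLocal->Universal' {
            # A universal group cannot contain domain local groups.
            foreach ($m in ($memberGroups | Where-Object Scope -eq 'DomainLocal')) {
                $blockers += "member '$($m.Name)' is a domain local group"
            }
        }
        'Universal->Global' {
            # Must not be nested in a universal group of another domain, and a global group
            # may only hold same-domain principals and same-domain global groups.
            foreach ($p in ($parentGroups | Where-Object { $_.GroupScope -eq 'Universal' -and (Get-DomainOfDN $_.DistinguishedName) -ne $domain })) {
                $blockers += "group is a member of universal group '$($p.Name)' in another domain"
            }
            foreach ($m in ($memberGroups | Where-Object Scope -eq 'Universal')) {
                $blockers += "member '$($m.Name)' is a universal group"
            }
            foreach ($dn in ($g.member | Where-Object { (Get-DomainOfDN $_) -ne $domain })) {
                $blockers += "member '$dn' belongs to another domain"
            }
        }
        'Universal->DomainLocal' { }   # always allowed: a domain local group can hold everything a universal group can
        'Global->Universal' {
            # Rule from the Microsoft documentation, not stated in the text above: a global group
            # nested in another global group cannot be made universal.
            foreach ($p in ($parentGroups | Where-Object GroupScope -eq 'Global')) {
                $blockers += "group is a member of global group '$($p.Name)'"
            }
        }
        default {
            $blockers += "$($g.GroupScope) -> $TargetScope is not a supported direct conversion; convert via Universal first"
        }
    }
    return ,$blockers
}

# Dry run against a hypothetical group; drop -WhatIf to apply the change.
$blockers = Test-ADGroupScopeConversion -Identity 'Employees' -TargetScope Universal
if ($blockers.Count -eq 0) {
    Set-ADGroup -Identity 'Employees' -GroupScope Universal -WhatIf
} else {
    $blockers | ForEach-Object { Write-Warning $_ }
}
```

Converting global to domain local (or the reverse) is done in two steps through the universal scope, which the function reports rather than attempting. Remember that a scope change also changes where membership is stored (Table 10.9): making a group universal pushes its membership into the Global Catalog and therefore into forest-wide replication.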
Groups in Windows 2000 mixed and native mode
Whether the group features listed in the previous section are available depends on whether your Windows domain contains NT4 domain controllers or not. In Windows Server 2003 terms: they depend on the functional level of your Windows domain. For more information on the Windows Server 2003 functional levels, see Chapter 2 of this book. Table 10.10 gives an overview of the Windows group features and their availability.
Table 10.10: Effect of the Windows Domain Modes on Windows Group Features

| All Domains Supporting NT4 DCs | Domains Including Only Windows 2000 or Windows Server 2003 DCs |
|---|---|
| Three group scopes: global, local and universal* | Four group scopes: global, domain local, local, and universal |
| Two group types: security and distribution | Two group types: security and distribution |
| Domain controllers share local groups | Domain computers share domain local groups |
| Custom local groups can be defined on any machine | Custom local groups can be defined on any machine with the exception of domain controllers |
| Groups of the same type cannot be nested | Groups of the same type can be nested |
| Group scope and type cannot be changed | Group scope and type can be changed |

\* Universal groups can be created in mixed mode domains, but these can only be universal distribution groups.
Built-in security groups
The goal of this section is not to provide a complete overview of the built-in Windows 2000 and Windows Server 2003 security groups. We will focus on the differences with NT4. Table 10.11 lists the new Windows 2000 built-in security groups; Table 10.12 lists the new Windows Server 2003 built-in security groups.
Table 10.11: New Built-In Windows 2000 Groups

| Built-In Group Name | Group Scope | Meaning |
|---|---|---|
| Pre-Windows 2000 Compatible Access | Domain Local | Members of this group have read access to most attributes on user and group AD objects. |
| Enterprise Admins | Universal | Exists only in the root domain of an AD forest. Members can make forest-wide changes and change the AD configuration naming context. |
| Schema Admins | Universal | Exists only in the root domain of an AD forest. Members can change the AD schema naming context. |
| Group Policy Creator Owners | Global | Members are authorized to create new Group Policy Objects in the AD. |
| Domain Controllers | Global | Includes all domain controllers of the domain. |
| Domain Computers | Global | Includes all computers that are joined to the domain, with the exception of domain controllers. |
| DnsAdmins | Domain Local | Members can administer the Windows 2000 DNS service. |
| Replicator | Domain Local | Supports file replication in a domain. |
| Cert Publishers | Domain Local | Members are permitted to publish certificates to Active Directory. |
| RAS and IAS Servers | Domain Local | Servers in this group can access the remote access properties of users. |
| DnsUpdateProxy | Global | DNS clients that are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). |
Table 10.12: New Built-In Windows Server 2003 Groups

| Built-In Group Name | Group Scope | Meaning |
|---|---|---|
| HelpServicesGroup | Domain Local | Group for the Help and Support Center. |
| IIS_WPG | Domain Local | IIS Worker Process Group. |
| TelnetClients | Domain Local | Members of this group have access to Telnet Server on this system. |
| Windows Authorization Access Group | Domain Local | Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on user objects. |
| Terminal Server License Servers | Domain Local | Terminal Server License Servers. |
| Remote Desktop Users | Domain Local | Members of this group are granted the right to log on remotely. |
| Performance Monitor Users | Domain Local | Members of this group have remote access to monitor this computer. |
| Performance Log Users | Domain Local | Members of this group have remote access to schedule logging of performance counters on this computer. |
| Network Configuration Operators | Domain Local | Members of this group have some administrative privileges to manage the configuration of networking features. |
| Incoming Forest Trust Builders | Domain Local | Members of this group can create incoming, one-way trusts to the forest. |
The Domain Controllers, Domain Computers and Domain Users groups are used as the primary group of the respective security principals. AD objects are therefore not explicit members of these groups: the OS computes their membership dynamically, and every AD object can have only one of them as its primary group. The Pre-Windows 2000 Compatible Access group also deserves some more explanation. It enables applications that cannot run under the AD authorization settings enforced by a Windows 2000 domain controller to run in a Windows 2000 or Windows Server 2003 environment. If the application's security identity is a member of this group, the application is able to read AD user and group objects. Keep this group's membership tight: if Everyone or Anonymous Logon is made a member, unauthenticated callers gain that read access to your user and group objects as well.
Well-known security principal groups
A very powerful type of group is the well-known security principal group, whose membership is controlled automatically by the operating system. A user becomes a member of such a group when he or she meets a certain condition (for example, logging on over the network). Although their membership cannot be controlled, they can be used, like any other group, for delegation and authorization settings. An interesting characteristic of these groups is the way they are replicated between AD instances: even though they may match thousands of objects, their membership is not replicated. Like the three primary groups (Domain Users, Domain Controllers and Domain Computers) mentioned above, the OS computes their membership dynamically. The well-known security principals are stored in the WellKnown Security Principals container of the AD configuration naming context. The Windows 2000 well-known security principals are listed in Table 10.14; the ones that are new in Windows Server 2003 are listed in Table 10.13.
Table 10.13: Well-Known Security Principal Groups: Windows Server 2003

| Well-Known Security Principal Group | Membership and Meaning |
|---|---|
| Digest Authentication | Digest is another authentication package. This security principal allows specifying who can log on using Digest and who cannot. |
| Network Service | For services that do not require Local System but do need network access. |
| NTLM Authentication | Allows setting special permissions for down-level clients authenticating using the less secure NTLM protocol. Whenever a user logs on to a DC using NTLM, this group/SID is added to his or her access token. Access to resources can thus be restricted by using this group in a deny ACE. |
| Other Organization | Used for forest trust selective authentication. Selective authentication allows distinguishing between users from your own forest and users that come in through a forest trust. See Chapter 3 for more information. |
| Remote Interactive Logon | Allows assigning permissions for users logged on via Terminal Services/Remote Desktop. |
| SChannel Authentication | Allows setting special permissions for clients authenticating via a secure |
| This Organization | See Other Organization. |
| Well-Known-Security-ID-System | Local System account. |
Table 10.14: Well-Known Security Principals: Windows 2000

| Well-Known Security Principal Group | Membership and Meaning |
|---|---|
| Everyone | Includes all authenticated users and guests. In Windows Server 2003 the anonymous account is no longer a member of the Everyone group. |
| Anonymous Logon | Includes all users that logged on anonymously. |
| Authenticated Users | Includes all users that authenticated to the operating system. |
| Network | Includes all users logged on through a network connection. |
| Dialup | Includes all users logged on through a dial-up connection. |
| Batch | Includes all users logged on through a batch scheduler connection. |
| Interactive | Includes all users logged on interactively. |
| Service | Includes all principals that logged on as a service. |
| Enterprise Domain Controllers | Includes all domain controllers in a Windows 2000 forest. |
| Terminal Server User | Includes all users that have logged on to a terminal services server. |
| System | Represents the local system. |
| Creator Owner | Placeholder used for inheritance: is replaced by the creator owner of the object that inherits the permission. |
| Creator Group | Placeholder used for inheritance: is replaced by the primary group of the creator owner of the object that inherits the permission. |
| Self | Placeholder: represents the object to whose ACL Self is added. |
| Proxy | Reserved for future use. |
| Restricted Code | Reserved for future use. |
Administrator groups
The pyramid shown in Figure 10.30 shows the level of administrative privileges Windows 2000 gives to its default security groups. Table 10.15 shows the default memberships of these groups on a Windows 2000 workstation, member server, and domain controller. Notice that some groups are not available on all Windows computer types (N/A) and that some groups, by default, do not have members (—).
Figure 10.30: Windows administrator pyramid.
Table 10.15: Windows Administrator Groups

| Group | Default Members on Workstations, Member Servers | Default Members on Domain Controllers |
|---|---|---|
| Enterprise Admins | N/A | Administrator of forest root domain* |
| Domain Admins | N/A | Administrator of the domain |
| Administrators | Administrator, Domain Admins† | Administrator, Domain Admins, Enterprise Admins |
| Users | Authenticated Users, Domain Users | Authenticated Users, Domain Users, Interactive |
| Power Users | Interactive | N/A |
| Account Operators | N/A | — |
| Server Operators | N/A | — |
| Backup Operators | N/A | — |
| Print Operators | N/A | — |

\* The Enterprise Admins group is only defined on the domain controllers of the root domain of a forest.
† The Domain Admins group is added to the local Administrators group when the machine joins a domain. The same is true for the Domain Users group and the local Users group.
Let’s look a bit more in detail at the power of the Windows Enterprise Admins, Domain Admins, and Administrators groups. It is also worth comparing these groups to the administrator groups that were available in NT4.
NT4 had two administrator groups: Domain Admins and Administrators:
- The Administrators group on domain controllers was one and the same group shared between all domain controllers of a domain. A member of this group had the right to manage all domain resources, including users, groups, rights, account policy, audit policy, trusts, shares, and the services on all domain controllers.
- The Administrators group on a member server or a workstation had the right to manage all resources on the local workstation or member server.
- The Domain Admins group had no rights of its own. Members of the Domain Admins group received administrative rights over every system in a domain because, by default, when a system joined the domain, the Domain Admins group was added to the local Administrators group.
A key problem of NT4 was its lack of granular administration. If you wanted to give an administrator permission to manage a subset of domain accounts, you had to add him or her to the Account Operators or Domain Admins group. This gave administrative control not just over the subset but over every account in the domain. The Account Operators group merely prevented its members from modifying administrative accounts in the domain.
Windows 2000 and Windows Server 2003 have three administrator groups: Enterprise Admins, Domain Admins, and Administrators:
- The Enterprise Admins group is created in the first domain that is created in the forest. The Enterprise Admins group is added automatically to the Administrators group of the domain controllers in every domain that joins the forest. This means that, by default, a member of Enterprise Admins can manage the configuration of a forest and also every domain controller in the forest. Table 10.16 lists some Windows administrative tasks that require enterprise administrator rights and permissions.
Table 10.16: Administrator Tasks That Require Enterprise Administrator Permissions

| Task | Reason |
|---|---|
| Create new domain in forest | Creates crossRef objects in the CN=Partitions,CN=Configuration subtree. |
| Manage sites and subnets | Creates and modifies objects in the CN=Sites,CN=Configuration subtree. |
| Install Enterprise Certification Authority | Creates the CA object in the CN=Public Key Services,CN=Services,CN=Configuration subtree. |
| Install Certification Authority for a child domain | Creates objects in the CN=Public Key Services,CN=Services,CN=Configuration subtree. |
| Create Admission Control Service (ACS) policies | Creates subnet objects in CN=Subnets,CN=Sites,CN=Configuration. Creates CN=ACS,CN=Subnets,CN=Sites,CN=Configuration and objects in this subtree. |
| Install first Exchange server in forest | Extends the schema naming context and modifies the configuration naming context. Creates objects in the CN=DisplaySpecifiers,CN=Configuration subtree. Creates CN=MS Exchange,CN=Services,CN=Configuration and objects in this subtree. |
| Authorize a DHCP server | Creates CN=DHCPRoot,CN=NetServices,CN=Services,CN=Configuration and objects in this subtree. |
| Set up printer location tracking | Sets the location attribute on subnet or site objects in the CN=Sites,CN=Configuration subtree. Sets the location attribute on computer objects in any domain. |
| Set up Simple Certificate Enrollment Protocol (SCEP) | Changes the ACL on objects in the CN=Public Key Services,CN=Services,CN=Configuration subtree. |
The Enterprise Admins group is not added to the Domain Admins group or to the Administrators group on member servers and workstations. By default, it is also not possible for a member of the Enterprise Admins group to grant himself administrative rights on all servers and workstations in a forest simply by changing the membership of the Domain Admins groups. This is because:
- Domain Admins is a global group in its respective domain;
- Enterprise Admins is a universal group in the root domain;
- a universal group cannot be added to a global group;
- the group type of the Domain Admins group cannot be changed;
- a user from one domain cannot be added to a global group of another domain.

- Members of the Enterprise Admins group do, however, have the power to create other accounts (in each domain of the forest), which they can then add to the respective Domain Admins group. They can also use the Restricted Groups GPO setting to enforce the addition of the Enterprise Admins group to all local Administrators groups. In practice, therefore, Enterprise Admins membership should be treated as full control over every domain in the forest.
- The same rules as in NT4 apply to the Domain Admins group and to the Administrators group on member servers and workstations.
Both Windows 2000 and Windows Server 2003 include major enhancements on the level of granular administration. In both OSs it is possible to grant an administrator the permission to manage only a subset of the domain accounts. We will come back to this in Section 10.7.
AdminSDHolder and permissions on administrator accounts
To protect against unauthorized modification of the permissions set on accounts that are members of one of the built-in Windows administrator groups, Microsoft provides a mechanism that automatically resets the permissions on these accounts at regular intervals.
In Windows 2000 this feature applies to members of the Enterprise Admins, Schema Admins, Domain Admins, and Administrators groups. In Windows Server 2003[4] it also applies to members of the Account Operators, Server Operators, Print Operators, Backup Operators, and Cert Publishers groups.
This mechanism is based on a special AD container object called AdminSDHolder (Administrator Security Descriptor Holder). Every 60 minutes, the domain controller holding the PDC Emulator operations master (FSMO) role compares the permissions on the protected administrator accounts against the permissions on the CN=AdminSDHolder,CN=System,DC=<DomainName>,DC=<DomainExtension> container. If they differ, the security descriptor on the administrator object is overwritten with the permissions of the AdminSDHolder container. For this process to work, it also disables permission inheritance on the protected AD objects, and it marks them by setting their adminCount attribute to 1.
To change the permissions the PDC emulator applies to the administrator accounts, you must change the permissions on the AdminSDHolder container itself. Because AdminSDHolder is a container object, not all permissions applicable to a user account object can be set from the Windows GUI; for example, you cannot set the Change Password permission there. To do so, use the dsacls command-line utility, as in the following example, which grants Everyone the Change Password control access right:

```
dsacls cn=adminsdholder,cn=system,dc=<domainname> /G "Everyone:CA;Change Password"
```
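Because the propagation only runs on its interval, it is useful to be able to verify its effect and to trigger it on demand. The PowerShell below is an added example, not part of the original text: it compares the DACL of every object stamped adminCount=1 against the DACL of AdminSDHolder, flags objects whose inheritance is not blocked or whose DACL differs, and kicks off the propagation immediately. It assumes the RSAT `ActiveDirectory` module and a session with read access to the objects' security descriptors. The rootDSE operational attribute for an immediate run is `runProtectAdminGroupsTask` on Windows Server 2008 and later; on Windows 2000/2003 it is `fixupInheritance`.

```powershell
# Added example (not from the original text). Assumes the RSAT ActiveDirectory module and
# a session with read access to the security descriptors of the protected objects.
Import-Module ActiveDirectory

function Get-AdminSDHolderDn {
    return "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
}

# DACL of an AD object in SDDL form ('Access' section only, so owner/group differences are ignored).
function Get-ObjectDaclSddl {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor
    return $obj.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
}

# Objects stamped adminCount=1 are (or once were) covered by the AdminSDHolder process. After a
# run, every current member of a protected group has inheritance disabled and a DACL equal to
# AdminSDHolder's. A mismatch means either a change made since the last run, or an object that
# left the protected groups but kept adminCount=1 and the restrictive ACL (an "orphan").
function Compare-ProtectedAccountDacls {
    $reference = Get-ObjectDaclSddl -DistinguishedName (Get-AdminSDHolderDn)
    $filter    = '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))'
    foreach ($obj in Get-ADObject -LDAPFilter $filter -Properties nTSecurityDescriptor) {
        $sd = $obj.nTSecurityDescriptor
        [pscustomobject]@{
            Name               = $obj.Name
            Class              = $obj.ObjectClass
            InheritanceBlocked = $sd.AreAccessRulesProtected
            DaclMatchesHolder  = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $reference)
        }
    }
}

# Runs the propagation now instead of waiting for the next interval, by writing the operational
# attribute on the PDC emulator's rootDSE.
function Invoke-SDPropNow {
    param([ValidateSet('runProtectAdminGroupsTask','fixupInheritance')][string]$Operation = 'runProtectAdminGroupsTask')
    $value   = if ($Operation -eq 'fixupInheritance') { 'yes' } else { '1' }
    $pdc     = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put($Operation, $value)
    $rootDse.SetInfo()
}

# Report only the objects that do not look the way SDProp leaves them.
Compare-ProtectedAccountDacls |
    Where-Object { -not $_.DaclMatchesHolder -or -not $_.InheritanceBlocked } |
    Format-Table -AutoSize
```

Two practical consequences follow from the mechanism. First, any permission you grant on a protected account directly (for example, delegating password reset on a Domain Admin) is silently reverted within the hour, so such delegations must be made on AdminSDHolder or not at all. Second, an ACE added to AdminSDHolder is copied to every protected account in the domain, so that container should be monitored for changes as carefully as the admin groups themselves.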
10.5.2 Group usage guidelines
Windows 2000 and Windows Server 2003 administrators are facing the same authorization administration problem as they did in NT4: They must give a universe of users access to a universe of resources. It is obvious that groups can make the life of administrators much easier. What are some of the basic rules an administrator should use when dealing with groups for authorization? Here is a starting point (illustrated in Figure 10.31):
Figure 10.31: Group usage guidelines.
- Use global groups to group users, use local groups (SAM local or domain local) to set the ACLs on resources, and put global groups into local groups to apply authorization settings.
- Use universal groups to give users access to resources that are located in more than a single domain. This means that you should put global groups into universal groups, put the universal groups into local groups, and then use these local groups to set the resources' ACLs.
- Use universal groups when the group's membership is close to static. Universal groups cause more replication traffic when their membership changes frequently than domain local or global groups do. The reason was shown in Table 10.9: the membership of a universal group is stored in the Global Catalog (GC), which is replicated forest-wide. Specific applications may demand more use of universal groups than would make sense from a pure AD replication perspective. For example, you should always use universal groups as distribution lists for Exchange 2000 and later, because of the way Exchange resolves distribution list (DL) memberships: an Exchange server talks to a GC server to resolve a DL's membership, and if a DL contains a global group from another domain, that global group will always appear empty from Exchange's perspective. Remember that global group memberships are only available on the DCs of the global group's definition domain.
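The first guideline above (accounts into global groups, global groups into domain local groups, domain local groups onto the ACL, usually abbreviated AGDLP) is also what Table 10.9's scope rules make natural. The PowerShell below is an added example, not part of the original text, that builds one such chain for a file share and then audits the share's ACL for direct references to users or global/universal groups, which is the pattern the guideline says to avoid. It assumes the RSAT `ActiveDirectory` module and runs on the file server itself; the domain `CONTOSO` (`DC=contoso,DC=local`), the OU `OU=Groups`, the user `jdoe` and the folder `D:\Shares\Finance` are hypothetical. The cross-domain variant (global into universal into domain local) is the same chain with one more nesting step and is not shown.

```powershell
# Added example (not from the original text). Assumes the RSAT ActiveDirectory module,
# a hypothetical domain CONTOSO with an OU 'OU=Groups,DC=contoso,DC=local', a hypothetical
# user 'jdoe', and a folder 'D:\Shares\Finance' on the machine the script runs on.
Import-Module ActiveDirectory

$GroupOU  = 'OU=Groups,DC=contoso,DC=local'   # hypothetical
$Resource = 'D:\Shares\Finance'               # hypothetical

function Get-OrCreateGroup {
    param([string]$Name, [string]$Scope, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

# A(ccounts) -> G(lobal role group) -> DL (domain local resource group) -> P(ermission).
# Only the domain local group ever appears in the ACL; roles and people change behind it.
function New-AgdlpChain {
    param([string]$Role, [string]$ResourceName, [string]$Access = 'Modify')
    $global = Get-OrCreateGroup -Name $Role -Scope Global -Path $GroupOU
    $dl     = Get-OrCreateGroup -Name "ACL_${ResourceName}_$Access" -Scope DomainLocal -Path $GroupOU
    Add-ADGroupMember -Identity $dl -Members $global     # G -> DL nesting
    return [pscustomobject]@{ Global = $global; DomainLocal = $dl }
}

function Grant-FolderAccess {
    param($DomainLocalGroup, [string]$Path, [string]$Rights = 'Modify')
    $acl      = Get-Acl -Path $Path
    $identity = "$((Get-ADDomain).NetBIOSName)\$($DomainLocalGroup.SamAccountName)"
    $rule     = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: explicit ACEs that name a user, a global group or a universal group directly break
# the guideline (they should go through a local or domain local group).
function Find-AclGuidelineViolations {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in ((Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited })) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties groupType
        if (-not $obj) { continue }        # local SAM account or well-known SID: not an AD principal
        $kind = if ($obj.ObjectClass -ne 'group')   { $obj.ObjectClass }
                elseif ($obj.groupType -band 0x4)   { 'DomainLocal' }   # includes BUILTIN groups
                elseif ($obj.groupType -band 0x8)   { 'Universal' }
                else                                { 'Global' }
        if ($kind -ne 'DomainLocal') {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Kind = $kind; Rights = $ace.FileSystemRights }
        }
    }
}

$chain = New-AgdlpChain -Role 'Finance Users' -ResourceName 'Finance'
Add-ADGroupMember -Identity $chain.Global -Members 'jdoe'       # A -> G
Grant-FolderAccess -DomainLocalGroup $chain.DomainLocal -Path $Resource
Find-AclGuidelineViolations -Path $Resource | Format-Table -AutoSize
```

Naming the domain local group after the resource and the access level it grants (`ACL_Finance_Modify`) makes the ACL readable without opening it, and keeps membership changes, which replicate cheaply for global and domain local groups, out of the Global Catalog.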
User rights can be split into two categories: logon rights and user privileges. Logon rights control who can log on to a computer system and how he or she can do the logon. User privileges are used to control access to system resources and system-related operations.
[4] The same is true on Windows 2000 if you have installed the hotfix mentioned in Microsoft KB article Q327825 or Windows 2000 Service Pack 4 (SP4).