MCITP 70-640: Built-in Groups Domain Controllers and Server

Groups covered in this video

Server Operators 03:58
Account Operators 05:01
Print Operators 06:18
Terminal Server License Servers 07:25
Incoming Forest Trust Builders 07:57
Certificate Service DCOM Access 09:03
Windows Authorization Access Group 09:38
Pre-Windows 2000 Compatible Access 10:25

DC Promotion Process

Server Operators
This group allows members to log in to Domain Controllers, start and stop services on the Domain Controllers, perform backup and restore operations, format disks, create shares, and shut down and restart Domain Controllers. This group has no default members and does not give the user access to any servers that are not Domain Controllers. This group is aimed at someone who performs maintenance on Domain Controllers. For this reason, members cannot perform Active Directory administration.

Account Operators
Members of this group can perform Active Directory administration such as creating new users and groups. Although it is not required for Active Directory administration, members of this group can log in to a Domain Controller. Once logged in, they can only perform Active Directory administration: they cannot perform other tasks on the Domain Controller such as rebooting. It should be remembered that Account Operators are not administrators in the domain, and thus some Active Directory administration cannot be done for security reasons. This includes making changes to the Domain Controllers OU, changing the members of the Domain Admins or Enterprise Admins groups, or changing properties of any user that is an administrator.

Print Operators
Members of this group can manage printers on Domain Controllers and printer objects in Active Directory. In order to manage printers on a Domain Controller, members of this group can also log in to a Domain Controller. Although they do not have the rights to perform day-to-day administration on the Domain Controller, members of this group can shut down the Domain Controller.

Terminal Server License Servers
An Active Directory user account stores information about terminal server licenses. The terminal services licensing server needs to access this information. To give this server only the minimum access to Active Directory required to read this information, you can add the computer account of the licensing server to this group.

Incoming Forest Trust Builders
To create a trust between two domains, normally an administrator in each domain will create and approve the trust. If you place a user from another domain in this group, they will be able to create an incoming trust from another domain to that domain without an administrator in the other domain having to create or approve the trust.

Certificate Service DCOM Access
This group exists on both Domain Controllers and member servers. If users that use DCOM need access to certificates, they need to be added to this group.

Windows Authorization Access Group
In the user account in Active Directory there is a computed token. This is a computed version of the same security token that is created when a user logs in. You only need to add users to this group for special software that requires this access.

Pre-Windows 2000 Compatible Access
Members of this group are allowed read access to users and groups in the domain. This group should only be used if you have Windows NT computers in your domain.
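
The following is an added example, not part of the video or its description: a read-only PowerShell audit that lists the current members of the groups covered above, so that unexpected entries can be reviewed. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the domain; the variable names and the `Review` column are illustrative.

```powershell
# Added example: read-only audit of the built-in groups described above.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Per the text, members of these groups can log in to or shut down Domain Controllers.
$dcLogonGroups = 'Server Operators', 'Account Operators', 'Print Operators'
# These groups grant additional directory or trust-related access.
$accessGroups  = 'Terminal Server License Servers', 'Incoming Forest Trust Builders',
                 'Certificate Service DCOM Access', 'Windows Authorization Access Group',
                 'Pre-Windows 2000 Compatible Access'

$report = foreach ($name in $dcLogonGroups + $accessGroups) {
    try {
        # Read the raw member attribute; it also lists foreign security principals
        # (members from other domains, or well-known identities) as distinguished names.
        $group = Get-ADGroup -Identity $name -Properties member -ErrorAction Stop
    } catch {
        Write-Warning "Group '$name' not found or not readable: $($_.Exception.Message)"
        continue
    }

    $members = @($group.member)
    if ($members.Count -eq 0) {
        [pscustomobject]@{ Group = $name; Member = '(none)'; Review = $false }
        continue
    }

    foreach ($dn in $members) {
        [pscustomobject]@{
            Group  = $name
            Member = $dn
            # Flag every member of an operator group for review, because
            # membership carries log-in rights on Domain Controllers.
            Review = $dcLogonGroups -contains $name
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize -Wrap
```

Nested group membership is not expanded here; a group listed as a member should be inspected in turn.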

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" Microsoft Press, pg. 177-179
Comments

Thanks for taking the time to leave a comment and thanks for passing the link onto your IT buddies, that really helps us a lot.

itfreetraining

Thanks for the comment. The only course we are working on at present is the 70-640 course. We will get it done as soon as possible.

itfreetraining

Appreciate the effort made to create and share these fantastic videos. I look forward to watching more as I go through my exams. Will be forwarding a link to your channel to all my IT buddies. Thanks again.

davidpurdon

Thanks for taking the time to leave a comment. More videos on the way.

itfreetraining

It is hard to estimate how many videos will be in the course. We work off the objectives supplied by Microsoft which will give you an idea how many topics we have left to cover.

itfreetraining

Thanks for all the videos, they are amazing, and for your time and experience in sharing them. I hope you can upload more videos. Thanks, greetings from Chile.

kasscie

I'm watching my way through the playlist and haven't watched this video yet, so if this question is answered in the video forgive me, but how many videos have you planned for this course?

michael

Since the default domain controller policy doesn't allow log on locally for domain user accounts, what is the best possible way to allow domain users to log on locally on a domain controller?

rishabhsaksenasam

If I add domain users to allow log on locally, it will put the DC at risk. I want to know the method to avoid this situation.

rishabhsaksenasam