Windows NT
Administrators: Local and Global


by Pat Bloodwell,
Tech Support Manager, Executive Software



Note: This is the first in a series of articles on the subject of Windows NT
permissions.  Because we feel that this is a particularly vital area of
network management, we thought it deserved some coverage.

In this first article we hope to explain a number of points using real world
examples.  Our purpose is to lead everyone to a higher level of comfort and
competence in this complex and sometimes confusing area of Windows NT.  I
will begin with my focus on the Administrator group, the most powerful group
in the operating system.

The following is an actual example of a typical situation that we have seen
on a number of occasions.  It involves a user account that has local
administrator access when the user logs on to the local computer name, but
does not have local administrator access when the user logs on to the domain
name.

The main difference between logging in to the local machine name and logging
in to the domain name is where the login is authenticated.  When the user
logs in to the local machine, his login is authenticated by the local
directory database, created and modified by the local User Manager
application.  When a user logs into the domain, his login is authenticated
either by the global directory database on the PDC (Primary Domain
Controller) or a copy of that same global directory database on a BDC
(Backup Domain Controller).  This centralized directory database is created
and modified by User Manager for Domains from any domain controller or other
Windows NT system that has User Manager for Domains on the local system.
Which way the user chooses to log in will determine which of the two
separate accounts the user is actually using.

In this case, the account "workstation/joe" is a member of the local
administrator group and can perform all functions locally as an
administrator.  The account "domain/joe" is NOT a member of the local
administrator group.  Thus the "domain/joe" account is not an administrator
on this local system.  There are several options you can use to set up this
account as an administrator; here are two that I believe are the simplest
solutions:

1.  If you want "domain/joe" to be an administrator on THIS WORKSTATION
ONLY, add his global account name, "domain/joe," to the administrator group
in this specific workstation's User Manager.  The local User Manager
controls access to the local system.

2.  If you want "domain/joe" to be an administrator on ALL GLOBAL SYSTEMS,
add the group Domain Admins to his account in User Manager for Domains.
User Manager for Domains controls the global user database for the domain.
By default, Domain Admins are members of the local administrator group on
any system that is running Windows NT, making "domain/joe" a local
administrator on all Windows NT systems.  I will be discussing this powerful
group in a later article.

To add the account "domain/joe" to the Administrator group on this local
system only:

a.  Open User Manager on the local system from this menu location: Start /
Programs / Administrative Tools.
b.  Within the User Manager Window, highlight and double click
Administrators in the Groups column of the lower sub window.
c.  Within the Local Group Properties Window, click the Add button.
d.  Within the Add Users and Groups Window, make sure that the correct
domain name is displayed in the List Names From pull down list, highlight
the account name joe, and click the Add and OK buttons.
e.  Within the Local Group Properties Window, click the OK button and close
User Manager.

To add the account "domain/joe" to the domain admin group:

a.  Open User Manager for Domains on any domain controller or other Windows
NT system that has the User Manager for Domains application installed from
this menu location: Start / Programs / Administrative Tools.
b.  Within the User Manager for Domains Window, highlight and double click
Domain Admins in the Groups column of the lower sub window.
c.  Within the Global Group Properties Window, highlight joe and click the
Add and OK buttons.
d.  Close User Manager for Domains.
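
One way to check the result of either procedure from the command line is to
read the member list printed by "net localgroup Administrators" on the
workstation.  The script below is an added example, not part of the original
article: the sample output, the names WORKSTATION and DOMAIN, and the
global_groups data are constructed, and accounts are written with a backslash
(DOMAIN\joe) as that command prints them.

```python
# Constructed sample of `net localgroup Administrators` output on the workstation.
SAMPLE = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
joe
The command completed successfully.
"""

def parse_members(output):
    """Return the member names listed between the dashed rule and the footer."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("---"):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def split_member(member, computer):
    """Return (authority, name); a bare name lives in the local database."""
    authority, sep, name = member.rpartition("\\")
    return (authority if sep else computer).upper(), name.lower()

def is_local_admin(account, members, computer, global_groups):
    """account is 'AUTHORITY\\name'. global_groups maps 'DOMAIN\\group' to the
    domain user names in it (hypothetical data, as seen in User Manager for Domains)."""
    groups = {split_member(g, computer): {u.lower() for u in users}
              for g, users in global_groups.items()}
    authority, name = split_member(account, computer)
    for member in members:
        m_auth, m_name = split_member(member, computer)
        if (m_auth, m_name) == (authority, name):
            return True   # listed directly in the local Administrators group
        if m_auth == authority and name in groups.get((m_auth, m_name), set()):
            return True   # reaches Administrators through a global group
    return False
```

The bare name "joe" in the listing is the workstation's own account, so it
never makes DOMAIN\joe an administrator; only a DOMAIN\joe entry (option 1)
or membership in a listed global group (option 2) does.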

In this article, I was working with the administrator group, but this
general procedure applies to any local or global group.  My next article
will include data on the differences between local and global groups.  If
you have any further data or comments on this article, please contact me at
the e-mail address below.

------------------------------------------------------
Pat Bloodwell is one of our ace Tech Support Managers, and can be reached at
pbloodwell@executive.com.  Please feel free to write him with questions or
comments about this article.


This information was provided by Executive Software, maker of the Diskeeper defragmenter and Undelete for Windows NT. Visit their web site at
http://www.executive.com
