Windows Server 2016 creates several groups automatically. These are called default local groups, and they include well-known groups such as Administrators, Backup Operators and Remote Desktop Users. Windows Server 2016 creates additional groups automatically in a domain, both in the Builtin container and in the Users container, including Domain Admins, Enterprise Admins and Schema Admins. Let's examine the default groups that provide administrative privileges. A subset of default groups has significant permissions and user rights relating to the management of AD DS. Because of their rights, they are protected groups; protected groups are described later in this course. For now, let's have a summary of the capabilities of these groups.

Enterprise Admins. This group is created in the Users container of the forest root domain. This group is a member of the Administrators group in every domain in the forest, which gives it complete access to the configuration of all domain controllers. It also owns the configuration partition of the directory and has full control of the domain naming context in all forest domains.

The next group is Schema Admins. It exists in the Users container of the forest root domain. This group owns and has full control of the Active Directory schema.

Administrators exists in the Builtin container of each domain.
Members of this group have complete control over all domain controllers and over the data in the domain naming context. They can change the membership of all other administrative groups in the domain, and the Administrators group in the forest root domain can change the membership of Enterprise Admins, Schema Admins and Domain Admins. The Administrators group in the forest root domain is the most powerful service administration group in the forest.

The next group is Domain Admins. It exists in the Users container of each domain. This group is added to the Administrators group of its domain and therefore inherits the capabilities of the Administrators group. It is also, by default, added to the local Administrators group of each domain member computer, thus giving Domain Admins ownership of all domain computers.

Server Operators exists in the Builtin container of each domain. Members of this group can perform maintenance tasks on domain controllers. They have the rights to sign in locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and shut down domain controllers. By default, this group has no members.

Next up is Account Operators. This group exists in the Builtin container of each domain.
Members of this group can create, modify and delete accounts for users, groups and computers located in any OU in the domain except the Domain Controllers OU, and in the Users or Computers container. Account Operators group members cannot modify accounts that are members of the Administrators or Domain Admins groups, nor can they modify those groups. Account Operators group members also can sign in locally to domain controllers. By default, this group has no members.

Next up is Backup Operators. It exists in the Builtin container of each domain. Members of this group can perform backup and restore operations on domain controllers, and can sign in locally to and shut down domain controllers. By default, this group has no members.

Two more are left: Print Operators and Cert Publishers. Print Operators exists in the Builtin container of each domain. Members of this group can maintain print queues on domain controllers. They can also sign in locally to and shut down domain controllers, and by default this group has no members.

Cert Publishers exists in the Users container of each domain, and members of this group can publish certificates to the directory. By default, this group has no members.
So, to wrap up, there are the following default groups: Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators and Cert Publishers. You need to carefully manage the default groups that provide administrative privileges, because they typically have broader privileges than are necessary for most delegated environments, and because they often apply protection to their members. The Account Operators group is a good example of this. If you examine the capabilities of the Account Operators group, you can see that members of this group have very broad rights. They can even sign in locally to a domain controller. In very small networks, you might assign such rights to one or two individuals who are typically domain administrators anyway. However, in large enterprises the rights and permissions granted to Account Operators are usually far too broad. Additionally, the Account Operators group is, like the other administrative groups, a protected group. The operating system defines the protected groups, and they cannot be unprotected. Members of a protected group become protected by association: they no longer inherit permissions (ACLs) from their OU, but instead receive a copy of the ACL from the protected group. This protected group ACL offers considerable protection to the members.
For example, if you add Jeff Ford to the Account Operators group, his account becomes protected. The Help Desk, which has rights to reset the passwords of all other users in the Employees OU, cannot reset Jeff Ford's password. Protected groups include Account Operators, Administrators, Backup Operators and some more, such as Cert Publishers, Domain Admins, Enterprise Admins, Read-only Domain Controllers, Replicator and Server Operators. You should avoid adding users to the groups that do not have members by default, like Account Operators, Backup Operators, Server Operators and Print Operators. Instead, create custom groups to which you assign the permissions and user rights that achieve your business and administrative requirements. For example, Scott Mitchell should be able to perform backup operations on a domain controller, but should not be able to perform restore operations, which could lead to database rollback or corruption. In addition, Scott should not be able to shut down a domain controller. So you do not put Scott in the Backup Operators group. Instead, create a local group and assign it only the Back up files and directories user right, then create a global group and add Scott as a member. Then add the global group to the local group.
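An added PowerShell example, not part of the course material, that turns the lecture's advice into checks and configuration: it audits the groups described as empty by default, lists the accounts that are protected by association, and builds Scott's backup group the way the lecture describes (global group inside a domain local group that alone holds the backup right). The group names, the OU path, the account name scott.mitchell and the use of a security template to assign the user right are assumptions.

```powershell
# Added example, not from the course: audit the default administrative groups the
# lecture says are empty by default, list accounts protected by association, and build
# the custom backup group described for Scott. Assumes the ActiveDirectory RSAT module
# and a domain admin session. Group names, the OU path and 'scott.mitchell' are
# assumptions, not values from the lecture.
Import-Module ActiveDirectory

# 1. These groups have no members by default; any member found deserves review.
$emptyByDefault = 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
foreach ($name in $emptyByDefault) {
    $members = @(Get-ADGroupMember -Identity $name -Recursive)
    if ($members.Count -gt 0) {
        Write-Warning ("{0} has {1} member(s): {2}" -f $name, $members.Count, ($members.SamAccountName -join ', '))
    } else {
        Write-Output "$name is empty (expected default)."
    }
}

# 2. Protected-by-association accounts carry adminCount=1; the flag stays set even after
#    the account leaves the group, which is why the Help Desk still cannot reset them.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, MemberOf |
    Select-Object SamAccountName,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }

# 3. Scott goes into a global group, which goes into a domain local group that alone
#    receives the user right. Scott is never a member of Backup Operators.
$ou = "OU=Groups,$((Get-ADDomain).DistinguishedName)"   # assumed OU
New-ADGroup -Name 'DC-Backup-Rights' -GroupScope DomainLocal -GroupCategory Security -Path $ou
New-ADGroup -Name 'DC-Backup-Staff'  -GroupScope Global      -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DC-Backup-Staff'  -Members 'scott.mitchell'
Add-ADGroupMember -Identity 'DC-Backup-Rights' -Members 'DC-Backup-Staff'

# 4. Security template granting only SeBackupPrivilege ('Back up files and directories').
#    SeRestorePrivilege and SeShutdownPrivilege are deliberately absent. The entry replaces
#    the whole assignment on the DCs, so the default holders (Administrators S-1-5-32-544,
#    Backup Operators S-1-5-32-551, Server Operators S-1-5-32-549) are listed as well.
$sid = (Get-ADGroup -Identity 'DC-Backup-Rights').SID.Value
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*__SID__
'@ -replace '__SID__', $sid
$inf | Set-Content -Path "$env:TEMP\dc-backup-right.inf" -Encoding Unicode
# Import the template into the Default Domain Controllers Policy (Computer Configuration >
# Windows Settings > Security Settings > Import Policy) so the right is applied on every DC.
```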