Domain local groups are used to grant permissions to resources within a single domain. In terms of scope, they can contain accounts and groups from any domain in the forest. The thing to remember about domain local groups is that they can only be used to assign permissions to resources within the domain in which the group is created.
Once Windows Server 2003 is installed and promoted to a domain controller, several default domain local groups are created. Each of these groups is automatically assigned certain rights, and adding a user to one of these built-in groups gives them the right to perform specific tasks. You can use these default groups or you can create new ones based on your administrative model and practices. If you do add a user to one of these groups, review the rights assigned to the group beforehand to ensure you aren’t giving the user more administrative power than they need.
The default domain local groups within the Built-in container are described below.
- Account Operators: Members of the account operators group can create, modify, and delete user, group and computer accounts with the exception of those accounts located within the Built-in folder and the Domain Controllers OU.
- Administrators: Members of this group have full control within the domain.
- Backup Operators: Members of this group can back up and restore data on all domain controllers within the domain.
- Guests: Members of this group have limited access to the network.
- Incoming Forest Trust Builders: Members of this group have the right to create one-way incoming trusts to the domain.
- Network Configuration Operators: Members of this group can make changes to TCP/IP settings on all domain controllers within the domain.
- Performance Log Users: Members of this group have access to schedule logging of performance counters on all domain controllers within the domain.
- Performance Monitor Users: Members of this group have the right to monitor domain controllers.
- Pre-Windows 2000 Compatible Access: This group is for backwards compatibility with Windows NT 4.0. Members of this group have read access to all user and group accounts within the domain.
- Print Operators: Members are permitted to administer all domain printers.
- Remote Desktop Users: Members have the right to log on remotely to domain controllers.
- Replicator: This group is used by the file replication service to support directory replication.
- Server Operators: Members of this group have the right to administer servers within the domain. They can perform tasks such as backing up and restoring data, logging on locally, stopping and starting network services, formatting hard drives, and shutting down the system.
- Users: Members of this group have limited ability within a domain.
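As an added example (not part of the original article), the following PowerShell script enumerates the Built-in groups listed above, confirms their scope, and flags the operator-level groups that already have members so their rights can be reviewed before anyone else is added. It assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine running it; the high-privilege flag is the editor's classification based on the descriptions above, not a property of the directory.

```powershell
# Added example, not from the original article: audit membership of the
# Built-in domain local groups described above. Assumes the ActiveDirectory
# module (RSAT) is installed; the HighPrivilege flag is our own classification
# based on the rights each group grants.
Import-Module ActiveDirectory

$builtinGroups = @(
    @{ Name = 'Account Operators';                  HighPrivilege = $true  },
    @{ Name = 'Administrators';                     HighPrivilege = $true  },
    @{ Name = 'Backup Operators';                   HighPrivilege = $true  },
    @{ Name = 'Guests';                             HighPrivilege = $false },
    @{ Name = 'Incoming Forest Trust Builders';     HighPrivilege = $true  },
    @{ Name = 'Network Configuration Operators';    HighPrivilege = $true  },
    @{ Name = 'Performance Log Users';              HighPrivilege = $false },
    @{ Name = 'Performance Monitor Users';          HighPrivilege = $false },
    @{ Name = 'Pre-Windows 2000 Compatible Access'; HighPrivilege = $false },
    @{ Name = 'Print Operators';                    HighPrivilege = $true  },
    @{ Name = 'Remote Desktop Users';               HighPrivilege = $true  },
    @{ Name = 'Replicator';                         HighPrivilege = $true  },
    @{ Name = 'Server Operators';                   HighPrivilege = $true  },
    @{ Name = 'Users';                              HighPrivilege = $false }
)

# Built-in groups live under CN=Builtin in the domain naming context.
$builtinDn = "CN=Builtin,$((Get-ADDomain).DistinguishedName)"

$report = foreach ($g in $builtinGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $builtinDn
    if (-not $group) { continue }
    # -Recursive expands nested groups so indirect members are counted too.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    [pscustomobject]@{
        Group         = $group.Name
        Scope         = $group.GroupScope      # expected: DomainLocal
        MemberCount   = $members.Count
        Members       = ($members | Select-Object -ExpandProperty SamAccountName) -join ', '
        HighPrivilege = $g.HighPrivilege
    }
}

# Show every group, then call out high-privilege groups that have members.
$report | Format-Table Group, Scope, MemberCount, HighPrivilege -AutoSize
$report | Where-Object { $_.HighPrivilege -and $_.MemberCount -gt 0 } |
    ForEach-Object { Write-Warning "Review members of '$($_.Group)': $($_.Members)" }
```

Administrators will always be flagged because Domain Admins and the built-in Administrator account are members by default; the groups worth scrutinising are the operator groups that should normally be empty.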