In a Windows security domain, user names (for example, vsmith) and group names (for example, software) identify users and groups of users on the network. In addition to user-defined network groups (for example, software, finance, and test), Windows supports a number of built-in or local groups, each providing various privileges and levels of access to the server on which it has been configured.
These groups exist on every Windows computer. They are not network groups, but are local to each computer. So, the user vsmith may be granted Administrator privileges on one computer and not on another.
On the server, the administrator can add users to any of the following local groups:
- Root: If a user is a member of the local Root group, the user bypasses all security checks, and can take ownership of any file in the file system.
- Administrators: If a user is a member of the local Administrators group, the user can take ownership of any file in the file system.
- Audit Service Accounts: If a user is a member of the Audit Service Accounts group, the server does not add any of their events to the audit log. However, the server does add events to the audit log for any user who is not a member of this group. These events consist of the Windows file access and deletion events which are recorded by the server. As an alternative to the NAS Manager, it is possible to use the localgroup CLI commands to add, remove or display the users for this group.
- Backup Operators: If a user is a member of the local Backup Operators group, the user bypasses all security checks, but cannot take ownership of a file in the file system. The privilege to bypass all security checks in the file system is required for accounts that run Backup Exec or perform virus scans. Virus scanner servers that are a part of the Backup Operators group can, however, take ownership of any file in the file system.
- Forced Groups: If a user is a member of the local Forced Groups group, when the user creates a file, the user’s defined primary group is overridden and the user account is used to indicate the file creator’s name.
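
The following is an added example, not part of the original documentation or the server's own tooling. It reviews a local group membership listing against the privileges described above and reports accounts that are exempt from auditing while also holding the bypass or take-ownership privilege. The input format, the account names and the privilege labels are assumptions made for the example.

```python
# Added example; the membership text below is constructed sample input, not
# the output of any server command. Privilege names are labels chosen here.
PRIVILEGES = {
    "Root": {"bypass_security_checks", "take_ownership"},
    "Administrators": {"take_ownership"},
    "Backup Operators": {"bypass_security_checks"},
    "Audit Service Accounts": {"not_audited"},
    "Forced Groups": {"primary_group_overridden"},
}
ELEVATED = {"bypass_security_checks", "take_ownership"}

SAMPLE_MEMBERSHIP = """\
Root: DOMAIN\\nasadmin
Administrators: DOMAIN\\vsmith, DOMAIN\\nasadmin
Backup Operators: DOMAIN\\svc-backup, DOMAIN\\AVSCAN01$
Audit Service Accounts: DOMAIN\\svc-backup, DOMAIN\\vsmith
Forced Groups: DOMAIN\\jlee
"""

def parse_membership(text):
    """Return {account: set(groups)} from 'Group: member, member' lines."""
    members = {}
    for line in filter(str.strip, text.splitlines()):
        group, _, names = (part.strip() for part in line.partition(":"))
        if group not in PRIVILEGES:
            raise ValueError(f"unknown local group: {group!r}")
        for name in filter(None, (n.strip() for n in names.split(","))):
            members.setdefault(name.lower(), set()).add(group)
    return members

def effective_privileges(groups, is_virus_scanner=False):
    """Union of the privileges granted by each local group the account is in."""
    privs = set().union(*(PRIVILEGES[g] for g in groups))
    # Per the text, virus scanner servers in Backup Operators can take ownership.
    if is_virus_scanner and "Backup Operators" in groups:
        privs.add("take_ownership")
    return privs

def audit_blind_spots(members, virus_scanners=()):
    """Accounts whose events are not logged while they hold elevated rights."""
    scanners = {s.lower() for s in virus_scanners}
    findings = {}
    for account, groups in members.items():
        elevated = effective_privileges(groups, account in scanners) & ELEVATED
        if "Audit Service Accounts" in groups and elevated:
            findings[account] = sorted(elevated)
    return findings
```

Calling `audit_blind_spots(parse_membership(SAMPLE_MEMBERSHIP), ["DOMAIN\\AVSCAN01$"])` on the sample flags vsmith and svc-backup, the two accounts that combine audit exemption with an elevated privilege.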