local and global user accounts

Archived from groups: microsoft.public.windowsnt.domain

I'm having trouble understanding local and global users and I was wondering if
someone could help me out.
In these Windows NT Server books, they are always talking about users and accounts.
Are they the same thing like: are Local users the same thing as local
accounts??
The same goes for global users as opposed to global accounts??

Second:

Please let me know if I'm understanding this correctly-

* On a local workstation or server in a non-domain environment, if the person
needed to use the machine is placed in the "User" group, this person has a
local account or is a local user in a local group. The person can log
interactively by default into the machine.

* On a domain, through User Manager for Domains on I guess the PDC, if a user
is entered into the "User" group, by default, it is a global user account in a
local group. This person can log in interactively if the policies are set up to
allow it on the PDC.

If the Administrator had selected "Local Account for users from untrusted
domains" in the Account menu in the User Manager for Domain, while adding this
person to the "User" group, would they be a local user in a local group??

Does the local account/local user appear in all domain controllers? Since the
SAM is replicated to them, can this user log on to all domain controllers
through a network logon or only into the PDC through a network logon??

* Finally, if the Administrator had instead added the user to the "Domain
Users" group, and had selected "local account" in the accounts box, can the
user log on to all computers and domain controllers through a network logon on
that domain?? Wouldn't that user be a local user belonging to a global group??

I would greatly appreciate any help you could extend to me on this matter.

Thanks.
  1. Archived from groups: microsoft.public.windowsnt.domain

    OK. Here it is.

    If you wanted to logon to a Windows NT workstation you
    would need a user account on that particular workstation.
    If you had three+ workstations you would need one user
    account on each workstation. What a domain does is
    provide one logon for multiple workstations for each
    user. So if you have 3,000 users that need to logon to
    three+ workstations it is simpler to just add the
    workstations to a domain so that you only need to create
    3,000 accounts, which would be on the PDC.

    A group is only a collection of users with the exception
    of the built in groups.

    For a local (non-domain) workstation you typically have:

    Administrators
    Power users
    Users

    In a domain and only on the Domain Controller you have:

    Domain Admins
    Account Operators
    Domain Users
    And a lot others....

    When you add a workstation to a domain the Domain Admins
    group is automatically added to the workstation's Local
    Administrators group. This is what gives the Domain Admin
    God Like rights over all domain workstations.

    The Account Operators group only permits users of that
    group the ability to create user accounts on the PDC, but
    not on the individual workstations.

    The groups come in handy when you need to assign access
    rights to a group of users. For example if bsmith has a
    domain account on the ACCOUNTING domain and he belonged
    to a group called ACCOUNTANTS and DOMAIN USERS and he
    wants to access a share on another computer you could
    setup the security to allow any of the following:

    ACCOUNTING\DOMAIN USERS
    ACCOUNTING\BSMITH
    ACCOUNTING\ACCOUNTANTS

    The first and third would allow everyone who belongs to
    those groups to access the share or you could just allow
    ACCOUNTING\BSMITH to access the share. So basically you
    use groups to allow more than one user to access a domain
    or computer resource.

    The groups are not necessary to give a user a global
    account. Try this from a workstation:

    Go to a DOS prompt and type:

    net user test 111111 /add

    Try to logon to any workstation. The user account will
    only work on the workstation you created it on. Now go
    back to the same workstation and type:

    net user test 111111 /domain /add

    Do not replace the word domain.

    Now try to logon to any workstation. You should be able
    to because the account is not global. So you basically
    now have two accounts called test. One that was created
    locally on the workstation and one that is created on the
    PDC.

    Hope this helps.


    Shawn



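The experiment in the answer leaves two accounts named test, one in the workstation's SAM and one in the domain's. As an added example (not part of the original thread), this Python sketch parses `net user` and `net user /domain` listings and reports names that exist in both places. It assumes the listing prints names in fixed 25-character columns; the host names WS1 and PDC1 and the sample output are constructed.

```python
import re

COL = 25  # assumption: `net user` prints names in fixed 25-character columns
BUILTIN = {"administrator", "guest"}  # exist in every SAM, so not reported

def listing(host, names):
    """Build constructed sample `net user` output (not captured from a real host)."""
    rows = [names[i:i + 3] for i in range(0, len(names), 3)]
    body = "\n".join("".join(n.ljust(COL) for n in r).rstrip() for r in rows)
    return (f"User accounts for \\\\{host}\n\n{'-' * 79}\n{body}\n"
            "The command completed successfully.\n")

# WS1 and PDC1 are hypothetical hosts; bsmith and test are names from the post.
LOCAL_OUT = listing("WS1", ["Administrator", "Guest", "test"])
DOMAIN_OUT = ("The request will be processed at a domain controller "
              "for domain ACCOUNTING.\n\n"
              + listing("PDC1", ["Administrator", "bsmith", "Guest", "test"]))

def parse_net_user(text):
    """Return (source_host, [account names]) from a `net user` listing."""
    source, names, in_table = None, [], False
    for line in text.splitlines():
        m = re.match(r"User accounts for (\S+)", line)
        if m:
            source = m.group(1)
        elif line.startswith("-----"):
            in_table = True
        elif line.startswith("The command completed"):
            in_table = False
        elif in_table and line.strip():
            # Slice by column width: account names may contain spaces.
            names += [line[i:i + COL].strip() for i in range(0, len(line), COL)]
    return source, [n for n in names if n]

def shadowed_accounts(local_text, domain_text):
    """Names present in both the workstation SAM and the domain SAM."""
    _, local = parse_net_user(local_text)
    _, domain = parse_net_user(domain_text)
    domain_names = {n.lower() for n in domain}  # account names are case-insensitive
    return sorted(n for n in local
                  if n.lower() in domain_names and n.lower() not in BUILTIN)

if __name__ == "__main__":
    for name in shadowed_accounts(LOCAL_OUT, DOMAIN_OUT):
        print(f"{name}: separate local and domain accounts share this name")
```

A name reported here has its own password and group memberships on the workstation, independent of the domain account, so it is worth reviewing or deleting once the test is done.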