Windows 2000 supports aggregating users into groups and domains. You can assign users to a particular group or domain, then grant (or deny) permission to use certain system resources based on their membership. For example, you could create a group of users in the accounting department and grant that group access to the printer in the department conference room, without having to grant printer access to users from outside the department. For a complete explanation of managing users, groups, and domains, see Essential Windows NT System Administration, by Æleen Frisch (O’Reilly & Associates).

Besides offering access controls so that users and groups gain or lose access to individual files, shares, servers, and printers, NT 3.1 offered a set of features you could customize on a per-machine or per-user basis. As you might guess, these settings were just keys in the Registry; an example is the warning notice that you can add to the logon process by adding two new values to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Even though these settings were present, there were two serious flaws that made them more difficult than necessary to use: