Chapter 8, Group Account Administration

Chapter 8, Lesson 1

Introduction to Groups

1.Groups and Permissions

A.A group is a collection of user accounts.

B.Groups simplify administration by allowing permissions and rights to be assigned to a group of users.

C.Permissions control what users can do with a resource, such as a folder, file, or printer.

D.Assigning permissions grants users access to a resource and defines the type of access they have.

E.Rights allow users to perform system tasks.

F.User accounts, other groups, contacts, and computers can be added to groups.

G.Computers are added to groups to simplify giving a system task on one computer access to a resource on another computer.

2.Group Types

A.Overview

1.The group type, which is either security or distribution, determines how the group is used.

2.Both types of groups are stored in the database component of Active Directory.

3.Storage in the database component allows use of groups anywhere in the network.

B.Security groups

1.Microsoft Windows 2000 uses only security groups.

2.Are used to assign permissions to gain access to resources

3.Have all the capabilities of a distribution group

C.Distribution groups

1.Used by applications as lists for nonsecurity-related functions

2.Used when the only function of the group is nonsecurity-related

3.Cannot be used to assign permissions

Note Only programs that are designed to work with Active Directory can use distribution groups.

3.Group Scopes

A.Overview

1.A group type and scope must be selected when a group is created.

2.Group scopes allow groups to be used in different ways to assign permissions.

3.The scope of a group determines where in the network the group can be used to assign group permissions.

B.Global groups

1.Used to organize users who share similar network access requirements

2.Members can be added only from the domain in which the global group is created.

3.Can be used to assign permissions to gain access to resources that are located in any domain in the domain tree or forest

C.Domain local groups

1.Used to assign permissions to resources

2.Members can be added from any domain.

3.Can be used to assign permissions to gain access to resources located only in the same domain where the domain local group is created

D.Universal groups

1.Used to assign permissions to related resources in multiple domains

2.Members can be added from any domain.

3.Can be used to assign permissions to gain access to resources located in any domain

4.Not available in mixed mode

5.A full feature set of Windows 2000 is available only in native mode.

4.Group Nesting

A.Overview

1.Creates a consolidated group

2.Reduces network traffic between domains and simplifies administration in a domain tree

B.Guidelines for group nesting

1.Minimize levels of nesting

a.Tracking permissions and troubleshooting becomes more complex with multiple levels of nesting.
b.One level of nesting is most effective.

2.Document group membership to keep track of permissions assignments

a.Eliminates the redundant assignment of user accounts to groups
b.Reduces the likelihood of accidental group assignments

5.Rules for Group Membership

A.Overview

1.The group scope determines the membership of a group.

2.Membership rules determine the members that a group can contain.

3.Group members can be user accounts and other groups.

4.Knowledge of group membership rules is important when assigning members to groups and using nesting.

B.Group scope membership rules

1.Native mode

a.Global group scope: User accounts and global groups from the same domain
b.Domain local group scope: User accounts, universal groups, and global groups from any domain; domain local groups from the same domain
c.Universal group scope: User accounts, other universal groups, and global groups from any domain

2.Mixed mode

a.Global group scope: Users from the same domain
b.Domain local group scope: User accounts and global groups from any domain
c.Universal group scope: Not applicable; universal groups cannot be created in mixed mode.
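The membership rules above, encoded as a predicate that can be run offline before a nesting is attempted. This is an added example written for these notes, not course material; the function name and the constructed proposals at the end are assumptions.

```powershell
# Added example: the native-mode and mixed-mode membership rules from the
# lesson as a predicate. Function name and sample proposals are constructed.
function Test-GroupMembershipRule {
    param(
        [Parameter(Mandatory)][ValidateSet('Native', 'Mixed')]
        [string]$Mode,                                   # domain mode
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')]
        [string]$TargetScope,                            # scope of the group receiving the member
        [Parameter(Mandatory)][ValidateSet('User', 'Global', 'DomainLocal', 'Universal')]
        [string]$MemberType,                             # what is being added
        [switch]$SameDomain                              # member and target live in the same domain
    )
    if ($Mode -eq 'Mixed') {
        switch ($TargetScope) {
            'Global'      { return ($MemberType -eq 'User' -and $SameDomain) }
            'DomainLocal' { return ($MemberType -in 'User', 'Global') }
            'Universal'   { return $false }  # universal groups cannot be created in mixed mode
        }
    }
    switch ($TargetScope) {
        'Global'      { return ($MemberType -in 'User', 'Global') -and $SameDomain }
        'DomainLocal' {
            # domain local groups only from the same domain; users, global and
            # universal groups from any domain
            if ($MemberType -eq 'DomainLocal') { return [bool]$SameDomain }
            return $true
        }
        'Universal'   { return ($MemberType -ne 'DomainLocal') }
    }
}

# Constructed proposals, one per rule, reported as a table of verdicts.
$proposals = @(
    @{ Mode = 'Native'; TargetScope = 'Global';      MemberType = 'Global';      SameDomain = $true  },
    @{ Mode = 'Native'; TargetScope = 'Global';      MemberType = 'Global';      SameDomain = $false },
    @{ Mode = 'Native'; TargetScope = 'DomainLocal'; MemberType = 'DomainLocal'; SameDomain = $false },
    @{ Mode = 'Native'; TargetScope = 'Universal';   MemberType = 'DomainLocal'; SameDomain = $true  },
    @{ Mode = 'Mixed';  TargetScope = 'DomainLocal'; MemberType = 'Universal';   SameDomain = $true  }
)
foreach ($p in $proposals) {
    [pscustomobject]@{
        Mode       = $p.Mode
        Target     = $p.TargetScope
        Member     = $p.MemberType
        SameDomain = $p.SameDomain
        Allowed    = Test-GroupMembershipRule @p
    }
}
```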

6.Local Groups

A.A collection of user accounts on a computer

B.Used to assign permissions to resources residing on the computer on which the local group is created

C.Windows 2000 creates local groups in the local security database.

7.Using Local Groups

A.Guidelines

1.Can be used only on the computer where it is created

2.Its permissions provide access only to the resources on the computer where it is created.

3.Can be used on computers running Windows 2000 Professional and member servers running Windows 2000 Server

4.Cannot be created on a domain controller

5.Used to limit the ability of local users and groups to gain access to network resources without creating domain groups

B.Membership rules

1.A local group can contain local user accounts from the computer where the local group is created.

2.Local groups cannot be members of any other group.

Chapter 8, Lesson 2

Planning a Group Strategy

1.Planning Global and Domain Local Groups

A.Use the following strategy:

1.Assign users with common job responsibilities to global groups.

2.Create a domain local group for resources to be shared.

3.Add to the domain local group global groups that need access to the resources.

4.Assign resource permissions to the domain local group.
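The four-step strategy above, scripted as an added example for these notes (not course material). It assumes a current domain with the ActiveDirectory PowerShell module, which Windows 2000 itself does not ship; the OU path, group names, folder and user names are constructed placeholders.

```powershell
# Added example: global group for the users, domain local group for the
# resource, nest the former in the latter, grant the permission once.
# Assumes the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # placeholder OU created for groups
$share   = 'D:\Shares\Finance'              # placeholder folder to be shared
$netbios = (Get-ADDomain).NetBIOSName

# Step 1: users with a common job responsibility go into a global group.
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'jdoe', 'asmith'   # placeholder users

# Step 2: one domain local group per shared resource and access level.
New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# Step 3: the global group, not the individual users, becomes a member.
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'GG-Finance-Staff'

# Step 4: the NTFS permission is granted to the domain local group only.
$acl      = Get-Acl -Path $share
$ruleArgs = "$netbios\DL-Finance-Modify", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule     = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Later changes touch only group membership; the ACL on the folder stays as it is.
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'bjones'   # placeholder new hire
```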

B.Limitations of other strategies:

1.Placing user accounts in domain local groups and assigning permissions to the domain local groups

a.Does not allow for the assignment of permissions for resources outside of the domain
b.Reduces the flexibility when your network grows

2.Placing user accounts in global groups and assigning permissions to the global groups

a.Complicates administration when using multiple domains
b.If global groups from multiple domains require the same permissions, permissions have to be assigned for each global group.

2.Using Universal Groups

A.Guidelines

1.Assign permissions to universal groups for resources in any domain in the network.

2.Use universal groups only when their membership is static, since changes in membership can cause excessive network traffic between domain controllers.

3.Membership of universal groups may be replicated to a larger number of domain controllers.

4.Add global groups from several domains to a universal group, and then assign permissions for access to a resource to the universal group.

5.Use a universal group in the same way as a domain local group to assign permissions for resources.

Chapter 8, Lesson 3

Creating Groups

1.Creating and Deleting Groups

A.Overview

1.Use the Active Directory Users and Computers console to create and delete groups.

2.Create groups in the Users container or in another container, or in an OU created specifically for groups.

3.As the organization grows and changes, delete groups that are no longer needed; this helps maintain security.

B.To create a group

1.Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers

2.Click the domain, right-click the Users container, point to New, and click Group

3.Complete the New Object-Group dialog box and click OK

C.New Object-Group dialog box options

1.Group Name: The object name must be unique in the domain where the group is created

2.Group Name (pre–Windows 2000): Filled in automatically based on the group name that is typed in

3.Group Scope: Click Domain Local, Global, or Universal

4.Group Type: Click Security or Distribution

2.Deleting a Group

A.Overview

1.Each group has a unique, nonreusable identifier called the security identifier (SID).

2.Windows 2000 uses the SID to identify the group and the assigned permissions.

3.If a new group is created using the deleted group name, Windows 2000 creates a new SID for that group.

4.Access to resources cannot be restored by recreating the group.

B.To delete a group

1.Right-click the group, and then click Delete

2.Click Yes on the Active Directory message box

3.Adding Members to a Group

A.Overview

1.After the group is created, members are added.

2.Members of groups can include user accounts, contacts, other groups, and computers.

3.The Active Directory Users and Computers console is used to add members.

B.To add members to a group

1.Start the Active Directory Users and Computers console and expand Users

2.Right-click the appropriate group, and then click Properties

3.In the Properties dialog box, click the Members tab, and then click Add

4.The Select Users, Contacts, Computers, Or Groups dialog box appears

5.In the Look In list, select a domain from which to display user accounts and groups, or select Entire Directory to view user accounts and groups from anywhere in Active Directory

6.In the Name column, select an object to add, and click Add

Note Use the Shift or Ctrl key to select multiple user accounts or groups simultaneously.

7.Review the accounts to be certain they are the ones to be added, and then click OK to add the members

8.On the Properties dialog box, click OK

Note You can also add a user account or group by using the Member Of tab in the Properties dialog box for that user account or group. Use this method to quickly add the same user or group to multiple groups.

4.Changing the Group Type

A.Overview

1.As group functions change, it may become necessary to change the group type.

2.The group type can be changed only when Windows 2000 is operating in native mode.

B.To change the group type

1.Right-click the group, and then click Properties

2.Change the group type in the General tab of the Properties dialog box for the group

5.Changing the Group Scope to Universal

A.Overview

1.As a network changes, it may be necessary to change a global or domain local group to universal.

2.The group scope can be changed only when Windows 2000 is operating in native mode.

B.Group scopes that can be changed

1.A global group to a universal group: Only if the global group is not a member of another global group

2.A domain local group to a universal group: Only if the domain local group does not contain another domain local group

Note Windows 2000 does not allow changes to the scope of a universal group, because usage and membership rules for other groups are more restrictive.

C.To change the scope of a group

1.Right-click the group, and then click Properties

2.Change the group scope in the General tab of the Properties dialog box for the group
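A check for the two preconditions in B above, run before the scope is changed. This is an added example for these notes, not course material; it uses the ActiveDirectory PowerShell module (not part of Windows 2000 itself), and the function name and group name are placeholders.

```powershell
# Added example: verify the preconditions for changing a group's scope to
# universal before attempting it. Assumes the ActiveDirectory module;
# the function name and the group name at the end are placeholders.
Import-Module ActiveDirectory

function Test-UniversalScopeChange {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties MemberOf
    switch ($group.GroupScope) {
        'Global' {
            # Blocked while the global group is a member of another global group.
            $parents  = @($group.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })
            $blockers = @($parents | Where-Object { $_.GroupScope -eq 'Global' })
            $reason   = 'is a member of global group(s)'
        }
        'DomainLocal' {
            # Blocked while the domain local group contains another domain local group.
            $nested   = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'group' })
            $blockers = @($nested | ForEach-Object { Get-ADGroup -Identity $_ } |
                          Where-Object { $_.GroupScope -eq 'DomainLocal' })
            $reason   = 'contains domain local group(s)'
        }
        'Universal' {
            Write-Warning "$GroupName is already universal; that scope cannot be changed."
            return $false
        }
    }
    if ($blockers.Count -gt 0) {
        Write-Warning "$GroupName $reason $($blockers.Name -join ', '); remove that nesting first."
        return $false
    }
    return $true
}

# Convert only when the preconditions hold (the domain must also be in native mode).
if (Test-UniversalScopeChange -GroupName 'GG-Finance-Staff') {
    Set-ADGroup -Identity 'GG-Finance-Staff' -GroupScope Universal
}
```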

6.Creating Local Groups

A.Overview

1.Use the Local Users and Groups snap-in within the Computer Management console to create local groups.

2.Create local groups in the Groups folder.

B.To create a local group

1.Click Start, point to Programs, point to Administrative Tools, and then click Computer Management

2.For Windows 2000 Professional, click Start, point to Settings, and open the Control Panel

3.Expand the Local Users and Groups snap-in, right-click Groups, and select New Group

4.Complete the New Group dialog box, and then click OK

C.New Group dialog box options

1.Group Name: Unique name for the local group

2.Description: Description of the group

3.Members: Members of the local group

4.Add: Adds a user or global group to the list of members

5.Remove: Removes a user or global group from the list of members

6.Create: Creates the group

D.To delete a local group

1.Right-click the group, and then click Delete

2.Click Yes on the Local Users and Groups message box

E.To add members to a local group

1.Expand the Local Users and Groups snap-in, and then expand Groups

2.Right-click the appropriate group, and then click Properties

3.In the Properties dialog box, click Add

4.The Select Users Or Groups dialog box appears.

5.The Look In list shows the computer for which you are creating a group; select the user account that you want to add, and then click Add.

6.Review the accounts to be certain they are the accounts to be added to the group, and then click OK to add the members

7.On the Properties dialog box, click OK

Chapter 8, Lesson 4

Understanding Default Groups

1.Overview

A.Four categories of default groups: predefined, built-in, built-in local, and special identity

B.Default groups have a predetermined set of user rights or group membership.

C.User rights determine the system tasks that a user or member can perform.

2.Predefined Groups

A.Overview

1.Windows 2000 creates predefined groups with a global scope to group common types of user accounts.

2.Windows 2000 automatically adds members to some predefined global groups.

3.Additional user accounts can be added to predefined groups to provide additional users with privileges and permissions assigned to the group.

4.The Users container holds the predefined global groups in a domain.

5.Predefined groups do not have any inherent rights.

6.Rights are assigned by adding the global groups to domain local groups or by explicitly assigning user rights or permissions to the predefined global groups.

B.Default membership of commonly used predefined global groups

1.Domain Admins

a.Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group.

b.Being added to the Administrators built-in domain local group allows members of Domain Admins to perform administrative tasks on any computer anywhere in the domain.

c.By default, the Administrator account is a member.

2.Domain Guests

a.Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group.

b.By default, the Guest account is a member.

3.Domain Users

a.Windows 2000 automatically adds Domain Users to the Users built-in domain local group.

b.By default, the Administrator, Guest, IUSR_computername, IWAM_computername, krbtgt, and TsInternetUser accounts are members.

c.Each new domain user account is automatically a member.

4.Enterprise Admins

a.User accounts should be added to Enterprise Admins for users who should have administrative control for the entire network.

b.Enterprise Admins should be added to the Administrators domain local group in each domain.

c.By default, the Administrator account is a member.

3.Built-In Groups

A.Overview

1.Windows 2000 creates built-in groups with a domain local scope.

2.Built-in groups provide users with user rights and permissions to perform tasks on domain controllers and in Active Directory.

3.Built-in domain local groups give predefined rights and permissions to user accounts when user accounts or global groups are added as members.

4.The Built-in container holds the built-in domain local groups in a domain.

B.Commonly used built-in domain local groups

1.Account Operators

a.Members can create, delete, and modify user accounts and groups.

b.Members cannot modify the Administrators group or any of the operators groups.

2.Administrators

a.Members can perform all administrative tasks on all domain controllers and the domain itself.

b.By default, the Administrator user account and the Domain Admins and Enterprise Admins predefined global groups are members.

3.Backup Operators

a.Members can back up and restore all domain controllers by using Windows Backup.

4.Guests

a.Members can perform only tasks for which the administrator has granted rights.

b.Members can gain access only to resources for which the administrator has assigned permissions.

c.Members cannot make permanent changes to their desktop environment.

d.By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.

5.Pre–Windows 2000 Compatible Access

a.A backward compatibility group that allows read access for all users and groups in the domain

b.By default, only the Everyone pre–Windows 2000 system group is a member.

6.Print Operators

a.Members can set up and manage network printers on domain controllers.

7.Replicator

a.Supports directory replication functions

b.The only member should be a domain user account used to log on to the Replicator services of the domain controller.

c.The accounts of actual users must not be added to this group.

8.Server Operators

a.Members can share disk resources and back up and restore files on a domain controller.

9.Users

a.Members can perform only tasks for which the administrator has granted rights.

b.Members can gain access only to resources for which the administrator has assigned permissions.

c.By default, the Authenticated Users and INTERACTIVE pre–Windows 2000 groups and the Domain Users predefined global group are members.

d.Use this group to assign permissions and rights that every user with a user account in the domain should have
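An audit of the built-in domain local groups listed above against the default membership the lesson documents, as an added example for these notes (not course material). It assumes the ActiveDirectory PowerShell module, which Windows 2000 itself does not ship; the approved service accounts in the table are constructed placeholders.

```powershell
# Added example: compare the membership of the privileged built-in domain
# local groups with their documented default membership plus locally
# approved additions. Assumes the ActiveDirectory module; the service
# account names are placeholders.
Import-Module ActiveDirectory

# Documented default members (by sAMAccountName) plus approved additions.
$expected = @{
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    'Account Operators' = @()
    'Server Operators'  = @()
    'Backup Operators'  = @('svc-backup')        # placeholder: approved backup service account
    'Print Operators'   = @()
    'Replicator'        = @('svc-replication')   # placeholder: the only account that belongs here
}

$findings = foreach ($groupName in $expected.Keys) {
    foreach ($member in Get-ADGroupMember -Identity $groupName) {
        $severity = $null
        if ($expected[$groupName] -notcontains $member.SamAccountName) {
            $severity = 'Review'   # not in the documented or approved membership
        }
        if ($groupName -eq 'Replicator' -and $severity) {
            $severity = 'High'     # the accounts of actual users must never be in Replicator
        }
        if ($severity) {
            [pscustomobject]@{
                Group    = $groupName
                Member   = $member.SamAccountName
                Class    = $member.objectClass
                Severity = $severity
            }
        }
    }
}
$findings | Sort-Object Severity, Group | Format-Table -AutoSize
```

Direct members only are compared; nested groups such as Domain Admins are listed as a single member, so their own membership is audited separately.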

4.Built-In Local Groups

A.Overview

1.All stand-alone servers, member servers, and computers running Windows 2000 Professional have built-in local groups.

2.Built-in local groups give users the rights to perform system tasks on a single computer.

3.Windows 2000 places the built-in local groups into the Groups folder in the Local User Manager snap-in.

B.Commonly used built-in local groups

1.Administrators

a.Members can perform all administrative tasks on the computer.

b.By default, the built-in Administrator user account for the computer is a member.

c.Windows 2000 automatically adds the Domain Admins predefined global group to the local Administrators group.

2.Backup Operators

a.Members can use Windows Backup to back up and restore the computer.

3.Guests

a.Members can perform only tasks for which the administrator has specifically granted rights.

b.Members can gain access only to resources for which the administrator has assigned permissions.

c.Members cannot make permanent changes to their desktop environment.

d.By default, the built-in Guest account for the computer is a member.

e.Windows 2000 automatically adds the Domain Guests predefined global group to the local Guests group.

4.Power Users

a.Members can create and modify local user accounts on the computer and share resources.

5.Replicator

a.Supports directory replication functions

b.The only member should be a domain user account used to log on to the Replicator services of the domain controller.