(Skill 1) Introducing Groups
• A group in Active Directory is a collection of users, computers, contacts, and other group objects within a forest
• Users in a group are assigned rights and permissions, which allow them to access network resources such as files, folders, and applications

(Skill 1) Introducing Groups (2)
• Rights and permissions
  • Rights give users the capability to perform certain actions, such as changing the system time or shutting the system down
  • Permissions grant users a particular level of control over specific resources

(Skill 1) Introducing Groups (3)
• Group membership
  • Multiple users can be part of a single group
  • Conversely, one user can be a member of multiple groups
  • Creating groups ensures that the administrator does not need to assign similar permissions to individual users separately
(Skill 1) Figure 6-1 Granting individual permissions vs. group permissions
(Skill 1) Introducing Groups (4)
• When you are creating groups, there are two basic settings
  • Group type
  • Group scope
• There are two types of groups
  • Distribution groups
  • Security groups

(Skill 1) Introducing Groups (5)
• Distribution groups
  • Used exclusively for sending e-mail messages to a group of users
  • Cannot be used to set security permissions

(Skill 1) Introducing Groups (6)
• Security groups
  • Used to define the rights and permissions users will have to access resources on a computer or a network
  • When a user requests access to a network resource, the credentials of the user are validated against the group permissions to verify whether the user is allowed access
  • Can also be used to distribute e-mail to multiple users, because security groups have all the capabilities of distribution groups

(Skill 1) Introducing Groups (7)
• Security groups
  • Security groups are listed in Discretionary Access Control Lists (DACLs)
  • A DACL is a list that defines the permissions that are allowed or denied to specific users and groups for resources and objects
• After you have selected the group type, you need to decide on the group scope

(Skill 1) Introducing Groups (8)
• There are three group scopes
  • Domain local
  • Global
  • Universal

(Skill 1) Introducing Groups (9)
• Domain local group scope
  • Created in Active Directory on a domain controller
  • Generally used to grant access rights to network resources such as printers and shared folders
  • The scope of a domain local group is the domain in which the group was created
  • The distinguishing feature of domain local groups is that they can include members from any domain

(Skill 1) Introducing Groups (10)
• Global group scope
  • Used to group users who share similar roles in the organization
  • In most typical environments, a global group is created for each job function or title
  • Can contain members only from its own domain
  • Is visible in all domains in the forest, and permissions can be assigned to members for resources in any domain

(Skill 1) Introducing Groups (11)
• Global group scope
  • In Windows 2000 native mode and Windows Server 2003 mode, global groups can be nested in other global groups
  • Universal groups and global groups from any domain can be nested in domain local groups
  • In Windows 2000 mixed mode, global groups from any domain can be nested in domain local groups

(Skill 1) Introducing Groups (12)
• Universal group scope
  • Can contain members from any domain and are visible in all domains
  • Are unique in that they are stored entirely on global catalog servers
  • Used when there are multiple domains in a forest
  • Are available only when Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode

(Skill 1) Introducing Groups (13)
• Universal group scope
  • Windows Server 2003 Active Directory has four modes
    • Windows 2000 native mode
    • Windows 2000 mixed mode
    • Windows Server 2003 interim mode
    • Windows Server 2003 mode

(Skill 1) Introducing Groups (14)
• Windows 2000 native mode is available only when all domain controllers in the domain are running either Windows 2000 Server or Windows Server 2003
• Domains are configured by default to run in Windows 2000 mixed mode
  • This allows the coexistence of Windows NT, Windows 2000, and Windows Server 2003 domain controllers in the same domain

(Skill 1) Introducing Groups (15)
• If your domain consists of only Windows Server 2003 domain controllers, you can switch to Windows Server 2003 mode
• You cannot create universal groups in a domain in which Active Directory is running in Windows 2000 mixed mode

(Skill 1) Introducing Groups (16)
• Since Windows 2000 mixed mode is the default setup, to create universal groups you must switch to Windows 2000 native mode or Windows Server 2003 mode after all domain controllers have been upgraded
• In Windows 2000 native mode or Windows Server 2003 mode, user accounts, computer accounts, other universal scope groups, and groups with global scope from any domain can join a group with universal scope
• In Windows 2000 mixed mode, only user accounts can be members of global groups

(Skill 1) Introducing Groups (17)
• Nesting
  • The process of adding a group to other groups, or consolidating the groups in a network
  • You can add user groups, as well as groups of other network resources such as computers and contacts, to create a consolidated group
  • It simplifies the management of your network

(Skill 1) Introducing Groups (18)
• Nesting
  • It is important to document the access permissions granted to users and their group membership
    • Reduces group allocation mistakes
    • Eliminates the redundant inclusion of user accounts in groups
  • Having more than a single level of nesting is not advisable, because troubleshooting a problem on a network that implements multiple levels of nesting can be complicated
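The documentation and single-level-nesting advice above can be turned into a routine check. The following is an added example, not part of the slides or of any Microsoft tool: it walks every security group in the domain, computes how deep its nesting goes, writes the membership report to a CSV and lists groups that exceed one level. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and read access to the domain; the output file name is arbitrary.

```powershell
# Added example: audit group nesting depth across the domain.
# Assumes the ActiveDirectory module is available (not part of Windows Server 2003 itself).
Import-Module ActiveDirectory

# Read every security group once, with its "member" attribute, and index it by DN
# so the recursion below never issues a per-group LDAP query.
$groups  = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties member
$members = @{}
foreach ($g in $groups) { $members[$g.DistinguishedName] = @($g.member) }

# Depth 0 = the group holds only users/computers; depth 1 = one level of nesting
# (the maximum the slide recommends); anything higher is worth reviewing.
# $path tracks the current chain so a membership cycle (A in B, B in A) terminates.
function Get-NestingDepth([string]$dn, [string[]]$path) {
    if ($path -contains $dn) { return 0 }          # cycle detected: stop descending
    $path += $dn
    $deepest = 0
    foreach ($m in $members[$dn]) {
        if ($members.ContainsKey($m)) {            # member is itself a known security group
            $d = 1 + (Get-NestingDepth $m $path)
            if ($d -gt $deepest) { $deepest = $d }
        }
    }
    return $deepest
}

$report = foreach ($g in $groups) {
    [pscustomobject]@{
        Group = $g.Name
        Scope = $g.GroupScope
        Depth = Get-NestingDepth $g.DistinguishedName @()
    }
}

# Keep the written record the slide asks for, then show only the groups past one level.
$report | Sort-Object Depth -Descending | Export-Csv -Path .\group-nesting.csv -NoTypeInformation
$report | Where-Object Depth -gt 1 | Format-Table -AutoSize
```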
(Skill 2) Planning Group Strategies (2)
• "The Microsoft rule"
  • This strategy suggests that even if you have only a single domain, you should consider using the global and domain local group strategy to assign permissions to network resources
  • Essentially, you build one global group for each position or job function
  • Each time you create a share, you typically create four separate domain local groups for different levels of access to the share
  • You then make the global group or groups members of the appropriate domain local group

(Skill 2) Planning Group Strategies (3)
• Benefits of using the Microsoft rule
  • Modularity
  • Ease of modification
  • A reduction in the size of the global group list
• Summarize the rule using the acronym A-G-DL-P: Accounts go into Global groups, which go into Domain Local groups, which are assigned Permissions
(Skill 2) Figure 6-3 Strategy for creating global and domain local groups
(Skill 2) Planning Group Strategies (4)
• Strategies for using the universal group scope
  • Before creating universal groups, make sure that the memberships of those groups will not change frequently
  • Never add a user account as a member of a universal group; instead, add global groups as members of universal groups
  • Universal groups are designed to be used in one specific situation

(Skill 2) Planning Group Strategies (5)
• Strategies for using the universal group scope
  • When you use universal groups to organize global groups from multiple domains, the Microsoft rule is modified so that universal groups are nested in between global and domain local groups
  • The acronym is now A-G-U-DL-P: Accounts go into Global groups, which go into Universal groups, which are placed in Domain Local groups, which are assigned Permissions
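The A-G-DL-P and A-G-U-DL-P rules from Skill 2, carried through for one share. This is an added example, not part of the slides or of Microsoft's own tooling: it creates the job-function global group, the four per-share domain local groups, nests the global group in a domain local group, grants NTFS permissions to the domain local groups only, and then shows the universal-group variant. The OU path, share name, folder, user names and group names are all constructed; it assumes the ActiveDirectory module, `icacls` and `New-SmbShare` (Windows Server 2012 or later), none of which exist on Windows Server 2003 itself.

```powershell
# Added example: A-G-DL-P for one share, then the A-G-U-DL-P variant.
Import-Module ActiveDirectory
$ou    = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$share = 'Finance'                       # assumed share name
$path  = 'D:\Shares\Finance'             # assumed folder backing the share

# A -> G: one global group per job function; user accounts go into this group only.
New-ADGroup -Name 'Accountants' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Accountants' -Members 'jdoe', 'asmith'   # constructed sample users

# DL: the four per-share domain local groups the slide describes, one per access level.
# Value = icacls permission letters; $null marks the explicit-deny group.
$levels = @{ 'FullControl' = 'F'; 'Modify' = 'M'; 'Read' = 'RX'; 'Deny' = $null }
foreach ($level in $levels.Keys) {
    New-ADGroup -Name "Share-$share-$level" -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# G -> DL: the job-function group receives Modify on this share by membership,
# never by a direct ACE on the folder.
Add-ADGroupMember -Identity "Share-$share-Modify" -Members 'Accountants'

# DL -> P: NTFS permissions are granted to the domain local groups only.
# (OI)(CI) makes each ACE inherit to files and subfolders; the Deny group gets a deny ACE.
New-Item -ItemType Directory -Path $path -Force | Out-Null
foreach ($level in $levels.Keys) {
    $grp = "$env:USERDOMAIN\Share-$share-$level"
    if ($levels[$level]) { icacls $path /grant "${grp}:(OI)(CI)$($levels[$level])" }
    else                 { icacls $path /deny  "${grp}:(OI)(CI)F" }
}
# Share-level permission is left broad; the NTFS DACL above does the real access control.
New-SmbShare -Name $share -Path $path -ChangeAccess 'Authenticated Users' | Out-Null

# A-G-U-DL-P: when global groups from several domains need the same access, nest them in a
# universal group (replicated to the global catalog) and place that group in the domain local group.
New-ADGroup -Name 'All-Accountants' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'All-Accountants' -Members 'Accountants'   # other domains' global groups go here too
Add-ADGroupMember -Identity "Share-$share-Modify" -Members 'All-Accountants'
```

Global groups from another domain are added to the universal group by passing their distinguished name or SID rather than the bare SamAccountName.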
(Skill 3) Creating Groups
• Groups can be used to effectively manage large numbers of users and resources
• Even in small environments, it is advised that you follow the Microsoft rule for creating groups and assigning permissions

(Skill 3) Creating Groups (2)
• As organizational changes are made, some groups may become redundant
• It is important to delete groups that are no longer required
  • Maintains security
  • Avoids accidentally assigning permissions to groups and resources that are no longer required
• Windows Server 2003 Active Directory uses the Security Identifier (SID) to identify a particular group and assign permissions to it

(Skill 3) Creating Groups (3)
• Security Identifier (SID)
  • A unique number that identifies each security object in Active Directory
  • When a group is deleted, the SID for that group is also deleted and is never used by Windows Server 2003 again
  • You cannot recreate and restore the settings for a deleted group
(Skill 3) Figure 6-4 Creating a group
(Skill 4) Setting Group Properties
• After you have created a group, you can open the Properties dialog box for the group to set its properties
• Tabs on the Properties dialog box for a group
  • General: Describes the scope and type assigned to the group
  • Members: Used to add members of the domain to the group; members of a group can include user accounts, contacts, other groups, or computers

(Skill 4) Setting Group Properties (2)
• Tabs on the Properties dialog box for a group
  • Member Of: Used to add the group to other groups in the domain, or to universal groups in other domains in the forest
  • Managed By: Used to specify the user or contact person managing the group
  • Object: Specifies the path to the group within the domain
  • Security: Used to set permissions on the group object itself, controlling who can view or modify the group
(Skill 4) Figure 6-6 Selecting a user for the group
(Skill 6) Creating Local Groups
• Sometimes groups with a domain local scope are referred to as local groups
• However, there is a vast difference between a local group and a domain local group
  • Unlike a domain local group, which is a collection of user accounts from a domain, a local group is used to manage local user accounts on a single server or a stand-alone computer
  • In other words, groups with a local scope are called local groups

(Skill 6) Creating Local Groups (2)
• The access level for local groups is limited to resources located on the computer on which the group is created
• Local groups are mainly used in peer-to-peer or workgroup networks, or on stand-alone computers that are not part of a domain
• You populate local groups with user accounts that are stored in the local security database of a single computer

(Skill 6) Creating Local Groups (3)
• On a domain network, you can make global groups members of a local group so that domain users can be assigned rights and permissions for the resources on a particular workstation
• To create local groups, you use the Local Users and Groups snap-in in the Computer Management console
• You can delete, rename, and add members to the local group from the context menu for the local group in the Computer Management console
(Skill 6) Figure 6-11 The Location dialog box
(Skill 6) Figure 6-12 Searching for local resources
(Skill 6) Creating Local Groups (4)
• You generally create local groups when the number of users is small and Active Directory is not installed on the network
• It is important to remember that local groups cannot be created on domain controllers, because domain controllers use the Active Directory database, not the local user database
• Local groups can be used only on the computer where the local group was created

(Skill 7) Introducing Default Groups
• Windows Server 2003 Active Directory provides four classes of default groups
  • Built-in local
  • Built-in domain local
  • Built-in global
  • Built-in system
• These groups have a predefined common set of user rights or group memberships, which determine the type of tasks that a user or a group member of each group can perform

(Skill 7) Introducing Default Groups (2)
• Built-in local groups
  • Are created on all Windows Server 2003 computers
  • Can be viewed in the Groups folder in the Computer Management snap-in on all non-domain controllers
  • On domain controllers, they are stored in the Builtin container in the Active Directory Users and Computers console

(Skill 7) Introducing Default Groups (3)
• Built-in local groups in the Builtin container
  • Account Operators
  • Administrators
  • Backup Operators
  • Guests
  • Incoming Forest Trust Builders
  • Network Configuration Operators
  • Performance Log Users
  • Performance Monitor Users
  • Pre-Windows 2000 Compatible Access
  • Print Operators
  • Remote Desktop Users
  • Replicator
  • Server Operators
  • Users

(Skill 7) Introducing Default Groups (4)
• Built-in domain local groups
  • Cannot be deleted
  • Are automatically created only on domain controllers
  • Are stored in the Users container in the Active Directory Users and Computers console
  • The number of domain local groups will be different on each domain controller, depending on the type of services the domain controller is running

(Skill 7) Introducing Default Groups (5)
• Built-in domain local groups
  • Their names generally identify the function of the group
  • Have a set of predefined rights and permissions to perform various actions in Active Directory and on domain controllers

(Skill 7) Introducing Default Groups (6)
• Built-in global groups
  • Are automatically created on domain controllers
  • Are stored in the Users container in the Active Directory Users and Computers console
  • These groups, also known as predefined global groups, consolidate common types of user accounts and have predefined group memberships

(Skill 7) Introducing Default Groups (7)
• Built-in global groups
  • Domain-wide rights and privileges must be assigned to members of these groups
  • Rights can be assigned to built-in global groups either directly or by adding them to domain local groups

(Skill 7) Introducing Default Groups (8)
• Some commonly used built-in global groups
  • DnsUpdateProxy: DNS clients that are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers)
  • Domain Admins: Members of this group have full control over the domain; this group is a member of the Administrators group by default
  • Domain Computers: All workstations and servers joined to the domain
  • Domain Controllers: All domain controllers in the domain

(Skill 7) Introducing Default Groups (10)
• Some commonly used built-in global groups
  • Enterprise Admins: This group, which is present only in the forest root domain, is used by network administrators to manage resources in an enterprise
    • The Domain Admins group and the Administrator account are default members of this built-in global group
    • When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this group is converted to a universal group

(Skill 7) Introducing Default Groups (11)
• Some commonly used built-in global groups
  • Schema Admins: Designated administrators of the schema
    • The Administrator account is a default member of this group
    • When Active Directory is running in Windows 2000 native mode or Windows Server 2003 mode, this group is converted to a universal group

(Skill 7) Introducing Default Groups (12)
• Built-in system groups
  • Also referred to as special identities
  • Are populated with users based on how they access a computer or a resource
  • Network administrators cannot add, modify, or delete their members, because the operating system does so automatically
  • Since users cannot be added to built-in system groups, they are not shown when you are managing your user accounts, but they are available for selection when you are granting rights and permissions

(Skill 8) Starting a Program Using the Run as Command
• As a general rule, you should avoid working on a computer while logged on with the Administrator account, in order to protect your network from significant security risks
• You should log on as a member of the Users or Power Users group for routine tasks

(Skill 8) Starting a Program Using the Run as Command (2)
• To perform an administrative task or to start a program while you are logged on as a user, you can use the Run as command
• The Run as command allows you to access programs and other Windows Server 2003 administrative tools temporarily without logging off as the current user