1 / 34

Module 3: Managing Groups

Module 3: Managing Groups. Overview. Creating Groups Managing Group Membership Strategies for Using Groups Using Default Groups. Lesson: Creating Groups. What Are Groups? What Are Domain Functional Levels? What Are Global Groups? What Are Universal Groups? What Are Domain Local Groups?

isaiah
Download Presentation

Module 3: Managing Groups

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Module 3: Managing Groups

  2. Overview • Creating Groups • Managing Group Membership • Strategies for Using Groups • Using Default Groups

  3. Lesson: Creating Groups • What Are Groups? • What Are Domain Functional Levels? • What Are Global Groups? • What Are Universal Groups? • What Are Domain Local Groups? • What Are Local Groups? • Guidelines for Creating and Naming Groups • Who Can Create Groups? • Practice: Creating Groups

  4. What Are Groups? Groups simplify administration by enabling you to assign permissions for resources Group Groups are characterized by scope and type

  5. What Are Domain Functional Levels?

  6. What Are Global Groups?

  7. What Are Universal Groups?

  8. What Are Domain Local Groups?

  9. What Are Local Groups?

  10. Guidelines for Creating and Naming Groups • Create groups in organizational units by using the following naming considerations: • Naming conventions for security groups • Incorporate the scope in the group name • Should reflect the group ownership • Use a descriptor to identify the assigned permissions • Naming conventions for distribution groups • Use short alias names • Do not include a user’s alias name in the display name • Allow a maximum of five co-owners of a single distribution group

  11. Who Can Create Groups? • In the domain: • Account Operators group • Domain Admins group • Enterprise Admins group • Or users with appropriate delegated authority • On the local computer: • Power Users group • Administrators group on the local computer • Or users with appropriate delegated authority

  12. Practice: Creating Groups In this practice, you will: • Create groups by using Active Directory Users and Computers • Create groups by using the dsadd command-line tool

  13. Lesson: Managing Group Membership • Determining Group Membership • Adding and Removing Members from a Group • Practice: Managing Group Membership

  14. Determining Group Membership Group or Team Global Group Domain Local Group Tom, Jo, and Kim G Denver Admins Denver Admins DL OU Admins G Vancouver Admins Sam, Scott, and Amy

  15. Adding and Removing Members from a Group Group membership can be modified by using Active Directory Users and Computers or the dsmod command

  16. Practice: Managing Group Membership In this practice, you will: • Determine a user’s group membership • Add users to global groups • Add global groups to domain local groups

  17. Lesson: Strategies for Using Groups • Multimedia: Strategy for Using Groups in a Single Domain • What Is Group Nesting? • Group Strategies • Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment • Practice: Nesting Groups and Creating Universal Groups • Modifying the Scope or Type of a Group? • Why Assign a Manager to a Group? • Practice: Changing the Scope and Assigning a Manager to a Group

  18. Multimedia: Strategy for Using Groups in a Single Domain This presentation explains the A G DL P strategy for using groups

  19. What Is Group Nesting? • Group nesting means adding a group as a member of another group Group Group Group Group Group • Nest groups to consolidate group management • Nesting options depend on the domain functional level

  20. Group Strategies A G P A G L P A DL P A G U DL P A G DL P Universal Groups Domain Local Groups User Accounts Global Groups User Accounts Global Groups Universal Groups Domain Local Groups Permissions User Accounts User Accounts User Accounts User Accounts Global Groups Global Groups Domain Local Groups Global Groups Local Groups Domain Local Groups Permissions Permissions Permissions Permissions U DL A G A G U DL P Permissions Local Groups Group strategies: User Accounts Global Groups • A G P • A G DL P • A G U DL P • A G L P A A DL G P P A A G G L DL P P P L A G

  21. Class Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment Northwind Traders has a single domain that is located in Paris, France. Northwind Traders managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database? Examples 1 and 2 Contoso, Ltd., has a single domain that is located in Paris, France. Contoso managers need access to the Inventory database to perform their jobs. What do you do to ensure that the managers have access to the Inventory database? Example 3 Contoso, Ltd., has expanded to include operations in South America and Asia and now has three domains. You need to grant access to all IT managers from all domains to the IT_Admin tools shared folder in the Contoso domain. Northwind Traders wants to react more quickly to market demands. It is determined that the accounting data must be available to all Accounting personnel. Northwind Traders wants to create the group structure for the entire Accounting division, which includes the Accounts Payable and Accounts Receivable departments. What do you do to ensure that the managers have the required access and that there is a minimum of administration? • Place all of the managers in a global group • Create a domain local group for Inventory database access • Make the global group a member of the domain local group and grant permissions to the domain local group for accessing the Inventory database • Make sure that your network is running in native functional level. • Create three global groups called Accounting Division, Accounts Payable, and Accounts Receivable. • Place the Accounting Division global group into the domain local group so that users can access the accounting data. • Create a domain local group called Accounting Data. Grant this group appropriate permission for the accounting data resources file.

  22. Practice: Nesting Groups and Creating Universal Groups In this practice, you will: • Create the Contoso Managers global group • Nest the departmental Managers global groups into G Contoso Managers • Create an Enterprise Managers universal group • Examine the Members and Member Of properties

  23. Modifying the Scope or Type of a Group? • Changing group scope • Global to universal • Domain local to universal • Universal to global • Universal to domain local • Changing group type • Security to distribution • Distribution to security

  24. Why Assign a Manager to a Group? • Enables you to: • Track who is responsible for groups • Delegate to the manager of the group the authority to add and remove users • Distribute the administrative responsibility to the people who request the group Manager Group

  25. Practice: Changing the Scope and Assigning a Manager to a Group In this practice, you will: • Create a global group and change the scope to universal • Assign a manager to the group • Test the group manager properties

  26. Lesson: Using Default Groups • Default Groups on Member Servers • Default Groups in Active Directory • When to Use Default Groups • Security Considerations for Default Groups • System Groups • Class Discussion: Using Default Groups vs. Creating New Groups • Best Practices for Managing Groups

  27. Default Groups on Member Servers

  28. Default Groups in Active Directory

  29. When to Use Default Groups • Default groups are: • Created during the installation of the operating system or when services are added • Automatically assigned a set of user rights • Use default groups to: • Control access to shared resources • Delegate specific domain-wide administration

  30. Security Considerations for Default Groups • Place a user in a default group when you are sure that you want to give the user all the user rights and permissions assigned to that group in Active Directory; otherwise, create a new security group • As a security best practice, members of default groups should use Run as

  31. System Groups • System groups represent different users at different times • You can grant user rights and permissions to system groups, but you cannot modify or view the memberships • Group scopes do not apply to system groups • Users are automatically assigned to system groups whenever they log on or access a particular resource

  32. Class Discussion: Using Default Groups vs. Creating New Groups Contoso, Ltd., has over 100 servers across the world. • The current tasks that administrators must perform and what minimum level of access users need to perform specific tasks • Whether you can use default groups or must create groups and assign specific user rights or permissions to the groups You must determine:

  33. Best Practices for Managing Groups • Create groups based on administrative needs • Add user accounts to the group that is most restrictive • Use the default group when possible instead of creating a new group • Use the Authenticated Users group instead of the Everyone group to grant most user rights and permissions • Limit the number of users in the Administrators group

  34. Lab: Creating and Managing Groups In this lab, you will: • Create global and domain local groups • Manage group membership • Manage default groups

More Related